Bug 1656738
| Summary: | selinux block vsock protocol transfer data from guest to host | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | FuXiangChun <xfu> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 8.0 | CC: | chayang, juzhang, lvrabec, mmalik, plautrba, qzhang, ssekidde, stefanha, wchadwic, xfu, yfu | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 8.1 | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-11-05 22:09:44 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1673107, 1682526 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Comment 1
FuXiangChun
2018-12-06 08:29:14 UTC
Hi, Could you reproduce your scenario and then attach output of: # ausearch -m AVC -m USER_AVC -ts today THanks, Lukas. Created attachment 1511997 [details]
ausearch output
Okay, your system is mislabeled. Please run: # restorecon -Rv / and repeat the scenario. (In reply to Lukas Vrabec from comment #4) > Okay, your system is mislabeled. > > Please run: > > # restorecon -Rv / restorecon -Rv / Relabeled /boot/loader/entries/cc97fdbdcd3041e7b8d7ee8938049da7-4.18.0-48.el8.x86_64.conf from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0 Relabeled /boot/loader/entries/cc97fdbdcd3041e7b8d7ee8938049da7-0-rescue.conf from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0 /dev/tty1 not reset as customized by admin to unconfined_u:object_r:user_tty_device_t:s0 Relabeled /home/win2016.qcow2 from unconfined_u:object_r:home_root_t:s0 to unconfined_u:object_r:default_t:s0 Relabeled /run/user/0 from system_u:object_r:tmpfs_t:s0 to system_u:object_r:user_tmp_t:s0 Relabeled /etc/X11/xorg.conf.d/00-keyboard.conf from system_u:object_r:var_lib_t:s0 to system_u:object_r:xserver_etc_t:s0 Relabeled /usr/sbin/dumpe2fs from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0 Relabeled /usr/sbin/e2mmpstatus from system_u:object_r:fsadm_exec_t:s0 to system_u:object_r:bin_t:s0 Relabeled /usr/local/lib/python3.6/site-packages/avocado_framework_plugin_result_html-66.0-py3.6.egg from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:lib_t:s0 Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/PKG-INFO from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0 Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/SOURCES.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0 Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/dependency_links.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0 Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/top_level.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0 > > and repeat the scenario. # ./nc-vsock -l 1234 Connection from cid 2 port 1055... still can reproduce this issue. Thanks, Could you attach also output of: # ausearch -m AVC -m USER_AVC -ts today Thanks, Lukas. Lukas,
This is ausearch output
# ausearch -m AVC -m USER_AVC -ts today
----
time->Mon Dec 10 11:17:28 2018
type=PROCTITLE msg=audit(1544411848.529:82): proctitle=2E2F6E632D76736F636B002D6C00313233
type=SYSCALL msg=audit(1544411848.529:82): arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=7ffe29de8170 a2=1000 a3=fffffffffffff5ea items=0 ppid=6717 pid=6738 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="nc-vsock" exe="/root/nc-vsock" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1544411848.529:82): avc: denied { read } for pid=6738 comm="nc-vsock" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=vsock_socket permissive=0
Thanks, Could you attach also: # ps -efZ | grep unlabeled Thanks, Lukas. (In reply to Lukas Vrabec from comment #8) > Thanks, > > > Could you attach also: > > # ps -efZ | grep unlabeled > > Thanks, > Lukas. Inside guest: # ps -efZ | grep unlabeled unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6766 6726 0 13:30 pts/0 00:00:00 grep --color=auto unlabeled In host: # ps -efZ | grep unlabeled unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3599 3309 0 00:31 pts/1 00:00:00 grep --color=auto unlabeled Hmm, this bug will be more complicated. Can you create some VM and allow me access that machine with root access? THanks, Lukas. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 Hi Lukas, I hit this issue when test with RHEL8.0.0.z, so i am wring to ask do we need to backport this fix from RHEL8.1.0 to RHEL8.0 ? Our automation strategy depends on this info, looking forward to your reply, thanks a lot! Best regards Yanan Fu The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |