Bug 1714896

Summary: incomplete policy for libvirt daemons
Product: Red Hat Enterprise Linux 7
Reporter: Doran Moppert <dmoppert>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: medium
Version: 7.6
CC: berrange, lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Keywords: AutoVerified
Target Release: 7.8
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-255.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1733185
Environment:
Last Closed: 2020-03-31 19:10:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1733185

Description Doran Moppert 2019-05-29 06:40:10 UTC
In bug 1706067, it looked like SELinux was preventing exploitation of a libvirt CVE, but further investigation showed some problems with the confinement leading to an easy bypass.

Two issues:
 - virtlockd should run in a confined context more similar to virtlogd_t than virtd_t
 - the virtlogd_t context probably needs much less filesystem access than it has

Quoting bug 1706067 comment 12:
In reply to comment #12:
> In reply to comment #4:
> > SELinux context for the virtlogd process prevents it reading the client's
> > /proc/X/stat entry
> 
> To be more specific, the full AVC denial message is:
> 
> > type=AVC msg=audit(1557278958.370:7143): avc:  denied  { search } for  pid=27744 comm="virtlogd" name="24609" dev="proc" ino=31260969 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
> > 
> > type=SYSCALL msg=audit(1557278958.370:7143): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f7b60003870 a2=0 a3=0 items=0 ppid=1 pid=27744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
> 
> This is triggered by the openat() call from the chain
> virNetSocketGetUNIXIdentity() -> virProcessGetStartTime() ->
> virFileReadAll("/proc/24609/stat"), which comes after the SO_PEERCRED call
> succeeds.
> 
> Indeed, `virt-admin -c virtlogd:///system` triggers the same AVC failure
> even when run as root, when SELinux is enforcing.
> 
> By contrast, virtlockd is running under a different context:
> 
> > system_u:system_r:virtlogd_t:s0-s0:c0.c1023 root 1186 0.0  0.5 346760 10816 ?  Ss   21:39   0:00 /usr/sbin/virtlogd
> > system_u:system_r:virtd_t:s0-s0:c0.c1023 root 1250 0.0  0.6 365444 11436 ?     Ss   21:41   0:00 /usr/sbin/virtlockd
> 
> It appears that virtd_t has no such restrictions, so
> virNetSocketGetUNIXIdentity() succeeds completely when a user runs
> `virt-admin -c virtlockd:///system`, and further dangerous commands can be
> invoked from there.

Comment 7 Lukas Vrabec 2019-08-06 15:30:44 UTC
commit 42bef24fb6fc520a1338424fe3f57d3e116d673a (HEAD -> rhel7.8-contrib, origin/rhel7.8-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 25 12:44:52 2019 +0200

    Allow virtlockd process to read virtlockd.conf file
    
    virtlockd process runs with virtlogd_t domain instead of virtd_t domain,
    but virtlogd_t domain cannot access virtlockd.conf files labeled as
    virt_etc_t. This commit fixes the issue.
    Resolves: rhbz#1714896

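The two checks below are an added example and are not code from this bug report, from libvirt or from selinux-policy. They cover the two things a reviewer of comment 0 and comment 7 would want to verify from captured data: first, parsing an audit AVC record (the `type=AVC` line quoted in comment 0) into its source type, target type, object class and permissions and rendering the audit2allow-style rule that would be needed to silence it, so that the reviewer can see exactly what would have to be granted (here `virtlogd_t` searching a `/proc/<pid>` directory that carries the client's own `unconfined_t` label, because `/proc/<pid>` entries are labeled with the process's context); second, comparing the domain each libvirt daemon is actually running in (the `ps` lines quoted in comment 0) with the domain it is expected to run in after the fix in comment 7, where virtlockd moves to `virtlogd_t`. The expected-domain table keyed by executable path is an assumption made for the example; the sample audit and `ps` lines are constructed from the text of this report.

```python
"""Added example, not code from the bug report, libvirt or selinux-policy:
parse SELinux AVC denials and check which domain libvirt daemons run in."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 'avc:  denied  { search } for  pid=... comm="virtlogd" ... tclass=dir permissive=0'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: domain each daemon should run in once the fix from
# this bug (selinux-policy-3.13.1-255.el7) is applied, keyed by executable path.
# virtlockd joins virtlogd in virtlogd_t instead of running in virtd_t.
EXPECTED_DOMAIN: Dict[str, str] = {
    '/usr/sbin/virtlogd': 'virtlogd_t',
    '/usr/sbin/virtlockd': 'virtlogd_t',
}


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        # user:role:type:range -> type
        return self.scontext.split(':')[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(':')[2]

    def allow_rule(self) -> str:
        """Render the rule audit2allow would propose for this denial."""
        perms = self.perms[0] if len(self.perms) == 1 else '{ %s }' % ' '.join(self.perms)
        return 'allow %s %s:%s %s;' % (self.source_type, self.target_type, self.tclass, perms)


def parse_avc(record: str) -> Optional[AvcDenial]:
    """Parse one type=AVC audit record; return None for any other record type."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcDenial(
        perms=tuple(m.group('perms').split()),
        comm=fields.get('comm', ''),
        scontext=fields['scontext'],
        tcontext=fields['tcontext'],
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


def denied_rules(records: List[str]) -> List[str]:
    """Candidate allow rules for every enforced (non-permissive) AVC denial."""
    parsed = (parse_avc(r) for r in records)
    return [d.allow_rule() for d in parsed if d is not None and not d.permissive]


def check_daemon_domains(ps_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (exe, actual_type, expected_type) for each listed daemon whose
    SELinux type differs from EXPECTED_DOMAIN.  Lines are in `ps auxZ` layout:
    LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    mismatches = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 12:
            continue
        context, exe = parts[0], parts[11]
        expected = EXPECTED_DOMAIN.get(exe)
        if expected is None:
            continue
        actual = context.split(':')[2]
        if actual != expected:
            mismatches.append((exe, actual, expected))
    return mismatches


# Constructed sample input, taken from the records quoted in comment 0.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1557278958.370:7143): avc:  denied  { search } for  pid=27744 comm="virtlogd" name="24609" dev="proc" ino=31260969 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1557278958.370:7143): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f7b60003870 a2=0 a3=0 items=0 ppid=1 pid=27744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)',
]
SAMPLE_PS = [
    'system_u:system_r:virtlogd_t:s0-s0:c0.c1023 root 1186 0.0  0.5 346760 10816 ?  Ss   21:39   0:00 /usr/sbin/virtlogd',
    'system_u:system_r:virtd_t:s0-s0:c0.c1023 root 1250 0.0  0.6 365444 11436 ?     Ss   21:41   0:00 /usr/sbin/virtlockd',
]

if __name__ == '__main__':
    for rule in denied_rules(SAMPLE_AUDIT):
        print('rule needed to silence denial:', rule)
    for exe, actual, expected in check_daemon_domains(SAMPLE_PS):
        print('%s runs as %s, expected %s' % (exe, actual, expected))
```

On the pre-fix data from comment 0 the domain check reports virtlockd running as `virtd_t` rather than `virtlogd_t`; on a system with selinux-policy-3.13.1-255.el7 or later, feeding it `ps auxZ | grep virt` should report nothing. The rendered rule `allow virtlogd_t unconfined_t:dir search;` is the point of the first check: before adding such a rule, a reviewer should ask why a logging daemon needs to walk into arbitrary clients' `/proc/<pid>` directories at all, which is the peer-identity lookup described in comment 0.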
Comment 16 errata-xmlrpc 2020-03-31 19:10:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1007