Bug 1758525
| Summary: | upstream qemu change that mmaps ELF files breaks with selinux rules | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christian Borntraeger <borntraeger> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 30 | CC: | berrange, borntraeger, dhildenb, dwalsh, lvrabec, mgrepl, pbonzini, plautrba, sgarzare, thuth, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-52.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| Clones: | 1758545 1758640 1758641 (view as bug list) | Environment: | |
| Last Closed: | 2019-11-17 01:13:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1758545, 1758640 | | |
Adding Daniel and Paolo as this was discussed on the libvirt and qemu mailing lists:
https://lists.gnu.org/archive/html/qemu-devel/2019-10/msg01122.html
https://www.redhat.com/archives/libvir-list/2019-October/msg00191.html

The virt.te policy rules already include:

allow svirt_t svirt_image_t:file map;
allow svirt_t svirt_image_t:blk_file map;

which handles disks/images we expose to QEMU with read-write permission. virt_content_t is used for disks/images we expose to QEMU with read-only permission, and I don't see a reason why we can't allow mmap for those too. IIUC, we're enforcing read-only-ness of the file separately from the map permission. So I think we probably want two additions:

allow svirt_t virt_content_t:file map;
allow svirt_t virt_content_t:blk_file map;

I guess this is also broken for RHEL, RHV. So as soon as qemu >= 4.2 is part of RHV, we have the same problem there as well. Is there a process to cascade this into those distributions as well?

commit 76616cf62cddda3c6ca0a9cd1b7820052b228854 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Fri Oct 4 17:36:42 2019 +0200

Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files

Resolves: rhbz#1758525
Any chance to also get this fix into Fedora 30 as a backport? (and of course 31)

Christian,
Yes it's backported to F31 and F30.
https://github.com/fedora-selinux/selinux-policy-contrib/commit/8f719024b088c3e9b9f3f2697586ba1858981914
https://github.com/fedora-selinux/selinux-policy-contrib/commit/926dc71928159b50fd3faa19ae031c5647946cf4

(In reply to Lukas Vrabec from comment #6)
> Christian,
> Yes it's backported to F31 and F30.
>
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/8f719024b088c3e9b9f3f2697586ba1858981914
>
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/926dc71928159b50fd3faa19ae031c5647946cf4

Thanks. How often are the binary packages rebuilt? Currently the update is not yet available for users, e.g. https://dl.fedoraproject.org/pub/fedora-secondary/updates/30/Everything/s390x/Packages/s/ still has an se-policy version from September.

FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:

Newer qemu git versions that contain commit 816b9fe450220e19acb91a0ce4a8ade7000648d1 (refs/bisect/bad) "elf-ops.h: Map into memory the ELF to load" crash when an ELF file is used as os.kernel:

2019-10-04T12:00:32.675188Z qemu-system-s390x: GLib: g_mapped_file_unref: assertion 'file != NULL' failed

strace tells that I can read the ELF file, but not mmap it:

214365 openat(AT_FDCWD, "/var/lib/libvirt/images/test_cpu_timer.elf", O_RDONLY)
214365 read(46, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0", 16) = 16
214365 lseek(46, 0, SEEK_SET) = 0
[...]
214365 fstat(46, {st_mode=S_IFREG|0755, st_size=168176, ...}) = 0
214365 mmap(NULL, 168176, PROT_READ|PROT_WRITE, MAP_PRIVATE, 46, 0) = -1 EACCES (Permission denied)

So reading from /var/lib/libvirt/images/test_cpu_timer.elf does work, mmapping does not. setenforce 0 makes the problem go away.

audit2allow shows, among others:

allow svirt_t virt_content_t:file map;
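The report above ends with an audit2allow line, and the thread's policy discussion turns on one point: SELinux's `map` permission is checked independently of `read` and `write`, so granting `map` on `virt_content_t` does not loosen its read-only-ness. The following Python script is an added illustration, not part of the bug report or of the selinux-policy project: it parses AVC denial records the way audit2allow summarises them into `allow` rules, and then applies a review step that separates a `map` request on a read-only content type (acceptable, as the fix in this bug does) from a write-class request on the same type (which should be refused rather than waved through). The audit lines, the PIDs, device names and inode numbers are constructed sample data; the type and class names come from the report.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the bug report).  The first
# two mirror the denial the reporter hit: svirt_t may read virt_content_t but
# not map it.  The third is a write request on the same read-only type, added so
# the review step below has something to refuse.  The SYSCALL line is noise the
# parser must skip.  PIDs, devices and inodes are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1570190432.675:1201): avc:  denied  { map } for  pid=214365 comm="qemu-system-s39" path="/var/lib/libvirt/images/test_cpu_timer.elf" dev="dm-0" ino=1311 scontext=system_u:system_r:svirt_t:s0:c305,c842 tcontext=system_u:object_r:virt_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1570190432.675:1202): avc:  denied  { map } for  pid=214365 comm="qemu-system-s39" path="/dev/mapper/ro-image" dev="devtmpfs" ino=57 scontext=system_u:system_r:svirt_t:s0:c305,c842 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1570190432.680:1203): avc:  denied  { write } for  pid=214365 comm="qemu-system-s39" path="/var/lib/libvirt/images/test_cpu_timer.elf" dev="dm-0" ino=1311 scontext=system_u:system_r:svirt_t:s0:c305,c842 tcontext=system_u:object_r:virt_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1570190432.675:1201): success=no exit=-13 comm="qemu-system-s39"
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that alter content.  A type that exists to label read-only
# material (virt_content_t in this bug) should never be granted these.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}
READ_ONLY_TYPES = {"virt_content_t"}


def type_of(context):
    """Extract the type field from user:role:type[:mls]."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Return (source_type, target_type, tclass, frozenset(perms)) per AVC record."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL, CWD, PATH records etc. carry no denial
        perms = frozenset(match.group("perms").split())
        denials.append((type_of(match.group("scontext")),
                        type_of(match.group("tcontext")),
                        match.group("tclass"),
                        perms))
    return denials


def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow prints them."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in merged.items():
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return sorted(rules)


def review(denials, read_only_types=READ_ONLY_TYPES):
    """Split candidate rules: 'map' on read-only content is fine, write-class access is not."""
    accepted, refused = [], []
    for denial in denials:
        _src, tgt, _cls, perms = denial
        if tgt in read_only_types and perms & WRITE_LIKE:
            refused.append(denial)
        else:
            accepted.append(denial)
    return allow_rules(accepted), allow_rules(refused)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print("raw audit2allow-style summary:")
    for rule in allow_rules(found):
        print("  " + rule)
    ok, bad = review(found)
    print("acceptable for a read-only content type:")
    for rule in ok:
        print("  " + rule)
    print("refused (would make read-only content writable):")
    for rule in bad:
        print("  " + rule)
```

On a real host the same logic applies to `ausearch -m AVC` output; the script is a teaching aid for reading what audit2allow proposes, not a replacement for it. The point it makes concrete is the one Daniel raises in the thread: the two accepted rules are exactly `allow svirt_t virt_content_t:file map;` and `allow svirt_t virt_content_t:blk_file map;`, while the `write` denial on the same type is kept out of the policy.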