Bug 2063871

Summary: AVC lldpad denied sendto scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket
Product: Red Hat Enterprise Linux 8 Reporter: Sandro Bonazzola <sbonazzo>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 8.6CC: amusil, bstinson, eraviv, gdeolive, jwboyer, lsurette, lvrabec, mburman, mmalik, mperina, msobczyk, srevivo, ssekidde, ycui, zpytela
Target Milestone: rcKeywords: AutomationBlocker, Triaged, ZStream
Target Release: 8.7   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-99.el8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 2082147 2095184 (view as bug list) Environment:
Last Closed: 2022-11-08 10:44:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Storage RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2020997, 2082147, 2095184, 2111410    

Description Sandro Bonazzola 2022-03-14 14:42:38 UTC 
Description of problem:

On CentOS Stream 8 based oVirt Node:

type=AVC msg=audit(1647266624.393:922): avc:  denied  { sendto } for  pid=22657 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F3232393931 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1647266757.171:105): avc:  denied  { sendto } for  pid=2295 comm="lldpad" path=002F636F6D2F696E74656C2F6C6C647061642F32373937 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_dgram_socket permissive=0


Version-Release number of selected component (if applicable):

# rpm -qa |grep selinux
selinux-policy-3.14.3-93.el8.noarch
selinux-policy-targeted-3.14.3-93.el8.noarch
ipa-selinux-4.9.8-2.module_el8.6.0+1054+cdb51b28.noarch
libselinux-utils-2.9-5.el8.x86_64
openvswitch-selinux-extra-policy-1.0-28.el8.noarch
glusterfs-selinux-2.0.1-1.el8s.noarch
rpm-plugin-selinux-4.14.3-22.el8.x86_64
libselinux-2.9-5.el8.x86_64
python3-libselinux-2.9-5.el8.x86_64

# rpm -qa |grep lldpad
lldpad-1.0.1-16.git036e314.el8.x86_64
Comment 1 Zdenek Pytela 2022-03-14 14:46:31 UTC 
Commit to backport:
commit d45bd1720adf4e9819e725082cf6925fa946e909
Author: Zdenek Pytela <zpytela>
Date:   Tue Aug 24 19:40:25 2021 +0200

    Allow lldpad send to unconfined_t over a unix dgram socket

A similar problem probably appears on RHEL 9.
Comment 3 Zdenek Pytela 2022-04-22 15:11:23 UTC 
Seems I overlooked the type actually is unconfined_service_t.

Sandro, do you know which service lldpad tries to communicate with?

ps -eo pid,ppid,fname,cmd,context | grep -e CONTEXT -e unconfined_service_t
Comment 14 Zdenek Pytela 2022-04-25 09:58:14 UTC 
I've submitted a Fedora draft PR to assign file context for both /usr/libexec/vdsm/supervdsmd and vdsmd:
https://github.com/fedora-selinux/selinux-policy/pull/1166
Comment 33 Martin Perina 2022-05-02 08:27:30 UTC 
OK, based on above findings moving the bug to RHV for further investigation
Comment 36 Martin Perina 2022-05-04 07:32:59 UTC 
Here are reproducing steps for the iscsi issue:

1. Have a RHV hypervisor with iscsi storage
2. Move to Maintanence
3. SSH to host and apply correct selinux rules:

  chcon -t virtd_exec_t /usr/libexec/vdsm/vdsmd_init_common.sh
  chcon -t virtd_exec_t /usr/libexec/vdsm/supervdsmd
  chcon -t virtd_exec_t /usr/libexec/vdsm/vdsmd
  chcon -t virtd_exec_t /usr/libexec/vdsm/daemonAdapter

4. Reboot host and wait to restart finished
5. Activate the host

-> after activation the host is switched to NonOperational, all iscsi storage domains report errors.


This needs to be solved before we can fix the rules in default selinux policy and ask for backport to RHEL 8.6.z
Comment 38 Ales Musil 2022-05-04 11:10:03 UTC 
Hi, 

after some investigation it seems that the iscsi was coincidence. Could you please
prepare the patch for selinux-context with following files having virtd_exec_t:
/usr/libexec/vdsm/vdsmd_init_common.sh
/usr/libexec/vdsm/supervdsmd
/usr/libexec/vdsm/vdsmd
/usr/libexec/vdsm/daemonAdapter

We will also need 8.6 backport. 

Thanks
Comment 39 Zdenek Pytela 2022-05-12 08:52:35 UTC 
(In reply to Ales Musil from comment #38)
> Hi, 
> 
> after some investigation it seems that the iscsi was coincidence. Could you
> please
> prepare the patch for selinux-context with following files having
> virtd_exec_t:
> /usr/libexec/vdsm/vdsmd_init_common.sh
> /usr/libexec/vdsm/supervdsmd
> /usr/libexec/vdsm/vdsmd
> /usr/libexec/vdsm/daemonAdapter
> 
> We will also need 8.6 backport. 
The fix is on the way and should be in the next build. For a backport, please follow z-stream workflow.
Comment 40 Zdenek Pytela 2022-05-13 16:20:53 UTC 
Additional commit to backport:
commit 8ec1a669d99b1b0a86dbf4ac151e3b0f2a778eb1 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Thu May 12 10:45:19 2022 +0200

    Label more vdsm utils with virtd_exec_t
Comment 60 errata-xmlrpc 2022-11-08 10:44:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691