Bug 2101575

Summary: libvirt: SELinux labels are not set on UNIX sockets
Product: Red Hat Enterprise Linux 8
Reporter: david
Component: libvirt
Assignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA
QA Contact: yafu <yafu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.6
CC: cweather, dzheng, gveitmic, haizhao, jdenemar, jsuchane, lmen, mprivozn, virt-maint, xuzhang, yafu
Target Milestone: rc
Keywords: Triaged, Upstream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: libvirt-8.0.0-10.module+el8.7.0+16047+746a126c
Doc Type: Bug Fix
Doc Text:
Cause: When starting up a guest, libvirt did not set the SELinux label on UNIX sockets, but relied on SELinux itself to apply the default label.
Consequence: This works for as long as users don't want to use a different, non-default label. But as soon as they use a non-default label, libvirt won't set it on the UNIX socket, leaving other processes unable to connect to the socket.
Fix: Libvirt was changed so that it sets the label.
Result: Other processes can now connect to QEMU happily.
Story Points: ---
Clone Of:
: 2127409
Environment:
Last Closed: 2022-11-08 09:20:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2127409

Description david 2022-06-27 20:59:54 UTC
Description of problem:
When customizing labels, UNIX sockets with mode="bind" (such as for the guest agent) do not get relabeled as defined.

Version-Release number of selected component (if applicable):
8.0.0-5

How reproducible:
Always

Steps to Reproduce:
1. Make up a socket device source in the VM XML:
<source mode="bind" path="/tmp/test.sock">
 <seclabel model="selinux" relabel="yes">
  <label>system_u:system_r:custom_t:s0:c1</label>
 </seclabel>
</source>

Actual results:
The socket will be tmp_t:SystemLow.

Expected results:
The label should be set as defined.

Additional info:
The SELinux labeling code ignores sockets with mode="bind", while other models (DAC) are able to work with it.  I sent a fix upstream here:

https://gitlab.com/libvirt/libvirt/-/merge_requests/168

Can the fix be applied to RHEL 8 when approved?

Comment 1 Jaroslav Suchanek 2022-06-30 19:31:54 UTC
(In reply to david from comment #0)
> 
> Additional info:
> The SELinux labeling code ignores sockets with mode="bind", while other
> models (DAC) are able to work with it.  I sent a fix upstream here:
> 

Great! Thank you.

> https://gitlab.com/libvirt/libvirt/-/merge_requests/168
> 
> Can the fix be applied to RHEL 8 when approved?

Certainly. Can you please elaborate why you need that for RHEL-8? If you are an existing customer going through the customer service is a preferable way.

Thanks.

Comment 2 david 2022-07-01 11:28:47 UTC
I will try to get the customer's account to submit a customer service request for it.  This bug can be closed if it will be handled there.

Comment 3 Michal Privoznik 2022-07-01 13:28:59 UTC
Merged upstream:

commit 9f13f54a6348b54170f7de3595039c99b9da72c7
Author:     David Michael <david>
AuthorDate: Tue Jun 28 08:33:41 2022 -0400
Commit:     Michal Prívozník <mprivozn>
CommitDate: Fri Jul 1 14:51:19 2022 +0200

    security_selinux.c: Relabel existing mode="bind" UNIX sockets
    
    This supports sockets created by libvirt and passed by FD using the
    same method as in security_dac.c.
    
    Signed-off-by: David Michael <david>
    Signed-off-by: Michal Privoznik <mprivozn>
    Reviewed-by: Michal Privoznik <mprivozn>

v8.5.0-13-g9f13f54a63

Comment 4 cweather 2022-07-05 17:19:26 UTC
Attached bug to case 03259483.

Comment 17 yafu 2022-08-01 03:02:48 UTC
Verified with libvirt-daemon-8.0.0-10.module+el8.7.0+16047+746a126c.x86_64.

Test steps:
1. Define a guest with a 'bind' UNIX socket device:
#virsh edit avocado-vt-vm1
<domain>
...
<devices>
   ...
   <serial type='unix'>
      <source mode='bind' path='/tmp/test1.sock'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:svirt_image_t:s0</label>
        </seclabel>
        <seclabel model='dac' relabel='yes'>
          <label>test:test</label>
        </seclabel>
      </source>
      <target type='isa-serial' port='1'>
        <model name='isa-serial'/>
      </target>
    </serial>
   ...
   <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/vm1.agent'>
        <seclabel model='selinux' relabel='yes'>
          <label>system_u:object_r:admin_home_t:s0</label>
        </seclabel>
      </source>
      <target type='virtio' name='org.qemu.guest_agent.1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
...
</devices>
...
</domain>

2. Start the guest:
#virsh start avocadov-vt-vm1
Domain 'avocado-vt-vm1' started

3. Check the labels of the UNIX sockets; both the DAC and SELinux labels are set as defined in the guest XML:
# ll -Z /tmp/test1.sock 
srwxrwxr-x. 1 test test system_u:object_r:svirt_image_t:s0 0 Jul 31 22:56 /tmp/test1.sock

# ll -Z /var/lib/libvirt/qemu/vm1.agent 
srwxrwxr-x. 1 qemu qemu system_u:object_r:admin_home_t:s0 0 Jul 31 22:56 /var/lib/libvirt/qemu/vm1.agent
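
An added check, not part of this bug report or of libvirt, that automates step 3 above: it parses the domain XML for mode='bind' UNIX sockets that carry an SELinux seclabel and compares each declared label with the socket's security.selinux xattr, which is what `ll -Z` prints. The embedded domain XML is a constructed, cut-down copy of the one in the test steps; the mode='connect' socket and the /run/peer.sock path are added only to show that connect-mode sockets are skipped.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, cut down from the domain XML in the verification steps
# above; a mode='connect' socket is added to show that it is skipped.
DOMAIN_XML = """<domain type='kvm'><devices>
  <serial type='unix'>
    <source mode='bind' path='/tmp/test1.sock'>
      <seclabel model='selinux' relabel='yes'><label>system_u:object_r:svirt_image_t:s0</label></seclabel>
      <seclabel model='dac' relabel='yes'><label>test:test</label></seclabel>
    </source>
  </serial>
  <channel type='unix'>
    <source mode='bind' path='/var/lib/libvirt/qemu/vm1.agent'>
      <seclabel model='selinux' relabel='yes'><label>system_u:object_r:admin_home_t:s0</label></seclabel>
    </source>
  </channel>
  <channel type='unix'>
    <source mode='connect' path='/run/peer.sock'>
      <seclabel model='selinux' relabel='yes'><label>system_u:object_r:svirt_image_t:s0</label></seclabel>
    </source>
  </channel>
</devices></domain>"""

def expected_selinux_labels(domain_xml):
    """Map each mode='bind' socket path to the SELinux label the XML asks
    libvirt to set; mode='connect' sockets are created by the peer, not
    libvirt, so they are skipped."""
    expected = {}
    for src in ET.fromstring(domain_xml).iter("source"):
        if src.get("mode") != "bind" or not src.get("path"):
            continue
        for sec in src.findall("seclabel"):
            if sec.get("model") == "selinux" and sec.get("relabel") == "yes":
                label = (sec.findtext("label") or "").strip()
                if label:
                    expected[src.get("path")] = label
    return expected

def actual_selinux_label(path):
    """Read the security.selinux xattr, which is what `ll -Z` prints
    (needs an SELinux-enabled Linux host and an existing socket)."""
    return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()

def mismatches(expected, actual):
    """Sockets whose on-disk label differs from the XML: {path: (want, have)}.
    An empty result means every bind socket was relabeled as declared."""
    return {p: (w, actual.get(p)) for p, w in expected.items()
            if actual.get(p) != w}
```

On a host running the fixed build, feed it the `virsh dumpxml` output of a running guest and call actual_selinux_label() for each returned path; a non-empty mismatches() result is the symptom this bug describes.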

Comment 18 yafu 2022-08-01 03:05:10 UTC
Move the bug to VERIFIED according to comment #10, comment #13 and comment #17.

Comment 20 errata-xmlrpc 2022-11-08 09:20:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7472