Bug 2172267

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | libvirt is unable to start passt process when SELinux is enforcing | | |
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Laine Stump <laine> |
| Component: | libvirt | Assignee: | Laine Stump <laine> |
| libvirt sub component: | Networking | QA Contact: | yalzhang <yalzhang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | unspecified | CC: | dzheng, haizhao, jdenemar, lmen, pvlasin, sbrivio, virt-maint, yalzhang, ymankad |
| Version: | 9.2 | Keywords: | Triaged |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | libvirt-9.0.0-9.el9_2 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2172268 2179030 | Environment: | |
| Last Closed: | 2023-05-09 07:27:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2172268 | | |
| Bug Blocks: | 2179030 | | |
Description
Laine Stump
2023-02-21 19:15:18 UTC
Upstream series, apparently rejected, here: https://listman.redhat.com/archives/libvir-list/2023-February/238099.html

A new upstream series based on email and IRC discussion of the original: https://listman.redhat.com/archives/libvir-list/2023-March/238571.html

Just to reiterate from the BZ description - the full solution is three-tiered - it also requires small additions to the virt policies in the selinux-policy package (Bug 2172268 - upstream MR posted, waiting for review/push), and selinux policies in the passt package (Bug 2176813 - already pushed upstream).

Fix pushed upstream as 4 patches:

```
commit a53c1d6f842ba0f516bbacff8250ba0d7a10074a
Author: Laine Stump <laine>
Date:   Wed Mar 1 11:34:24 2023 -0500

    util: add an API to retrieve the resolved path to a virCommand's binary

commit 60afe39576abc9b26f5f8c1dfed39bbc783fb78c
Author: Laine Stump <laine>
Date:   Wed Mar 8 12:50:38 2023 -0500

commit 75056f61f12d6efec51f699f2b901f8d02cd075c
Author: Laine Stump <laine>
Date:   Wed Mar 1 15:34:32 2023 -0500

    security: make it possible to set SELinux label of child process from its binary

commit 8419dd3b69cfada783a2e6df315e45dd294b0d18
Author: Laine Stump <laine>
Date:   Wed Mar 1 15:58:24 2023 -0500

    qemu: set SELinux label of passt process to its own binary's label
```

Patches backported to rhel-9.2.0 branch and MR sent: https://gitlab.com/redhat/rhel/src/libvirt/-/merge_requests/104

This upstream commit was also added:

```
commit 50023cb5c64287786df12dbd1f7d2afc15b94a27
Author: Andrea Bolognani <abologna>
Date:   Tue Mar 14 10:41:46 2023 +0100

    rpm: Recommend passt-selinux
```

Test with root user and unprivileged user, with selinux enabled, and the scenarios below; the result is as expected.

Packages:

```
$ rpm -q libvirt passt selinux-policy
libvirt-9.0.0-10.el9_2.x86_64
passt-0^20230222.g4ddbcb9-2.el9_2.x86_64
selinux-policy-38.1.11-2.el9_2.noarch
```

Test scenarios:

1. Start vm with passt backend interface;
2. Hotplug a passt backend interface;
3. Kill the passt process while the vm is running to check the reconnect feature;
4. VM lifecycle test including save->restore, managedsave, suspend->resume, with the passt backend interface.

For scenario 1, start vm with root user:

```
# getenforce
Enforcing
# virsh dumpxml rhel --xpath //interface
<interface type="user">
  <mac address="52:54:00:4e:92:81"/>
  <source dev="eno1"/>
  <portForward proto="tcp">
    <range start="6000"/>
  </portForward>
  <model type="virtio"/>
  <backend type="passt" logFile="/run/user/107/passt.log"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
# virsh start rhel
Domain 'rhel' started
# ps aux -Z | grep usr/bin/passt | grep -v grep
system_u:system_r:passt_t:s0:c445,c836 qemu 48709 0.0 0.0 76344 37264 ? Ss 05:59 0:00 /usr/bin/passt --one-off --socket /run/libvirt/qemu/passt/1-rhel-net0.socket --mac-addr 52:54:00:4e:92:81 --pid /run/libvirt/qemu/passt/1-rhel-net0-passt.pid --interface eno1 --log-file /run/user/107/passt.log --tcp-ports 6000
```

Log in to the vm to check the network function, IP address, default route and nameserver; all results are as expected.

With unprivileged user:

```
# machinectl shell test@
Connected to the local host. Press ^] three times within 1s to exit session.
$ id
uid=1000(test) gid=1000(test) groups=1000(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ virsh dumpxml rhel --xpath //interface
<interface type="user">
  <mac address="52:54:00:4e:92:81"/>
  <source dev="eno1"/>
  <portForward proto="tcp">
    <range start="6001"/>
  </portForward>
  <model type="virtio"/>
  <backend type="passt" logFile="/run/user/1000/passt.log"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
$ virsh start rhel
Domain 'rhel' started
$ ps aux -Z | grep usr/bin/passt | grep -v grep
unconfined_u:unconfined_r:passt_t:s0:c36,c900 test 49091 0.0 0.0 76348 38188 ? Ss 06:05 0:00 /usr/bin/passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0.socket --mac-addr 52:54:00:4e:92:81 --pid /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0-passt.pid --interface eno1 --log-file /run/user/1000/passt.log --tcp-ports 6001
```

Log in to the vm and check the network function; all as expected. Destroy the vm, and check the passt process terminated, which is as expected.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2171
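The verification comment checks the passt label by eye in `ps aux -Z` output. As an added example (not from the bug report or from libvirt), this POSIX shell script applies the same check to a `ps -eo label,pid,args` listing: every `/usr/bin/passt` process must run in the `passt_t` domain with a per-VM MCS category pair. The listing is a constructed sample; the `virtd_t` line is an invented wrong label for demonstration, not the label observed before the fix.

```shell
#!/bin/sh
# Added example, not part of the bug report: verify that libvirt-launched passt
# processes run in the passt_t SELinux domain with an MCS category pair, as the
# `ps aux -Z` output in the verification comment shows after the fix.
# Assumes the procps `ps` "label" output keyword (ps -eo label,pid,args).

# passt_context_ok CONTEXT: succeed when CONTEXT is user:role:passt_t:s0:cA,cB
passt_context_ok() {
    ctx=$1
    dom=$(printf '%s\n' "$ctx" | cut -d: -f3)
    mcs=$(printf '%s\n' "$ctx" | cut -d: -f4-)
    [ "$dom" = "passt_t" ] || return 1
    case $mcs in
        s0:c[0-9]*,c[0-9]*) return 0 ;;   # svirt-style per-VM category pair
        *) return 1 ;;
    esac
}

# check_passt_listing: read "label pid args" lines on stdin and report every
# /usr/bin/passt process whose label is not passt_t; exit status 1 if any.
check_passt_listing() {
    rc=0
    while read -r label pid cmd _rest; do
        [ "$cmd" = "/usr/bin/passt" ] || continue
        if passt_context_ok "$label"; then
            echo "pid $pid: ok ($label)"
        else
            echo "pid $pid: passt running under unexpected context $label"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample listing (not captured output): two correctly labelled passt
# processes, one wrongly labelled (invented virtd_t line), one unrelated process.
SAMPLE_LISTING='system_u:system_r:passt_t:s0:c445,c836 48709 /usr/bin/passt --one-off --socket /run/libvirt/qemu/passt/1-rhel-net0.socket
unconfined_u:unconfined_r:passt_t:s0:c36,c900 49091 /usr/bin/passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0.socket
system_u:system_r:virtd_t:s0-s0:c0.c1023 50000 /usr/bin/passt --one-off --socket /tmp/constructed.socket
system_u:system_r:virtd_t:s0-s0:c0.c1023 1234 /usr/sbin/libvirtd'

# On a live host replace the sample with: ps -eo label,pid,args | check_passt_listing
if printf '%s\n' "$SAMPLE_LISTING" | check_passt_listing; then
    echo "all passt processes correctly labelled"
else
    echo "at least one passt process is mislabelled"
fi
```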