Bug 755535
Summary: | RFE: security: don't change owner/label unless it's needed for launching qemu (like for /dev/sr0) | |
---|---|---|---
Product: | [Community] Virtualization Tools | Reporter: | Ankur Sinha (FranciscoD) <sanjay.ankur>
Component: | libvirt | Assignee: | Libvirt Maintainers <libvirt-maint>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | unspecified | CC: | abrt, autarch, berrange, borre2125, clalancette, cristian.ciupitu, crobinso, dave, dominick.grift, dougsland, dwalsh, ehabkost, firewalkergr, itamar, jforbes, laine, libvirt-maint, ralph.schmieder, req1348, roger, rtmetz92, s_gollmer, spetreolle, veillard, virt-maint
Target Milestone: | --- | Keywords: | Reopened
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:fa0344e188cf72546e973ddb607bbbb0c03178c7102362f48185e7ed9a77d33c | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-11-22 00:55:36 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Ankur Sinha (FranciscoD)
2011-11-21 12:18:15 UTC
We have the following:

    sesearch -A -s systemd_logind_t -c blk_file -p setattr --dontaudit
    Found 1 semantic av rules:
       allow systemd_logind_t removable_device_t : blk_file setattr ;

But I am not sure what we should do here, since this /dev/sr0 is being used by a virtual machine.

Should be fixed in the latest release.

I got this alert today, has the new policy already been released? I have done all the updates for fc16 stable.

Could you add your output of

    $ rpm -q selinux-policy

and also the AVC msgs which you are getting.

Here are my version info and AVC msgs:

    [syl@virt assembly]$ rpm -q selinux-policy
    selinux-policy-3.10.0-80.fc16.noarch

Raw Audit Messages

    type=AVC msg=audit(1334439780.545:17200): avc: denied { setattr } for pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

    type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 a0=6623d0 a1=3828805d2b a2=664810 a3=24 items=0 ppid=1 pid=6233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)

We have dev_setattr_all_chr_files(systemd_logind_t) but this is used by a virtual machine. I would dontaudit it.

The real bug is that libvirt relabeled the device to virt_content_t rather than its default label, which should be:

    matchpathcon /dev/sr0
    /dev/sr0	system_u:object_r:removable_device_t:s0

*** Bug 824137 has been marked as a duplicate of this bug. ***

*** Bug 795100 has been marked as a duplicate of this bug. ***

svirt guests are already allowed to read removable_device_t, right? So maybe the fix here is to not relabel devices we can already access. Not sure if that's considered insecure WRT svirt though, or if we can even determine the list of labels that we shouldn't need to change. Besides that, the only solutions I can see are 1) starting to restore the label on disks marked <readonly/>, telling any affected users that their shared images need to have <shareable/>, or 2) 'that's what happens when you use svirt and a shared system device, sorry'. danpb, any thoughts?

*** Bug 826299 has been marked as a duplicate of this bug. ***

Yes, I agree a readonly device is probably going to be shared, so we should not be relabeling it.

*** Bug 909590 has been marked as a duplicate of this bug. ***

This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

*** Bug 871790 has been marked as a duplicate of this bug. ***

Still not fixed, but this is basically a bigger problem that should be tracked upstream.

*** Bug 1246247 has been marked as a duplicate of this bug. ***

The proper fix IMO is for libvirt to not change the label for readonly disk images, if it's already labelled in such a way that we can already access it. I previously outlined this on the upstream mailing list: https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html

Repurposing this bug to track that work.

*** Bug 842831 has been marked as a duplicate of this bug. ***

Description of problem:
Just inserted a CD ROM

Version-Release number of selected component:
selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.4.6-301.fc23.x86_64
type: libreport

Is this fixed now? Can I close it?

Yes, I think it's as fixed as it is going to get. It has limitations in that it only restores labels/uid for read/write disk images, but I don't think libvirt will ever be providing more than that. This is the setting specified by remember_owner in /etc/libvirtd/qemu.conf; it is on by default.
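The AVC denial quoted in the thread, triaged the way a defender would: parse the AVC and SYSCALL records into fields, decode the hex-encoded `exe` value (the kernel hex-encodes a field when it contains a space, as the " (deleted)" suffix does here), pull out the source and target types, and check whether the device's current label matches the policy default that `matchpathcon` reports in the thread. This is an added example, not code from the bug report or from libvirt or selinux-policy. It hard-codes the audit lines and the default `/dev/sr0` context from the thread instead of reading a live system; the function names (`parse_audit`, `summarize`, `relabel_mismatch`) are my own.

```python
import re

# Constructed sample: the two audit records quoted in the bug report,
# re-split into one record per line (the page shows them run together).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1334439780.545:17200): avc: denied { setattr } for pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 a0=6623d0 a1=3828805d2b a2=664810 a3=24 items=0 ppid=1 pid=6233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)
"""

# Policy default for /dev/sr0 as reported by matchpathcon in the thread
# (hard-coded here instead of querying a live system).
DEFAULT_SR0_CONTEXT = "system_u:object_r:removable_device_t:s0"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')
# Fields the kernel hex-encodes when the value holds spaces, quotes or
# other special characters (here: an exe path ending in " (deleted)").
HEX_FIELDS = {"exe", "comm", "name", "path", "cwd", "key", "proctitle"}


def decode_field(key, value):
    """Strip quotes from quoted values and hex-decode encoded ones."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_record(line):
    """Turn one 'type=... msg=audit(...): k=v ...' record into a dict."""
    rec = {k: decode_field(k, v) for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:  # only AVC records carry a verdict and a permission set
        rec["verdict"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def parse_audit(text):
    """Group records by audit event id, then by record type."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        event_id = rec["msg"].rstrip(":")  # e.g. 'audit(1334439780.545:17200)'
        events.setdefault(event_id, {})[rec["type"]] = rec
    return events


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    return ctx.split(":", 3)[2]


def summarize(event):
    """Reduce an AVC + SYSCALL pair to the fields a triager looks at."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    return {
        "verdict": avc["verdict"],
        "perms": avc["perms"],
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "target_class": avc["tclass"],
        "target_name": avc.get("name"),
        "exe": sc.get("exe"),
        "syscall": sc.get("syscall"),
        # A denied AVC whose syscall still succeeded means the access was
        # only logged, not blocked (permissive mode or a permissive domain).
        "syscall_succeeded": sc.get("success") == "yes",
    }


def relabel_mismatch(current_ctx, default_ctx):
    """Compare a device's current type with its policy default.
    Returns (current, default) when they differ, else None."""
    cur, dfl = context_type(current_ctx), context_type(default_ctx)
    return (cur, dfl) if cur != dfl else None


if __name__ == "__main__":
    for event_id, event in parse_audit(SAMPLE_AUDIT).items():
        s = summarize(event)
        print(f"{event_id}: {s['source_type']} {s['verdict']} {s['perms']} "
              f"on {s['target_class']} {s['target_name']} ({s['target_type']}) "
              f"via {s['exe']}")
        mismatch = relabel_mismatch(event["AVC"]["tcontext"], DEFAULT_SR0_CONTEXT)
        if mismatch:
            print(f"  device carries {mismatch[0]}, policy default is {mismatch[1]}")
```

On the thread's own records this reports the relabel the maintainers diagnosed: the device carries `virt_content_t` while the policy default is `removable_device_t`. It also surfaces a detail that is easy to miss in the raw lines: `success=yes` next to a `denied` AVC means systemd-logind's setxattr went through anyway, so the system (or that domain) was permissive at the time. On a live host the default context would come from `matchpathcon /dev/sr0` or `selinux.matchpathcon()` rather than the constant used here.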