Bug 755535

Summary: RFE: security: don't change owner/label unless it's needed for launching qemu (like for /dev/sr0)
Product: [Community] Virtualization Tools
Reporter: Ankur Sinha (FranciscoD) <sanjay.ankur>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: abrt, autarch, berrange, borre2125, clalancette, cristian.ciupitu, crobinso, dave, dominick.grift, dougsland, dwalsh, ehabkost, firewalkergr, itamar, jforbes, laine, libvirt-maint, ralph.schmieder, req1348, roger, rtmetz92, s_gollmer, spetreolle, veillard, virt-maint
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:fa0344e188cf72546e973ddb607bbbb0c03178c7102362f48185e7ed9a77d33c
Doc Type: Bug Fix
Last Closed: 2019-11-22 00:55:36 UTC

Description Ankur Sinha (FranciscoD) 2011-11-21 12:18:15 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.1-2.fc16.x86_64
reason:         SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0.
time:           Mon Nov 21 17:47:57 2011

description:
SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-logind should be allowed setattr access on the sr0 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_logind_t:s0
Target Context                system_u:object_r:virt_content_t:s0
Target Objects                sr0 [ blk_file ]
Source                        systemd-logind
Source Path                   /lib/systemd/systemd-logind
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-37-3.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-55.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.1.1-2.fc16.x86_64 #1 SMP Mon Nov 14 15:46:10 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Sun 20 Nov 2011 23:31:06 IST
Last Seen                     Sun 20 Nov 2011 23:31:28 IST
Local ID                      c6520185-4c09-4717-9d0f-0f97a0a03b58

Raw Audit Messages
type=AVC msg=audit(1321812088.936:518): avc:  denied  { setattr } for  pid=1035 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1144 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file

type=SYSCALL msg=audit(1321812088.936:518): arch=x86_64 syscall=setxattr success=yes exit=0 a0=b57b40 a1=3c1b005d2b a2=b58340 a3=2c items=0 ppid=1 pid=1035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)

Hash: systemd-logind,systemd_logind_t,virt_content_t,blk_file,setattr

audit2allow

#============= systemd_logind_t ==============
allow systemd_logind_t virt_content_t:blk_file setattr;

audit2allow -R

#============= systemd_logind_t ==============
allow systemd_logind_t virt_content_t:blk_file setattr;

Comment 1 Daniel Walsh 2011-11-23 14:56:06 UTC
We have the following

sesearch -A -s systemd_logind_t -c blk_file -p setattr --dontaudit
Found 1 semantic av rules:
   allow systemd_logind_t removable_device_t : blk_file setattr ; 


But I am not sure what we should do here, since this /dev/sr0 is being used by a virtual machine.

Comment 2 Miroslav Grepl 2012-03-15 13:56:14 UTC
Should be fixed in the latest release.

Comment 3 Sylvain Petreolle 2012-04-15 21:04:10 UTC
I got this alert today; has the new policy already been released?
I have done all the updates for fc16 stable.

Comment 4 Miroslav Grepl 2012-04-16 09:50:23 UTC
Could you add your output of

$ rpm -q selinux-policy

Comment 5 Miroslav Grepl 2012-04-16 09:50:56 UTC
And also AVC msgs which you are getting.

Comment 6 Sylvain Petreolle 2012-04-16 15:12:27 UTC
Here are my version info and AVC msgs:

[syl@virt assembly]$ rpm -q selinux-policy
selinux-policy-3.10.0-80.fc16.noarch

Raw Audit Messages
type=AVC msg=audit(1334439780.545:17200): avc:  denied  { setattr } for  pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file


type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 a0=6623d0 a1=3828805d2b a2=664810 a3=24 items=0 ppid=1 pid=6233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)

Comment 7 Miroslav Grepl 2012-04-17 09:00:29 UTC
We have 

dev_setattr_all_chr_files(systemd_logind_t)

but this is used by a virtual machine; I would dontaudit it.

Comment 8 Daniel Walsh 2012-04-17 20:59:21 UTC
The real bug is that libvirt relabeled the device to virt_content_t rather than its default label, which should be

matchpathcon /dev/sr0
/dev/sr0	system_u:object_r:removable_device_t:s0
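
As an added example (not part of this bug report, libvirt or setroubleshoot), the detection logic a defender could run over /var/log/audit/audit.log to spot the symptom Dan describes above: a denial on a device node whose label libvirt has changed to virt_content_t. It joins each AVC record to its SYSCALL record by the shared event serial and decodes the hex-encoded exe field seen in comment 6; the sample log is constructed from the records quoted there, and the function and field names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair quoted in comment 6 of this bug (SYSCALL
# trimmed to the fields used here) plus one unrelated denial for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1334439780.545:17200): avc:  denied  { setattr } for  pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 pid=6233 uid=0 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(1334439999.000:17201): avc:  denied  { read } for  pid=700 comm="httpd" name="index.html" dev=sda1 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# auditd writes these text fields as unquoted uppercase hex when they contain spaces or
# other special characters; the " (deleted)" suffix on exe above is what triggered that.
HEX_FIELDS = {"comm", "exe", "name", "cwd", "path", "proctitle"}
HDR_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PERM_RE = re.compile(r"denied\s+\{ ([^}]*) \}")

def parse_record(line):
    """Parse one audit record into a dict; return None for lines without an audit header."""
    m = HDR_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, raw, quoted in FIELD_RE.findall(line[m.end():]):
        val = quoted if raw.startswith('"') else raw
        if key in HEX_FIELDS and not raw.startswith('"') and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")  # undo audit's hex encoding
        rec[key] = val
    rec["perms"] = p.group(1).split() if (p := PERM_RE.search(line)) else []
    return rec

def find_relabel_denials(log_text, libvirt_labels=("virt_content_t",)):
    """Denials on device nodes carrying a libvirt-applied label, each joined to its SYSCALL record."""
    events = defaultdict(list)  # event serial -> all records of that event
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in events.items():
        syscalls = [r for r in recs if r["type"] == "SYSCALL"]
        for avc in recs:
            if (avc["type"] == "AVC" and avc.get("tclass") in ("blk_file", "chr_file")
                    and avc.get("tcontext", "::").split(":")[2] in libvirt_labels):
                findings.append({"serial": serial, "device": avc.get("name"), "perms": avc["perms"],
                                 "source_type": avc["scontext"].split(":")[2],
                                 "exe": syscalls[0].get("exe") if syscalls else None})
    return findings
```

A finding whose exe ends in "(deleted)" also tells you the denied process was still running an on-disk binary that had since been replaced, as was the case for systemd-logind in comment 6.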

Comment 9 Cole Robinson 2012-06-07 20:31:25 UTC
*** Bug 824137 has been marked as a duplicate of this bug. ***

Comment 10 Cole Robinson 2012-06-07 20:36:17 UTC
*** Bug 795100 has been marked as a duplicate of this bug. ***

Comment 11 Cole Robinson 2012-10-20 22:30:19 UTC
svirt guests are already allowed to read removable_device_t, right? So maybe the fix here is to not relabel devices we can already access. Not sure if that's considered insecure WRT svirt though, or if we can even determine the list of labels that we shouldn't need to change.

Besides that, the only solutions I can see are 1) starting to restore the label on disks marked <readonly/>, telling any affected users that their shared images need to have <shareable/>, or 2) 'that's what happens when you use svirt and a shared system device, sorry'.

danpb, any thoughts?

Comment 12 Cole Robinson 2012-10-21 21:07:31 UTC
*** Bug 826299 has been marked as a duplicate of this bug. ***

Comment 13 Daniel Walsh 2012-10-24 19:57:54 UTC
Yes, I agree; a readonly device is probably going to be shared, so we should not be relabeling it.

Comment 14 Miroslav Grepl 2013-02-11 12:31:30 UTC
*** Bug 909590 has been marked as a duplicate of this bug. ***

Comment 15 Fedora End Of Life 2013-07-03 23:44:17 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 16 Cole Robinson 2013-07-11 18:16:52 UTC
*** Bug 871790 has been marked as a duplicate of this bug. ***

Comment 17 Cole Robinson 2013-07-11 18:24:21 UTC
Still not fixed, but this is basically a bigger problem that should be tracked upstream.

Comment 18 Cole Robinson 2016-04-14 20:04:50 UTC
*** Bug 1246247 has been marked as a duplicate of this bug. ***

Comment 19 Cole Robinson 2016-04-14 20:08:17 UTC
The proper fix IMO is for libvirt to not change the label for readonly disk images, if it's already labelled in such a way that we can already access it. I previously outlined this on the upstream mailing list:

https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html

Repurposing this bug to track that work.

Comment 20 Cole Robinson 2016-04-14 20:09:13 UTC
*** Bug 842831 has been marked as a duplicate of this bug. ***

Comment 21 Kapoios Kanenas 2016-04-17 14:37:26 UTC
Description of problem:
Just inserted a CD ROM.

Version-Release number of selected component:
selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-301.fc23.x86_64
type:           libreport

Comment 22 Ankur Sinha (FranciscoD) 2019-11-21 22:14:23 UTC
Is this fixed now? Can I close it?

Comment 23 Cole Robinson 2019-11-22 00:55:36 UTC
Yes, I think it's as fixed as it is going to get. It has limitations in that it only restores labels/uid for read/write disk images, but I don't think libvirt will ever be providing more than that. This is the setting specified by remember_owner in /etc/libvirtd/qemu.conf; it is on by default.