Bug 1024075 - SELinux prevents virt-* tools from running when sssd is being used
Summary: SELinux prevents virt-* tools from running when sssd is being used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:338e5cceb5235af1128299ac4f2...
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs
 
Reported: 2013-10-28 18:21 UTC by Jeff Bastian
Modified: 2013-12-06 20:24 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-06 20:24:04 UTC
Type: ---



Description Jeff Bastian 2013-10-28 18:21:43 UTC
Description of problem:
I used the new virt-builder command to quickly create a virtual machine image:

~]$ virt-builder fedora-19 --size 5G
[   1.0] Downloading: http://libguestfs.org/download/builder/fedora-19.xz
[   2.0] Creating disk image: fedora-19.img
[   3.0] Uncompressing: http://libguestfs.org/download/builder/fedora-19.xz
...
SELinux is preventing /usr/bin/bash from 'read' accesses on the file /var/lib/sss/mc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-kvm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:svirt_t:s0:c260,c372
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.45-4.fc20.x86_64
Target RPM Packages           sssd-common-1.11.1-5.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.6-300.fc20.x86_64 #1 SMP Fri
                              Oct 18 22:31:53 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-10-28 13:12:08 CDT
Last Seen                     2013-10-28 13:12:08 CDT
Local ID                      7cf3bd7a-032d-48c8-b47c-7808cf12be8c

Raw Audit Messages
type=AVC msg=audit(1382983928.548:3314): avc:  denied  { read } for  pid=16410 comm="qemu-kvm" name="passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c260,c372 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file


type=SYSCALL msg=audit(1382983928.548:3314): arch=x86_64 syscall=open success=no exit=EACCES a0=1d0b110 a1=80000 a2=7fff2d5ed574 a3=7fff2d5ed300 items=0 ppid=1 pid=16410 auid=12257 uid=12257 gid=12257 euid=12257 suid=12257 fsuid=12257 egid=12257 sgid=12257 fsgid=12257 ses=2 tty=(none) comm=qemu-kvm exe=/usr/bin/bash subj=unconfined_u:system_r:svirt_t:s0:c260,c372 key=(null)

Hash: qemu-kvm,svirt_t,sssd_public_t,file,read

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.6-300.fc20.x86_64
type:           libreport

Comment 1 Richard W.M. Jones 2013-10-28 20:27:13 UTC
On my machine:

$ getenforce 
Enforcing

and virt-builder works.  However I don't use sssd, I don't think
(not even sure what it is).

I'm a bit confused why virt-builder (or bash?) needs access
to the password file.

By the way, the raw audit log indicates the problem is with
qemu-kvm, not bash.  Does the following command also have the
same SELinux AVC:

  libguestfs-test-tool

Comment 2 Jeff Bastian 2013-10-28 21:05:40 UTC
sssd is an authentication daemon that can talk to LDAP, Kerberos, Active Directory, etc. and it provides nice features like credential caching so you can login to your system with your LDAP/Kerberos credentials even when the laptop is not connected to the corporate network.  So anything auth related will go through sssd on a system that uses it, e.g., login, screen savers and lockers, sudo, polkit, etc.

Indeed, libguestfs-test-tool gets the same AVC, although the command appears to finish running successfully:

~]$ date
Mon Oct 28 15:54:20 CDT 2013

~]$ libguestfs-test-tool
...
libguestfs: command: run: rm
libguestfs: command: run: \ -rf /tmp/libguestfsxfky0R
===== TEST FINISHED OK =====

~]$ sudo ausearch -ts recent -m avc
----
time->Mon Oct 28 15:54:30 2013
type=SYSCALL msg=audit(1382993670.394:4813): arch=c000003e syscall=2 success=no exit=-13 a0=1d64110 a1=80000 a2=7ffffed9e544 a3=7ffffed9e2d0 items=0 ppid=1 pid=31535 auid=12257 uid=12257 gid=12257 euid=12257 suid=12257 fsuid=12257 egid=12257 sgid=12257 fsgid=12257 ses=2 tty=(none) comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:system_r:svirt_t:s0:c354,c928 key=(null)
type=AVC msg=audit(1382993670.394:4813): avc:  denied  { read } for  pid=31535 comm="qemu-kvm" name="passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c354,c928 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file

Comment 3 Daniel Walsh 2013-10-28 21:13:02 UTC
We can probably add a dontaudit rule, since we don't want svirt_t to be able to dump the password database.

Comment 4 Jeff Bastian 2013-10-28 21:13:51 UTC
I ran in Permissive mode to see if anything else might be blocked and it appears it's just the usual suspects for reading a file: getattr, open and read.

~]$ sudo setenforce 0
~]$ libguestfs-test-tool
...
~]$ sudo ausearch -ts recent -m avc
----
time->Mon Oct 28 16:08:52 2013
type=SYSCALL msg=audit(1382994532.937:4960): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff3e819be0 a2=7fff3e819be0 a3=7fff3e819990 items=0 ppid=1 pid=566 auid=12257 uid=12257 gid=12257 euid=12257 suid=12257 fsuid=12257 egid=12257 sgid=12257 fsgid=12257 ses=2 tty=(none) comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:system_r:svirt_t:s0:c505,c631 key=(null)
type=AVC msg=audit(1382994532.937:4960): avc:  denied  { getattr } for  pid=566 comm="qemu-kvm" path="/var/lib/sss/mc/passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
----
time->Mon Oct 28 16:08:52 2013
type=SYSCALL msg=audit(1382994532.937:4959): arch=c000003e syscall=2 success=yes exit=3 a0=10a3110 a1=80000 a2=7fff3e819bd4 a3=7fff3e819960 items=0 ppid=1 pid=566 auid=12257 uid=12257 gid=12257 euid=12257 suid=12257 fsuid=12257 egid=12257 sgid=12257 fsgid=12257 ses=2 tty=(none) comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:system_r:svirt_t:s0:c505,c631 key=(null)
type=AVC msg=audit(1382994532.937:4959): avc:  denied  { open } for  pid=566 comm="qemu-kvm" path="/var/lib/sss/mc/passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1382994532.937:4959): avc:  denied  { read } for  pid=566 comm="qemu-kvm" name="passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file


And audit2allow confirms it:

~]$ cd /tmp
tmp]$ sudo audit2allow -b -M libguestfs
tmp]$ cat libguestfs.te

module libguestfs 1.0;

require {
        type svirt_t;
        type sssd_public_t;
        class file { read getattr open };
}

#============= svirt_t ==============
allow svirt_t sssd_public_t:file { read getattr open };

Or, using the reference policy:

tmp]$ sudo audit2allow -b -R -M libguestfs
tmp]$ cat libguestfs.te

policy_module(libguestfs, 1.0)

require {
        type svirt_t;
}

#============= svirt_t ==============
auth_use_nsswitch(svirt_t)
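
As an added illustration of the audit2allow step above (example code, not part of this bug thread and not audit2allow's own code): a small parser that reads the AVC records from Comment 4, merges the denied permissions per source type, target type and object class, and renders either the allow rule audit2allow produced or the dontaudit form Daniel Walsh proposes in Comment 3, which keeps the denial but stops it being logged.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records captured in Permissive mode in Comment 4.
SAMPLE_AVCS = """\
type=AVC msg=audit(1382994532.937:4960): avc:  denied  { getattr } for  pid=566 comm="qemu-kvm" path="/var/lib/sss/mc/passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1382994532.937:4959): avc:  denied  { open } for  pid=566 comm="qemu-kvm" path="/var/lib/sss/mc/passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
type=AVC msg=audit(1382994532.937:4959): avc:  denied  { read } for  pid=566 comm="qemu-kvm" name="passwd" dev="dm-2" ino=6031555 scontext=unconfined_u:system_r:svirt_t:s0:c505,c631 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
"""

# Matches the verdict, the permission set in braces, and the three fields a rule needs.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type component (user:role:type:level) of a security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, set_of_perms) for every denied AVC."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        yield (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))


def aggregate(text):
    """Merge permissions per (source, target, class), as audit2allow does when it
    turns several AVCs against the same object into one rule."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return {key: sorted(perms) for key, perms in merged.items()}


def to_rules(text, kind="allow"):
    """Render policy rules. kind='allow' grants the access (what audit2allow -M emits);
    kind='dontaudit' leaves the access denied but suppresses the AVC message."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    return [f"{kind} {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(aggregate(text).items())]


if __name__ == "__main__":
    print("\n".join(to_rules(SAMPLE_AVCS)))
    print("\n".join(to_rules(SAMPLE_AVCS, "dontaudit")))
```

With a dontaudit rule in place the open() in the sssd NSS module still fails with EACCES, so the only visible change is that ausearch no longer reports the event.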

Comment 5 Daniel Walsh 2013-10-28 21:16:37 UTC
We currently block write, so I guess we should block read also.

481529a433ae112e044cd8db93b4d2b240e62366 fixes this in git.

Comment 6 Daniel Walsh 2013-10-28 21:19:02 UTC
bc266def17512628a346c9dc12c125456c1deeec also needed.

Comment 7 Richard W.M. Jones 2013-10-28 22:09:42 UTC
I'll just say that libguestfs calls getgrnam ("qemu") in order
to find out what group to chown a file to:

https://github.com/libguestfs/libguestfs/blob/276cde033c454e084e38c36af693c3fcad86281f/src/launch-libvirt.c#L369

I don't understand the AVC at all however:

comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:system_r:svirt_t[...]

The process is qemu-kvm running in svirt_t.  That part makes sense.
So why is exe bash?

Comment 8 Jeff Bastian 2013-10-31 19:51:09 UTC
(In reply to Richard W.M. Jones from comment #1)
> I'm a bit confused why virt-builder (or bash?) needs access
> to the password file.


I used SystemTap to print a backtrace on every audit event:
https://sourceware.org/systemtap/examples/process/auditbt.stp

And this is what I see when I run libguestfs-test-tool (in another shell):

$ sudo stap auditbt.stp -d /usr/lib64/libc-2.18.so \
         -d /usr/lib64/libaudit.so.1.0.0 -d /usr/lib64/libpam.so.0.83.1 \
         -d /usr/lib64/libnss_sss.so.2 -d /usr/lib64/security/pam_loginuid.so \
         -d /usr/bin/bash -d /usr/bin/libguestfs-test-tool 
qemu-kvm[18111] audit(1383248797.470:1271): avc:  denied  { read } for  pid=18111 comm="qemu-kvm" name="passwd" dev="dm-2" ino=6031690 scontext=unconfined_u:system_r:svirt_t:s0:c111,c455 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
 0x7f2790506640 : __open_nocancel+0x7/0x57 [/usr/lib64/libc-2.18.so]
 0x7f279000f3f2 : sss_open_cloexec+0x32/0x60 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f01c : sss_nss_mc_get_ctx+0xdc/0x2a0 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f859 : sss_nss_mc_getpwuid+0x49/0x160 [/usr/lib64/libnss_sss.so.2]
 0x7f279000d226 : _nss_sss_getpwuid_r+0x66/0x180 [/usr/lib64/libnss_sss.so.2]
 0x7f27904dbe0c : getpwuid_r@@GLIBC_2.2.5+0xdc/0x280 [/usr/lib64/libc-2.18.so]
 0x7f27904db6a6 : getpwuid+0x76/0x13e [/usr/lib64/libc-2.18.so]
 0x41db71 : get_current_user_info+0x21/0x160 [/usr/bin/bash]
 0x43a5c5 : initialize_shell_variables+0xb55/0xbb0 [/usr/bin/bash]
 0x41dd37 : shell_initialize+0x87/0x1a0 [/usr/bin/bash]
 0x41c433 : main+0x7f3/0x16d4 [/usr/bin/bash]
 0x7f2790441d65 : __libc_start_main+0xf5/0x1c0 [/usr/lib64/libc-2.18.so]
 0x41d33d : _start+0x29/0x2c [/usr/bin/bash]
qemu-kvm[18111] audit(1383248797.470:1271): arch=c000003e syscall=2 success=no exit=-13 a0=cc7110 a1=80000 a2=7fffd98f86b4 a3=7fffd98f8440 items=0 ppid=1 pid=18111 auid=12257 uid=12257 gid=12257 euid=12257 suid=12257 fsuid=12257 egid=12257 sgid=12257 fsgid=12257 ses=1 tty=(none) comm="qemu-kvm" exe="/usr/bin/bash" subj=unconfined_u:system_r:svirt_t:s0:c111,c455 key=(null)
 0x7f2790506640 : __open_nocancel+0x7/0x57 [/usr/lib64/libc-2.18.so]
 0x7f279000f3f2 : sss_open_cloexec+0x32/0x60 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f01c : sss_nss_mc_get_ctx+0xdc/0x2a0 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f859 : sss_nss_mc_getpwuid+0x49/0x160 [/usr/lib64/libnss_sss.so.2]
 0x7f279000d226 : _nss_sss_getpwuid_r+0x66/0x180 [/usr/lib64/libnss_sss.so.2]
 0x7f27904dbe0c : getpwuid_r@@GLIBC_2.2.5+0xdc/0x280 [/usr/lib64/libc-2.18.so]
 0x7f27904db6a6 : getpwuid+0x76/0x13e [/usr/lib64/libc-2.18.so]
 0x41db71 : get_current_user_info+0x21/0x160 [/usr/bin/bash]
 0x43a5c5 : initialize_shell_variables+0xb55/0xbb0 [/usr/bin/bash]
 0x41dd37 : shell_initialize+0x87/0x1a0 [/usr/bin/bash]
 0x41c433 : main+0x7f3/0x16d4 [/usr/bin/bash]
 0x7f2790441d65 : __libc_start_main+0xf5/0x1c0 [/usr/lib64/libc-2.18.so]
 0x41d33d : _start+0x29/0x2c [/usr/bin/bash]
qemu-kvm[18111] audit(1383248797.470:1271): 
 0x7f2790506640 : __open_nocancel+0x7/0x57 [/usr/lib64/libc-2.18.so]
 0x7f279000f3f2 : sss_open_cloexec+0x32/0x60 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f01c : sss_nss_mc_get_ctx+0xdc/0x2a0 [/usr/lib64/libnss_sss.so.2]
 0x7f279000f859 : sss_nss_mc_getpwuid+0x49/0x160 [/usr/lib64/libnss_sss.so.2]
 0x7f279000d226 : _nss_sss_getpwuid_r+0x66/0x180 [/usr/lib64/libnss_sss.so.2]
 0x7f27904dbe0c : getpwuid_r@@GLIBC_2.2.5+0xdc/0x280 [/usr/lib64/libc-2.18.so]
 0x7f27904db6a6 : getpwuid+0x76/0x13e [/usr/lib64/libc-2.18.so]
 0x41db71 : get_current_user_info+0x21/0x160 [/usr/bin/bash]
 0x43a5c5 : initialize_shell_variables+0xb55/0xbb0 [/usr/bin/bash]
 0x41dd37 : shell_initialize+0x87/0x1a0 [/usr/bin/bash]
 0x41c433 : main+0x7f3/0x16d4 [/usr/bin/bash]
 0x7f2790441d65 : __libc_start_main+0xf5/0x1c0 [/usr/lib64/libc-2.18.so]
 0x41d33d : _start+0x29/0x2c [/usr/bin/bash]

Comment 9 Mateusz Marzantowicz 2013-11-12 11:38:06 UTC
This bug also occurs when running virt-ls command but it doesn't show up when doing virt-cat.

I confirm that I use sssd (as part of FreeIPA client installation) on that machine.

Below is more info about this problem:

Additional Information:
Source Context                unconfined_u:system_r:svirt_t:s0:c542,c910
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/bash
Port                          <Nieznane>
Host                          hive.local
Source RPM Packages           bash-4.2.45-4.fc20.x86_64
Target RPM Packages           sssd-common-1.11.2-1.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hive.local
Platform                      Linux hive.local 3.11.7-300.fc20.x86_64 #1
                              SMP Mon Nov 4 15:07:39 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-12 11:38:48 CET
Last Seen                     2013-11-12 11:38:48 CET
Local ID                      330270f8-c017-411c-882e-46bcbcc8819d

Raw Audit Messages
type=AVC msg=audit(1384252728.489:722): avc:  denied  { read } for  pid=518 comm="qemu-kvm" name="passwd" dev="dm-4" ino=1180023 scontext=unconfined_u:system_r:svirt_t:s0:c542,c910 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file


type=SYSCALL msg=audit(1384252728.489:722): arch=x86_64 syscall=open success=no exit=EACCES a0=b62160 a1=80000 a2=7fff36947df4 a3=7fff36947b80 items=0 ppid=1 pid=518 auid=1593800001 uid=1593800001 gid=1593800001 euid=1593800001 suid=1593800001 fsuid=1593800001 egid=1593800001 sgid=1593800001 fsgid=1593800001 ses=15 tty=(none) comm=qemu-kvm exe=/usr/bin/bash subj=unconfined_u:system_r:svirt_t:s0:c542,c910 key=(null)

Hash: qemu-kvm,svirt_t,sssd_public_t,file,read

Comment 10 Mateusz Marzantowicz 2013-11-12 11:45:36 UTC
It also occurs with virt-cat. I apologize for the invalid info in the previous post.

Comment 11 Richard W.M. Jones 2013-11-12 12:32:31 UTC
(In reply to Daniel Walsh from comment #5)
> We currently block write, so I guess we should block read also.
> 
> 481529a433ae112e044cd8db93b4d2b240e62366 fixes this in git.

Which git repo does this refer to?  I can't understand the
selinux-policy spec file at all.  Is there no upstream source?

Comment 12 Jeff Bastian 2013-11-12 14:26:28 UTC
(In reply to Richard W.M. Jones from comment #11)
> Which git repo does this refer to?  I can't understand the
> selinux-policy spec file at all.  Is there no upstream source?


https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?id=481529a433ae112e044cd8db93b4d2b240e62366

Comment 13 Richard W.M. Jones 2013-11-12 15:32:28 UTC
(In reply to Mateusz Marzantowicz from comment #10)
> It also occurs with virt-cat. I apologize for invalid info on previous post.

Based on my reading of the source in Fedora & Jeff's
comment 12, I believe this issue should be fixed now.
However you will need to ensure you have
selinux-policy >= 3.12.1-100.fc20

If this issue happens and you have selinux-policy greater
than or equal to that version installed, then let us know
on this bug report.

Comment 14 Mateusz Marzantowicz 2013-11-12 16:27:39 UTC
$ rpm -qa selinux-policy*
selinux-policy-targeted-3.12.1-100.fc20.noarch
selinux-policy-3.12.1-100.fc20.noarch

File system was relabeled.

The bug still exists (virt-ls and virt-cat).

Additional Information:
Source Context                unconfined_u:system_r:svirt_t:s0:c234,c620
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        qemu-kvm
Source Path                   /usr/bin/bash
Port                          <Nieznane>
Host                          hive.local
Source RPM Packages           bash-4.2.45-4.fc20.x86_64
Target RPM Packages           sssd-common-1.11.2-1.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-100.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hive.local
Platform                      Linux hive.local 3.11.7-300.fc20.x86_64 #1
                              SMP Mon Nov 4 15:07:39 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-11-12 17:21:11 CET
Last Seen                     2013-11-12 17:21:11 CET
Local ID                      6c5fc00c-d36a-4056-a497-cd94533a1e72

Raw Audit Messages
type=AVC msg=audit(1384273271.853:132): avc:  denied  { read } for  pid=2888 comm="qemu-kvm" name="passwd" dev="dm-4" ino=1180023 scontext=unconfined_u:system_r:svirt_t:s0:c234,c620 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file


type=SYSCALL msg=audit(1384273271.853:132): arch=x86_64 syscall=open success=no exit=EACCES a0=15f6160 a1=80000 a2=7fff83122904 a3=7fff83122690 items=0 ppid=1 pid=2888 auid=1593800001 uid=1593800001 gid=1593800001 euid=1593800001 suid=1593800001 fsuid=1593800001 egid=1593800001 sgid=1593800001 fsgid=1593800001 ses=1 tty=(none) comm=qemu-kvm exe=/usr/bin/bash subj=unconfined_u:system_r:svirt_t:s0:c234,c620 key=(null)

Hash: qemu-kvm,svirt_t,sssd_public_t,file,read

Comment 15 Mateusz Marzantowicz 2013-11-12 16:32:29 UTC
BTW, I can run virt-* commands successfully. An SELinux alert pops up, but I get the requested result from those commands (it's just in reference to the bug's title).

Comment 16 Richard W.M. Jones 2013-11-12 17:49:41 UTC
(In reply to Mateusz Marzantowicz from comment #15)
> BTW, I can run virt-* commands successfully. An SELinux alert pops up, but I
> get the requested result from those commands (it's just in reference to the bug's
> title).

TBH I'm not sure if this is correct behaviour or not.  I suspect
not because AIUI the purpose of the dontaudit rule is that SELinux
ignores (but fails) the access.  Dan/Jeff care to comment on this?

Comment 17 Daniel Walsh 2013-11-12 18:46:32 UTC
df08dde51666efaf40adc05bf540e2369540e297 adds a dontaudit for this in git.
