Bug 1024469 - Badly formatted selinux policy file causes libvirtd to segfault
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libvirt
Version: rawhide
Assigned To: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-29 13:41 EDT by Daniel Walsh
Modified: 2013-12-04 11:30 EST (History)
Last Closed: 2013-12-04 11:30:22 EST
Description Daniel Walsh 2013-10-29 13:41:13 EDT
Basically if I add 

/etc/selinux/targeted/contexts/lxc_contexts
lxc=system_u:system_r:svirt_lxc_net_t:s0
qemu=system_u:system_r:svirt_qemu_net_t:s0
kvm=system_u:system_r:svirt_qemu_net_t:s0
process=system_u:system_r:svirt_lxc_net_t:s0
file=system_u:object_r:svirt_sandbox_file_t:s0
content=system_u:object_r:virt_var_lib_t:s0

libvirt crashes.

Adding in '"' fixes the problem.

 cat /etc/selinux/targeted/contexts/lxc_contexts
lxc=system_u:system_r:svirt_lxc_net_t:s0
qemu="system_u:system_r:svirt_qemu_net_t:s0"
kvm="system_u:system_r:svirt_qemu_net_t:s0"
process="system_u:system_r:svirt_lxc_net_t:s0"
file="system_u:object_r:svirt_sandbox_file_t:s0"
content="system_u:object_r:virt_var_lib_t:s0"

Debugging looks like libvirtd was reporting that it could not open the file without the "s
Comment 1 Daniel Walsh 2013-10-29 13:42:47 EDT
2013-10-29 17:41:27.564+0000: 3490: info : lxcSecurityInit:1342 : lxcSecurityInit (null)
2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityDriverLookup:58 : name=(null)
2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityDriverLookup:69 : Probed name=selinux
2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityManagerNewDriver:81 : drv=0x7fdcdfadfa80 (selinux) virtDriver=LXC allowDiskFormatProbing=0 defaultConfined=0 requireConfined=0
2013-10-29 17:41:27.564+0000: 3490: debug : virObjectNew:199 : OBJECT_NEW: obj=0x7fdcc01972a0 classname=virSecurityManagerClass
2013-10-29 17:41:27.564+0000: 3490: debug : virSecuritySELinuxInitialize:563 : SELinuxInitialize LXC
2013-10-29 17:41:27.565+0000: 3490: debug : virConfReadFile:748 : filename=/etc/selinux/targeted/contexts/lxc_contexts
2013-10-29 17:41:27.565+0000: 3490: debug : virFileClose:90 : Closed fd 20
2013-10-29 17:41:27.565+0000: 3490: error : virConfParseValue:524 : configuration file syntax error: /etc/selinux/targeted/contexts/lxc_contexts:1: expecting a value
2013-10-29 17:41:27.565+0000: 3490: error : virSecuritySELinuxLXCInitialize:421 : cannot open SELinux lxc contexts file '/etc/selinux/targeted/contexts/lxc_contexts': No such file or directory
2013-10-29 17:41:27.566+0000: 3490: debug : virObjectUnref:256 : OBJECT_UNREF: obj=0x7fdcc01972a0
2013-10-29 17:41:27.566+0000: 3490: debug : virObjectUnref:258 : OBJECT_DISPOSE: obj=0x7fdcc01972a0


     ====== end of log =====

Aborted (core dumped)
Comment 2 Daniel Walsh 2013-10-29 13:43:09 EDT
#0  0x00007f68e67f2199 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f68e67f38a8 in __GI_abort () at abort.c:89
#2  0x00007f68e6833d84 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f68e693f2f8 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f68e683b794 in malloc_printerr (ptr=<optimized out>, str=0x7f68e693b492 "free(): invalid pointer", action=3) at malloc.c:4956
#4  _int_free (av=0x7f68e6b7c760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3788
#5  0x00007f68e71b20c7 in selabel_close () from /lib64/libselinux.so.1
#6  0x00007f68e9eb4967 in virSecuritySELinuxSecurityDriverClose (mgr=<optimized out>) at security/security_selinux.c:811
#7  0x00007f68e9eb1263 in virSecurityManagerDispose (obj=0x7f68c8197460) at security/security_manager.c:236
#8  0x00007f68e9d1dbeb in virObjectUnref (anyobj=anyobj@entry=0x7f68c8197460) at util/virobject.c:262
#9  0x00007f68e9eb13df in virSecurityManagerNewDriver (drv=0x7f68ea1aba80 <virSecurityDriverSELinux>, 
    virtDriver=virtDriver@entry=0x7f68d1092871 "LXC", allowDiskFormatProbing=<optimized out>, defaultConfined=<optimized out>, 
    requireConfined=<optimized out>) at security/security_manager.c:99
#10 0x00007f68e9eb15a5 in virSecurityManagerNew (name=<optimized out>, virtDriver=virtDriver@entry=0x7f68d1092871 "LXC", 
    allowDiskFormatProbing=allowDiskFormatProbing@entry=false, defaultConfined=<optimized out>, requireConfined=<optimized out>)
    at security/security_manager.c:186
#11 0x00007f68d108092c in lxcSecurityInit (cfg=0x7f68c8196320) at lxc/lxc_driver.c:1343
#12 lxcStateInitialize (privileged=<optimized out>, callback=<optimized out>, opaque=<optimized out>) at lxc/lxc_driver.c:1417
#13 0x00007f68e9daf0ba in virStateInitialize (privileged=true, callback=callback@entry=0x7f68ea7ed300 <daemonInhibitCallback>, 
    opaque=opaque@entry=0x7f68eada0540) at libvirt.c:834
#14 0x00007f68ea7ed35b in daemonRunStateInit (opaque=opaque@entry=0x7f68eada0540) at libvirtd.c:906
#15 0x00007f68e9d2e58e in virThreadHelper (data=<optimized out>) at util/virthreadpthread.c:161
#16 0x00007f68e6f920f3 in start_thread (arg=0x7f68cfa28700) at pthread_create.c:309
#17 0x00007f68e68b625d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Comment 3 Daniel Walsh 2013-10-29 13:44:16 EDT
libvirt-daemon-1.1.3-2.fc21.x86_64
Comment 4 Daniel Berrange 2013-10-29 13:56:28 EDT
Libvirt obviously shouldn't crash, it should exit with a clear error message. At the same time though, SELinux policy must *not* change the config file format in this way. It has historically always used "..." in this file and must continue to do so. We don't support loading data without the "..." quotes.
Comment 5 Daniel Walsh 2013-10-29 14:14:21 EDT
Right, we are shipping with quotes. I had just hand-edited the file and left the quotes out.
Comment 6 Daniel Berrange 2013-12-04 11:30:22 EST
The crash was fixed upstream with this change, so it is in the 1.2.0 release now in rawhide

commit f1bdcb2be92b5545d5c33485431d7129a8098cd9
Author: Ján Tomko <jtomko@redhat.com>
Date:   Tue Oct 1 13:15:12 2013 +0200

    selinux: Only close the selabel_handle once
    
    On selinux driver initialization failure (missing/incorrectly
    formatted contexts file), selabel_handle was closed twice.
    
    Introduced by 6159710.
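
Added illustration, not libvirt's code and not part of the bug report: a minimal C model of the failure the commit message describes, where the init error path closes a handle and the caller's teardown then closes it again. All names are hypothetical; the handle is a counting stand-in for selabel_handle, the quoted-value check simplifies the config parser, and clearing the pointer is one way to get a single close, not necessarily what the upstream patch does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the label handle: it counts close calls
 * instead of freeing memory, so a second close is observable, not UB. */
struct handle { int close_calls; };
static struct handle pool;

static struct handle *handle_open(void) { pool.close_calls = 0; return &pool; }
static void handle_close(struct handle *h) { if (h) h->close_calls++; }

struct driver { struct handle *h; };

/* The contexts file value must be a double-quoted string (comment 4). */
static int value_is_quoted(const char *line) {
    const char *eq = strchr(line, '=');
    size_t n = eq ? strlen(eq + 1) : 0;
    return n >= 2 && eq[1] == '"' && eq[n] == '"';
}

/* Init error path closes the handle; `clear` selects whether it also
 * drops the stale pointer (1) or leaves it behind (0, the flawed form). */
static int driver_init(struct driver *d, const char *line, int clear) {
    d->h = handle_open();
    if (value_is_quoted(line))
        return 0;
    handle_close(d->h);
    if (clear) d->h = NULL;
    return -1;
}

/* Generic teardown that the caller runs after a failed init as well. */
static void driver_dispose(struct driver *d) { handle_close(d->h); d->h = NULL; }

/* Number of close calls seen for one init + dispose cycle. */
static int closes_for(const char *line, int clear) {
    struct driver d = { NULL };
    (void)driver_init(&d, line, clear);
    driver_dispose(&d);
    return pool.close_calls;
}

int main(void) {
    const char *bad = "lxc=system_u:system_r:svirt_lxc_net_t:s0"; /* unquoted, as in the report */
    printf("flawed: %d, cleared: %d\n", closes_for(bad, 0), closes_for(bad, 1));
    return 0;
}
```

With a real allocator the second close is the `free(): invalid pointer` abort in the backtrace; the model only counts it.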
