Red Hat Bugzilla – Bug 1160183
Virt-sysprep firstboot service should have its SELinux policy
Last modified: 2018-04-10 08:23:31 EDT
Hello,

I use virt-builder (http://libguestfs.org/virt-builder.1.html) which allows to execute firstboot scripts which are defined in the following systemd unit:

[root@seven ~]# cat /usr/lib/virt-sysprep/firstboot.service
[Unit]
Description=virt-sysprep firstboot service
After=network.target
Before=prefdm.service

[Service]
Type=oneshot
ExecStart=/usr/lib/virt-sysprep/firstboot.sh start
RemainAfterExit=yes
StandardOutput=journal+console
StandardError=inherit

[Install]
WantedBy=default.target

Which calls a sysv-compatible shell script:

[root@seven ~]# cat /usr/lib/virt-sysprep/firstboot.sh
#!/bin/sh -
### BEGIN INIT INFO
# Provides:          virt-sysprep
# Required-Start:    $null
# Should-Start:      $all
# Required-Stop:     $null
# Should-Stop:       $all
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Short-Description: Start scripts to run once at next boot
# Description:       Start scripts to run once at next boot
#  These scripts run the first time the guest boots,
#  and then are deleted. Output or errors from the scripts
#  are written to ~root/virt-sysprep-firstboot.log.
### END INIT INFO

d=/usr/lib/virt-sysprep/scripts
logfile=~root/virt-sysprep-firstboot.log

echo "$0" "$@" 2>&1 | tee $logfile
echo "Scripts dir: $d" 2>&1 | tee $logfile

if test "$1" = "start"
then
  for f in $d/* ; do
    if test -x "$f"
    then
      echo '=== Running' $f '===' 2>&1 | tee $logfile
      $f 2>&1 | tee $logfile
      rm -f $f
    fi
  done
fi

And it has the following file contexts:

[root@seven ~]# ll -Z /usr/lib/virt-sysprep/
-rw-r--r--. root root system_u:object_r:file_t:s0 firstboot.service
-rwxr-xr-x. root root system_u:object_r:file_t:s0 firstboot.sh
drwxr-xr-x. root root system_u:object_r:file_t:s0 scripts

Now, when I try to drop a temporary file and load it up with virsh, it does not work:

cat >/tmp/nested.xml <<'EON'
<network>
  <name>nested</name>
  <uuid>71e5409e-59d0-11e4-8c48-3ca9f45639f8</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:C4:9E:13:05'/>
  <ip address='192.168.222.1' netmask='255.255.255.0'>
  </ip>
</network>
EON
virsh net-define /tmp/nested.xml

The temporary file gets created with the initrc_tmp_t domain and virsh then does a transition to virsh_t, which is not allowed to read that. Unfortunately virsh does not allow reading from STDIN. I am not really sure if this is an SELinux bug, but allowing reading of initrc_tmp_t should not hurt. The question is - shouldn't all domains be allowed to do the same?
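The failure described in the comment above leaves an AVC denial in the audit log, and the quickest way to confirm the diagnosis (virsh_t denied read on a file labelled initrc_tmp_t) is to pull the source type, target type and object class out of that record rather than guessing. The following is an added example, not code from the bug report or from libguestfs: it parses constructed audit lines in the standard auditd AVC format and flags the pattern this bug is about, a domain being denied a file whose type is another domain's temp type. The assumption that a type named <domain>_tmp_t was created by <domain>_t follows the policy's naming convention and is a heuristic, not something the policy guarantees.

```python
import re

# Constructed sample audit records (not taken from the bug report). The first
# is the denial one should find in /var/log/audit/audit.log for the failing
# `virsh net-define /tmp/nested.xml`; the second is unrelated noise.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1414503645.310:212): avc:  denied  { read } for  pid=1534 comm="virsh" path="/tmp/nested.xml" dev="vda1" ino=1830 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1414503646.020:213): avc:  denied  { name_connect } for  pid=1601 comm="curl" dest=8080 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    # A context is user:role:type[:range]; allow rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def diagnose_tmp_mismatch(rec):
    """Spot the pattern from this bug: a domain is denied reading a file whose
    type is some other domain's *_tmp_t. Returns an explanation, or None."""
    if rec is None or rec.get("tclass") != "file" or "read" not in rec["perms"]:
        return None
    if not rec["ttype"].endswith("_tmp_t"):
        return None
    # Heuristic (naming convention, not a policy guarantee): the policy names a
    # domain's temp-file type <domain>_tmp_t, so initrc_tmp_t was created by a
    # process running as initrc_t.
    creator = rec["ttype"][: -len("_tmp_t")] + "_t"
    if creator == rec["stype"]:
        return None  # a domain reading its own temp files is a different problem
    return (f"{rec['comm']} ({rec['stype']}) cannot read {rec.get('path', '?')}: "
            f"the file was created by a {creator} process and inherited "
            f"{rec['ttype']}, which {rec['stype']} may not read. The creating "
            f"script needs a proper type of its own (a file_contexts entry, then "
            f"restorecon) so that its temp files no longer land in {rec['ttype']}.")


def triage(audit_text):
    """Run the check over every line of an audit log excerpt."""
    findings = []
    for line in audit_text.splitlines():
        msg = diagnose_tmp_mismatch(parse_avc(line))
        if msg:
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```

Feed it `ausearch -m avc -ts recent` output; the unquoted/quoted field handling matches what auditd writes, and the name_connect record shows that only file-read denials with a foreign temp type are reported.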
Added CCs.
I really need Dan or Miroslav to chime in here, but AIUI the label on the script (system_u:object_r:file_t:s0 / firstboot.sh) doesn't affect the label of the process when it is running. So I don't know what label the process has when it's running, but surely it must be a bug that the process isn't permitted to create a new file in /tmp and then invoke virsh to read that file.
First,

/usr/lib/virt-sysprep/

files have bad labeling. There should not be "file_t". restorecon is needed here. How are these files placed?

Then we would need to label

/usr/lib/virt-sysprep/firstboot.sh

which is called from the unit file by a proper type to avoid initrc_tmp_t.
(In reply to Miroslav Grepl from comment #4)
> First,
>
> /usr/lib/virt-sysprep/
>
> files have bad labeling. There should not be "file_t". restorecon is needed
> here. How are these files placed?

They are placed in there by libguestfs so we could give them a label or run restorecon, but at the moment we don't. Since they are not mentioned in the policy, I assume this would require some kind of change in selinux-policy.

BTW I'm not completely happy with putting these files under /usr. I think /var would be a better choice.

> Then we would need to label
>
> /usr/lib/virt-sysprep/firstboot.sh
>
> which is called from the unit file by a proper type to avoid initrc_tmp_t.
Lukas, did we get it working?
We did not. We need guidance on what file label to set, I think.
Did we try to test it with virtd_exec_t?

chcon -t virtd_exec_t /usr/lib/virt-sysprep/firstboot.sh
Mirek, the problem is that the file(s) are created by virt-builder, outside of the system environment (on the image). We need some policy for the virt-sysprep firstboot service to be available in RHEL, I guess. A good start would be a file transition /tmp -> tmp_t, I think.
It looks like we will need to add SELinux support to virt-builder.
(In reply to Miroslav Grepl from comment #10)
> It looks like we will need to add SELinux support to virt-builder.

virt-builder (and virt-sysprep) already have SELinux support. If the restorecon database knows about the files added by the firstboot code then they will be labelled properly.
So we just need to add a default labeling for /usr/lib/virt-sysprep/firstboot.sh
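The two comments above (restorecon is needed, and a default labeling entry has to exist for it to do anything useful) can be checked without touching a live system by replaying matchpathcon/restorecon semantics over a file_contexts fragment. The following is an added example, not code from libguestfs or selinux-policy: it parses a constructed file_contexts fragment and reports, like `restorecon -nv`, which of the paths from the `ll -Z` output would be relabelled and to what. The `/usr/lib/virt-sysprep/firstboot\.sh` entry is hypothetical (the bug asks for such an entry; the type virtd_exec_t is the one proposed for testing above, not the final one), and the "current labels" table is constructed from the listing in the first comment plus one correctly labelled control file.

```python
import re

# Constructed file_contexts fragment (not the distribution's file). The first
# two entries reproduce the stock defaults for /usr/lib and systemd unit files;
# the third is the hypothetical entry this bug asks for, using virtd_exec_t
# because that is the type proposed above for testing. "--" restricts an
# entry to regular files, as in file_contexts(5).
FILE_CONTEXTS = r"""
/usr/lib(/.*)?                              system_u:object_r:lib_t:s0
/usr/lib/systemd/system(/.*)?               system_u:object_r:systemd_unit_file_t:s0
/usr/lib/virt-sysprep/firstboot\.sh   --    system_u:object_r:virtd_exec_t:s0
"""

# Constructed current state: the three file_t entries are the `ll -Z` output
# from the bug report; libvirtd.service is a correctly labelled control.
# Values are (file type: f regular file, d directory; current context).
CURRENT_LABELS = {
    "/usr/lib/virt-sysprep/firstboot.service": ("f", "system_u:object_r:file_t:s0"),
    "/usr/lib/virt-sysprep/firstboot.sh": ("f", "system_u:object_r:file_t:s0"),
    "/usr/lib/virt-sysprep/scripts": ("d", "system_u:object_r:file_t:s0"),
    "/usr/lib/systemd/system/libvirtd.service": ("f", "system_u:object_r:systemd_unit_file_t:s0"),
}

SPEC_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")
FTYPE = {"--": "f", "-b": "b", "-c": "c", "-d": "d", "-l": "l", "-p": "p", "-s": "s"}


def parse_file_contexts(text):
    """Parse 'regex [ftype] context' lines into (compiled regex, ftype, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, ftype, ctx = m.groups()
        specs.append((re.compile(regex), FTYPE.get(ftype), ctx))
    return specs


def match_context(specs, path, ftype):
    """Default context for a path, like matchpathcon: regexes are anchored to
    the whole path, entries restricted to another file type are skipped, and
    the last matching entry wins (policy lists more specific paths later)."""
    result = None
    for regex, spec_ftype, ctx in specs:
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.fullmatch(path):
            result = ctx
    return result


def find_mislabelled(specs, current):
    """What `restorecon -nv` would report: paths whose type field differs from
    the default. Only the type is compared, which is restorecon's behaviour
    unless -F is given; paths with no default (or <<none>>) are left alone."""
    report = []
    for path, (ftype, ctx) in sorted(current.items()):
        expected = match_context(specs, path, ftype)
        if expected is None or expected == "<<none>>":
            continue
        if ctx.split(":")[2] != expected.split(":")[2]:
            report.append((path, ctx, expected))
    return report


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for path, have, want in find_mislabelled(specs, CURRENT_LABELS):
        print(f"{path}: {have.split(':')[2]} -> {want.split(':')[2]}")
```

Drop the third entry from the fragment and the script still gets relabelled, but only to lib_t, which is not a type any domain can use as an entrypoint; that is why the thread needs a policy entry and not just a restorecon call.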
Is the bug still relevant? Which component brings the virt-sysprep service?
(In reply to Milos Malik from comment #16)
> Is the bug still relevant?

Yep, it is.

> Which component brings the virt-sysprep service?

It's part of libguestfs, which is maintained by Rich Jones, and me.
What was said by @pinotree - happy to provide further assistance with this one. Thanks.
Note when testing: firstboot scripts can do basically anything: install new packages, create new files, manipulate the users in the system (e.g. adding new ones), configure system(d) services, and so on. (Even reboot the system, yes, we saw that in the wild.) Thus, please make sure the new SELinux policy allows all the operations as before, otherwise it will create functionality regressions for our users.
REPRODUCER:

cat >test.sh <<TEST
yum -y install libvirt
systemctl start libvirtd
systemctl enable libvirtd
cat >/tmp/nested.xml <<'EON'
<network>
  <name>nested</name>
  <uuid>71e5409e-59d0-11e4-8c48-3ca9f45639f8</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:C4:9E:13:05'/>
  <ip address='192.168.222.1' netmask='255.255.255.0'>
  </ip>
</network>
EON
virsh net-define /tmp/nested.xml
TEST

sudo virt-builder centos-7.4 --output /var/lib/libvirt/images/test.img --size 6G --root-password password:redhat --hostname test --firstboot test.sh
sudo virt-install --import --name test --vcpus 1 --ram 1200 --disk path=/var/lib/libvirt/images/test.img,format=raw --os-variant rhel7.4

Sign in as root/redhat, wait for firstboot to complete (tail /root/virt*log) and run virsh net-list to see whether "nested" is defined or not.

I CAN CONFIRM THIS IS FIXED, I was testing with CentOS 7.4 ^^^^
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763