Bug 1160183 - Virt-sysprep firstboot service should have its SELinux policy
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks:
Reported: 2014-11-04 04:17 EST by Lukas Zapletal
Modified: 2018-04-10 08:23 EDT
See Also:
Fixed In Version: selinux-policy-3.13.1-174.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 08:22:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 None None None 2018-04-10 08:23 EDT
Description Lukas Zapletal 2014-11-04 04:17:12 EST
Hello,

I use virt-builder (http://libguestfs.org/virt-builder.1.html), which allows executing firstboot scripts that are defined in the following systemd unit:

[root@seven ~]# cat /usr/lib/virt-sysprep/firstboot.service
[Unit]
Description=virt-sysprep firstboot service
After=network.target
Before=prefdm.service

[Service]
Type=oneshot
ExecStart=/usr/lib/virt-sysprep/firstboot.sh start
RemainAfterExit=yes
StandardOutput=journal+console
StandardError=inherit

[Install]
WantedBy=default.target

Which calls a sysv-compatible shell script:

[root@seven ~]# cat /usr/lib/virt-sysprep/firstboot.sh
#!/bin/sh -

### BEGIN INIT INFO
# Provides:          virt-sysprep
# Required-Start:    $null
# Should-Start:      $all
# Required-Stop:     $null
# Should-Stop:       $all
# Default-Start:     2 3 5
# Default-Stop:      0 1 6
# Short-Description: Start scripts to run once at next boot
# Description:       Start scripts to run once at next boot
#       These scripts run the first time the guest boots,
#       and then are deleted. Output or errors from the scripts
#       are written to ~root/virt-sysprep-firstboot.log.
### END INIT INFO

d=/usr/lib/virt-sysprep/scripts
logfile=~root/virt-sysprep-firstboot.log

# tee -a appends, so the log keeps the output of every script instead of
# being truncated by each pipeline
echo "$0" "$@" 2>&1 | tee -a $logfile
echo "Scripts dir: $d" 2>&1 | tee -a $logfile

if test "$1" = "start"
then
  for f in $d/* ; do
    if test -x "$f"
    then
      echo '=== Running' $f '===' 2>&1 | tee -a $logfile
      $f 2>&1 | tee -a $logfile
      rm -f $f
    fi
  done
fi

And it has the following file contexts:

[root@seven ~]# ll -Z /usr/lib/virt-sysprep/
-rw-r--r--. root root system_u:object_r:file_t:s0      firstboot.service
-rwxr-xr-x. root root system_u:object_r:file_t:s0      firstboot.sh
drwxr-xr-x. root root system_u:object_r:file_t:s0      scripts

Now, when I try to drop a temporary file and load it up with virsh, it does not work:

  cat >/tmp/nested.xml <<'EON'
<network>
  <name>nested</name>
  <uuid>71e5409e-59d0-11e4-8c48-3ca9f45639f8</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:C4:9E:13:05'/>
  <ip address='192.168.222.1' netmask='255.255.255.0'>
  </ip>
</network>
EON
  virsh net-define /tmp/nested.xml

The temporary file gets created with the initrc_tmp_t domain, and virsh then transitions to virsh_t, which is not allowed to read it. Unfortunately virsh does not allow reading from STDIN.

I am not really sure if this is an SELinux bug, but allowing reading of initrc_tmp_t should not hurt. The question is: shouldn't all domains be allowed to do the same?
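An added example, not part of this bug report or of libguestfs: a small POSIX sh helper that parses the AVC denial record the scenario above would leave in the audit log and reports it in terms of the source domain and the target type. The AVC line is constructed for this example (pid, inode, device and timestamp are made up); the real record on an affected guest will differ in those fields.

```shell
#!/bin/sh
# Added example (not from the bug report or libguestfs): parse an SELinux AVC
# denial record and explain it in terms of the source domain and target type.

# Constructed AVC record for the failure described above: virsh, running in
# the virsh_t domain, is refused read access to /tmp/nested.xml, which the
# firstboot script created while running as initrc_t, so the file carries
# initrc_tmp_t. The pid, inode, device and timestamp are made-up values.
SAMPLE_AVC='type=AVC msg=audit(1415092640.123:456): avc:  denied  { read } for  pid=2310 comm="virsh" name="nested.xml" dev="dm-0" ino=12345 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped if present).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: print the type field of user:role:type:level.
context_type() {
    rest=${1#*:}
    rest=${rest#*:}
    printf '%s\n' "${rest%%:*}"
}

# avc_perms LINE: print the denied permissions listed inside the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_summary LINE: one human-readable line, e.g.
# "virsh_t cannot read file of type initrc_tmp_t".
avc_summary() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    printf '%s cannot %s %s of type %s\n' \
        "$src" "$(avc_perms "$1")" "$(avc_field "$1" tclass)" "$tgt"
}

# avc_diagnosis LINE: flag the pattern in this report. A target type of the
# form <owner>_tmp_t whose owner is not the source domain means the file was
# created by a different domain (here initrc_t) and the reader (virsh_t) has
# no rule for it. Comment 4's remedy is to give the creating script a proper
# exec type so its temporary files stop being initrc_tmp_t.
avc_diagnosis() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    case "$tgt" in
        *_tmp_t)
            owner=${tgt%_tmp_t}
            if [ "$owner" != "${src%_t}" ]; then
                printf 'cross-domain tmp file: created by %s_t, read by %s\n' "$owner" "$src"
                return 0
            fi
            ;;
    esac
    printf 'other denial\n'
}

# Demonstration on the constructed record.
avc_summary "$SAMPLE_AVC"
avc_diagnosis "$SAMPLE_AVC"
```

On a real guest the record comes from `ausearch -m AVC -c virsh` (or /var/log/audit/audit.log); pipe one line at a time into avc_summary. The diagnosis only recognises the *_tmp_t naming convention, which is enough for this report but not a general policy analyser.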
Comment 1 Lukas Zapletal 2014-11-04 04:18:26 EST
Added CCs.
Comment 3 Richard W.M. Jones 2014-11-04 04:58:04 EST
I really need Dan or Miroslav to chime in here, but AIUI the label
on the script (system_u:object_r:file_t:s0 / firstboot.sh) doesn't
affect the label of the process when it is running.  So I don't
know what label the process has when it's running, but surely it
must be a bug that the process isn't permitted to create a new
file in /tmp and then invoke virsh to read that file.
Comment 4 Miroslav Grepl 2014-11-04 07:29:13 EST
First,

/usr/lib/virt-sysprep/

files have bad labeling. There should not be "file_t". restorecon is needed here. How are these files placed?

Then we would need to label

/usr/lib/virt-sysprep/firstboot.sh

which is called from the unit file by a proper type to avoid initrc_tmp_t.
Comment 5 Richard W.M. Jones 2014-11-04 07:46:34 EST
(In reply to Miroslav Grepl from comment #4)
> First,
> 
> /usr/lib/virt-sysprep/
> 
> files has bad labeling. There should not be "file_t". restorecon is needed
> here. How are these files placed?

They are placed in there by libguestfs so we could give them a
label or run restorecon, but at the moment we don't.  Since they are
not mentioned in the policy, I assume this would require some kind
of change in selinux-policy.

BTW I'm not completely happy with putting these files under /usr.  I
think /var would be a better choice.

> Then we would need to label
> 
> /usr/lib/virt-sysprep/firstboot.sh
> 
> which is called from the unit file by a proper type to avoid initrc_tmp_t.
Comment 6 Miroslav Grepl 2014-12-02 08:11:25 EST
Lukas,
did we make it work?
Comment 7 Lukas Zapletal 2014-12-16 04:40:04 EST
We did not. We need guidance on what file label to set, I think.
Comment 8 Miroslav Grepl 2015-04-09 07:45:59 EDT
Did we try to test it with virtd_exec_t?

chcon -t virtd_exec_t /usr/lib/virt-sysprep/firstboot.sh
Comment 9 Lukas Zapletal 2015-04-22 03:31:26 EDT
Mirek, the problem is that the file(s) are created by virt-builder, outside of the system environment (on the image). We need some policy for the virt-sysprep firstboot service to be available in RHEL, I guess.

A good start would be a file transition /tmp -> tmp_t, I think.
Comment 10 Miroslav Grepl 2015-05-04 09:09:00 EDT
It looks like we will need to add SELinux support to virt-builder.
Comment 11 Richard W.M. Jones 2015-05-04 09:28:27 EDT
(In reply to Miroslav Grepl from comment #10)
> It looks, we will need to add SELinux support to virt-builder.

virt-builder (and virt-sysprep) already have SELinux support.  If
the restorecon database knows about the files added by the firstboot
code then they will be labelled properly.
Comment 12 Miroslav Grepl 2015-05-13 09:31:28 EDT
So we just need to add a default labeling for

/usr/lib/virt-sysprep/firstboot.sh
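An added example, not part of this bug report or of libguestfs, for the labelling check raised in comments 4 and 12: a POSIX sh audit that reads `ls -Z` output and lists the entries still carrying the file_t type. The sample listing is constructed from the one in the description plus one entry labelled virtd_exec_t (the candidate type from comment 8), so the audit has a correctly labelled file to pass over.

```shell
#!/bin/sh
# Added example (not from the bug report or libguestfs): audit "ls -Z" output
# for entries still labelled file_t, the type comment 4 says must not appear
# under /usr/lib/virt-sysprep once a default file context exists.

# Constructed listing: the three entries from the description plus one file
# carrying virtd_exec_t, the candidate type suggested in comment 8.
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:file_t:s0      firstboot.service
-rwxr-xr-x. root root system_u:object_r:file_t:s0      firstboot.sh
drwxr-xr-x. root root system_u:object_r:file_t:s0      scripts
-rwxr-xr-x. root root system_u:object_r:virtd_exec_t:s0 relabelled.sh'

# context_type CONTEXT: print the type field of user:role:type:level.
context_type() {
    rest=${1#*:}
    rest=${rest#*:}
    printf '%s\n' "${rest%%:*}"
}

# find_file_t: read ls -Z lines on stdin; print "<name> <type>" for every
# entry whose type is file_t. Always exits 0 so it is safe under set -e;
# use count_file_t to gate a provisioning step on the result.
find_file_t() {
    while read -r mode owner group context name; do
        [ -n "$name" ] || continue
        if [ "$(context_type "$context")" = "file_t" ]; then
            printf '%s %s\n' "$name" "$(context_type "$context")"
        fi
    done
    return 0
}

# count_file_t: read ls -Z lines on stdin; print how many entries carry file_t.
count_file_t() {
    n=0
    while read -r mode owner group context name; do
        [ -n "$name" ] || continue
        if [ "$(context_type "$context")" = "file_t" ]; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | find_file_t
printf 'unlabelled entries: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_file_t)"
```

On an affected guest, `ls -Z /usr/lib/virt-sysprep/ | find_file_t` shows the same three entries. restorecon (comment 4) only helps once the policy carries a default file context for the path (comment 12); after both are in place the audit should print nothing.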
Comment 16 Milos Malik 2017-08-16 03:37:18 EDT
Is the bug still relevant?
Which component brings the virt-sysprep service?
Comment 17 Pino Toscano 2017-08-16 04:00:53 EDT
(In reply to Milos Malik from comment #16)
> Is the bug still relevant?

Yep, it is.

> Which component brings the virt-sysprep service?

It's part of libguestfs, which is maintained by Rich Jones, and me.
Comment 18 Lukas Zapletal 2017-08-16 05:28:48 EDT
What was said by @pinotree - happy to provide further assistance with this one. Thanks.
Comment 20 Pino Toscano 2017-10-10 10:56:02 EDT
Note when testing: firstboot scripts can do basically anything: install new packages, create new files, manipulate the users in the system (e.g. adding new), configure system(d) services, and so on. (Even reboot the system, yes, we saw that in the wild.)
Thus, please make sure the new SELinux policy allows all the operations as before, otherwise it will create functionality regressions for our users.
Comment 26 Lukas Zapletal 2018-03-05 11:12:45 EST
REPRODUCER:

cat >test.sh <<TEST
yum -y install libvirt
systemctl start libvirtd
systemctl enable libvirtd
cat >/tmp/nested.xml <<'EON'
<network>
  <name>nested</name>
  <uuid>71e5409e-59d0-11e4-8c48-3ca9f45639f8</uuid>
  <forward mode='nat'/>
  <bridge name='virbr1' stp='on' delay='0' />
  <mac address='52:54:C4:9E:13:05'/>
  <ip address='192.168.222.1' netmask='255.255.255.0'>
  </ip>
</network>
EON
virsh net-define /tmp/nested.xml
TEST

sudo virt-builder centos-7.4 --output /var/lib/libvirt/images/test.img --size 6G --root-password password:redhat --hostname test --firstboot test.sh

sudo virt-install --import --name test --vcpus 1 --ram 1200 --disk path=/var/lib/libvirt/images/test.img,format=raw --os-variant rhel7.4

Sign in as root/redhat, wait for firstboot to complete (tail /root/virt*log) and run virsh net-list to see whether "nested" is defined or not.

I CAN CONFIRM THIS IS FIXED, I was testing with CentOS 7.4 ^^^^
Comment 28 errata-xmlrpc 2018-04-10 08:22:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763