Bug 1161379 - [Hyper-V][REHL 7.1] IP injection fail due to SELinux denied with gen2 guest
Summary: [Hyper-V][REHL 7.1] IP injection fail due to SELinux denied with gen2 guest
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1161500
Reported: 2014-11-07 03:52 UTC by lijing
Modified: 2015-03-05 10:46 UTC (History)

Fixed In Version: selinux-policy-3.13.1-21.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1161500 (view as bug list)
Environment:
Last Closed: 2015-03-05 10:46:46 UTC
Target Upstream Version:
Embargoed:


Attachments
selinux denied log with hypervkvpd (374.05 KB, text/x-vhdl)
2014-11-07 08:08 UTC, lijing
The log is from permissive (246.12 KB, text/plain)
2015-01-16 09:20 UTC, lijing
the log of selinux-policy-3.13.1-16.el7.noarch for hypervkvpd (59.15 KB, text/x-vhdl)
2015-01-22 03:38 UTC, lijing


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0458 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Description lijing 2014-11-07 03:52:44 UTC
Description of problem:
Failed to execute IP injection with the RHEL 7.1 guest. However, after setting SELinux to permissive, the IP injection runs successfully.

Version-Release number of selected component (if applicable):
Host: Hyper-V 2012 R2
kernel version:
3.10.0-195.el7.x86_64
selinux-policy version:
selinux-policy-3.13.1-7.el7.noarch
selinux-policy-targeted-3.13.1-7.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Log in to RHEL 7.1 and check the status of hypervkvpd
2. Run the IP injection script on the host side
3. Check the IP information in the guest.

Actual results:
[root@rhel7 ~]# systemctl status hypervkvpd.service
Nov 07 10:13:16 rhel7 hypervkvpd[755]: cp: cannot create regular file ‘/etc/sysconfig/network-scripts/ifcfg-eth0’: Permission denied

SELinux log as below:
type=AVC msg=audit(1415327980.035:747): avc:  denied  { search } for  pid=8271 comm="hv_get_dhcp_inf" name="sss" dev="dm-0" ino=17713299 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1415327980.035:747): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffd5d28170 a2=6e a3=7fffd5d27e90 items=0 ppid=755 pid=8271 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hv_get_dhcp_inf" exe="/usr/bin/bash" subj=system_u:system_r:hypervkvp_t:s0 key=(null)


Expected results:
IP injection can run successfully when SELinux is enforcing.

Additional info:
There is no issue with rhel7.0 guest.

Comment 3 Milos Malik 2014-11-07 07:52:07 UTC
Could you gather all SELinux denials from that machine and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

The AVC mentioned in comment#0 comes from enforcing mode, because of "success=no". I would like to see if there are other problems. Thank you.

Comment 4 lijing 2014-11-07 08:08:14 UTC
Created attachment 954813 [details]
selinux denied log with hypervkvpd

Comment 5 lijing 2014-11-07 08:10:27 UTC
(In reply to Milos Malik from comment #3)
> Could you gather all SELinux denials from that machine and attach them here?
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
> 
> The AVC mentioned in comment#0 comes from enforcing mode, because of
> "success=no". I would like to see if there are other problems. Thank you.

Hi Milos, 

Please check the log in the attachment.

Thanks

Comment 6 Miroslav Grepl 2014-11-07 09:09:52 UTC
type=AVC msg=audit(11/07/2014 10:08:34.917:265) : avc:  denied  { execute } for  pid=4297 comm=dhclient-script name=setfiles dev="dm-0" ino=34849754 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file

Is there a dhclient-script running setfiles? This is definitely a bug in hypervkvp.

Comment 7 Miroslav Grepl 2014-11-07 09:45:56 UTC
commit da25a6ba00dff7cc196511efdf85b26b348856bb
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 7 10:42:55 2014 +0100

    Add fixes for hypervkvp daemon
     * allow to execute arping
     * allow to execute ifup-eth
     * allow to execute pidof
     * allow to exec chrony-helper

Comment 10 Miroslav Grepl 2015-01-06 10:50:48 UTC
commit 077d3cc087d63bd519b0c7ba1795d90a5a4bfcc7
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 6 11:38:48 2015 +0100

    Allow hypervkvp to execute arping in own domain and make it as nsswitch domain.

Comment 17 Miroslav Grepl 2015-01-16 07:05:58 UTC
We need to get AVC msgs from permissive mode?

Why does it write to /etc?

Comment 18 lijing 2015-01-16 07:19:57 UTC
(In reply to Miroslav Grepl from comment #17)
> We need to get AVC msgs from permissive mode?
> 
> Why does it write to /etc?

Hi Miroslav,

Do you need the AVC msgs from permissive mode? The AVC msg in the attachment was collected in Enforcing mode.

The IP injection runs successfully with permissive. Anyhow, hypervkvpd does the following things when I ran the PowerShell script on the Hyper-V host:

1) Creates new ifcfg-{name} file
2) Runs hv_set_ifconfig.sh, which does the following
3) Copies ifcfg-{name} to /etc/sysconfig/network-scripts
4) ifdown {name}
5) ifup {name}

Comment 19 Miroslav Grepl 2015-01-16 07:39:33 UTC
(In reply to lijing from comment #18)
> (In reply to Miroslav Grepl from comment #17)
> > We need to get AVC msgs from permissive mode?
> > 
> > Why does it write to /etc?
> 
> Hi Miroslav,
> 
> Do you need the AVC msgs from permissive mode?

Yes,
we need to get AVCs from permissive mode.

> The AVC msg in the attachment was collected
> in Enforcing mode.
> 
> The IP injection runs successfully with permissive. Anyhow, hypervkvpd
> does the following things when I ran the PowerShell script on the Hyper-V host:
> 
> 1) Creates new ifcfg-{name} file
> 2) Runs hv_set_ifconfig.sh, which does the following
> 3) Copies ifcfg-{name} to /etc/sysconfig/network-scripts
> 4) ifdown {name}
> 5) ifup {name}

Comment 20 lijing 2015-01-16 09:20:47 UTC
Created attachment 980794 [details]
The log is from permissive

Comment 21 Miroslav Grepl 2015-01-20 20:19:29 UTC
commit d9de065fde48d5884b609f3d421f4e975f378c22
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jan 20 21:16:12 2015 +0100

    Add additional fixes for hyperkvp
     * creates new ifcfg-{name} file
     * Runs hv_set_ifconfig.sh, which does the following
     * Copies ifcfg-{name} to /etc/sysconfig/network-scripts


But it needs to be re-tested in the real scenario.

Comment 23 lijing 2015-01-22 03:31:53 UTC
Hi Miroslav, 

I had a try with selinux-policy-3.13.1-16.el7, and the ifcfg-{name} file still can't be copied into /etc/sysconfig/network-scripts with hv_set_ifconfig.sh in Enforcing mode.

The log is in the attachment.

Comment 24 lijing 2015-01-22 03:38:16 UTC
Created attachment 982583 [details]
the log of selinux-policy-3.13.1-16.el7.noarch for hypervkvpd

Comment 25 lijing 2015-01-22 06:08:47 UTC
(In reply to lijing from comment #23)
> Hi Miroslav, 
> 
> I had a try with selinux-policy-3.13.1-16.el7, and the ifcfg-{name} file still
> can't be copied into /etc/sysconfig/network-scripts with hv_set_ifconfig.sh
> in Enforcing mode.
> 
> The log is in the attachment.

I checked the log of the selinux packages in brew; it is fixed in selinux-policy-3.13.1-17.el7 but not in selinux-policy-3.13.1-16.el7. It works well now.

Comment 26 Milos Malik 2015-01-22 09:00:49 UTC
Thanks a lot for the testing.

Comment 28 lijing 2015-01-26 03:15:58 UTC
Hi Miroslav, 

For this bug, the IP injection has worked very well, but there is still some other problem in SELinux: when I checked the status of hypervkvpd, the log below is displayed.

[root@classroom ~]# systemctl status hypervkvpd
hypervkvpd.service - Hyper-V KVP daemon
   Loaded: loaded (/usr/lib/systemd/system/hypervkvpd.service; enabled)
   Active: active (running) since Sun 2015-01-25 21:50:24 EST; 8min ago
 Main PID: 749 (hypervkvpd)
   CGroup: /system.slice/hypervkvpd.service
           └─749 /usr/sbin/hypervkvpd

Jan 25 21:50:24 classroom.example.com systemd[1]: Started Hyper-V KVP daemon.
Jan 25 21:50:24 classroom.example.com KVP[749]: KVP starting; pid is:749
Jan 25 21:50:24 classroom.example.com KVP[749]: KVP LIC Version: 3.1
Jan 25 21:57:10 classroom.example.com python[4327]: detected unhandled Python exception in '/usr/bin/firewall-cmd'
Jan 25 21:57:14 classroom.example.com python[4399]: detected unhandled Python exception in '/usr/bin/firewall-cmd'
Jan 25 21:57:17 classroom.example.com python[4472]: detected unhandled Python exception in '/usr/bin/firewall-cmd'


time->Wed Jan 21 06:22:05 2015
type=SYSCALL msg=audit(1421839325.703:424): arch=c000003e syscall=2 success=no exit=-13 a0=7f99f91b1889 a1=80000 a2=1b6 a3=1 items=0 ppid=3591 pid=3605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="firewall-cmd" exe="/usr/bin/python2.7" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1421839325.703:424): avc:  denied  { read } for  pid=3605 comm="firewall-cmd" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file


You can check the detailed log of selinux-policy-3.13.1-16.el7.noarch for hypervkvpd in the attachment.

So I think this bug can't be verified yet. Anyhow, the "Add additional fixes for hyperkvp" change is in selinux-policy-3.13.1-17.el7 but not in selinux-policy-3.13.1-16.el7. If you think the error log above is another issue, we can open another bug to track it.
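The two records in this comment, like the pair in the original description, follow the pattern Milos points out in comment 3: the AVC line names the denied access, and the SYSCALL line with the same audit serial says whether the kernel actually refused it ("success=no" means enforcing mode). The following script is an added example, not code from this bug or from selinux-policy: it pairs raw audit records by serial, decides for each denial whether it was enforced, and collapses the unique (source type, target type, class, permission) tuples into Type Enforcement allow rules the way audit2allow would, as a starting point for review. The sample input is constructed: serials 747 and 424 are the records quoted in this bug with their SYSCALL arguments abbreviated, and serial 900 is a made-up permissive-mode pair (the net_conf_t target label there is assumed for illustration) added to show the contrast.

```python
"""Triage raw SELinux audit records: pair AVC and SYSCALL lines by serial,
decide whether each denial was actually enforced, and summarise the unique
denials as draft allow rules. Added example, not the bug's or project's code."""
import re
from collections import OrderedDict

# Constructed sample. Serials 747 and 424 come from this bug report (SYSCALL
# arguments abbreviated); serial 900 is invented to show a permissive-mode
# denial: success=yes on the SYSCALL record, permissive=1 on the AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1415327980.035:747): avc:  denied  { search } for  pid=8271 comm="hv_get_dhcp_inf" name="sss" dev="dm-0" ino=17713299 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1415327980.035:747): arch=c000003e syscall=42 success=no exit=-13 ppid=755 pid=8271 uid=0 comm="hv_get_dhcp_inf" exe="/usr/bin/bash" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=SYSCALL msg=audit(1421839325.703:424): arch=c000003e syscall=2 success=no exit=-13 ppid=3591 pid=3605 uid=0 comm="firewall-cmd" exe="/usr/bin/python2.7" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1421839325.703:424): avc:  denied  { read } for  pid=3605 comm="firewall-cmd" name="meminfo" dev="proc" ino=4026532027 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1421900000.000:900): avc:  denied  { write } for  pid=4000 comm="cp" name="network-scripts" dev="dm-0" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1421900000.000:900): arch=c000003e syscall=2 success=yes exit=3 ppid=755 pid=4000 uid=0 comm="cp" exe="/usr/bin/cp" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group the key=value fields of every audit record by its serial number.
    Lines that are not records (blank lines, ausearch 'time->' separators) are skipped."""
    by_serial = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
        body = m.group("body")
        if rec["type"] == "AVC":
            a = AVC_RE.match(body)
            if not a:
                continue
            rec["result"] = a.group("result")
            rec["perms"] = a.group("perms").split()
            body = a.group("rest")
        rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
        by_serial.setdefault(rec["serial"], []).append(rec)
    return by_serial


def type_of(context):
    """Return the type component (third field) of a security context such as
    system_u:system_r:hypervkvp_t:s0."""
    return context.split(":")[2]


def triage(text):
    """One summary per AVC denial. Enforcement is decided as in comment 3: the
    paired SYSCALL record's success=no means the kernel really refused the call.
    Without a SYSCALL record, fall back to the AVC's own permissive= field if present."""
    events = []
    for serial, recs in parse_records(text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in (r for r in recs if r["type"] == "AVC" and r.get("result") == "denied"):
            if syscall is not None:
                enforced = syscall.get("success") == "no"
            elif "permissive" in avc:
                enforced = avc["permissive"] == "0"
            else:
                enforced = None  # cannot tell from the AVC record alone
            events.append({
                "serial": serial,
                "source": type_of(avc["scontext"]),
                "target": type_of(avc["tcontext"]),
                "tclass": avc["tclass"],
                "perms": tuple(avc["perms"]),
                "comm": avc.get("comm", "?"),
                "exe": (syscall or {}).get("exe", "?"),
                "enforced": enforced,
            })
    return events


def draft_allow_rules(events):
    """Collapse denials into Type Enforcement allow rules, for review only: a
    denial such as dhclient-script trying to execute setfiles (comment 6) points
    at a bug in the program, not at a rule that should be added to the policy."""
    wanted = OrderedDict()
    for ev in events:
        wanted.setdefault((ev["source"], ev["target"], ev["tclass"]), set()).update(ev["perms"])
    rules = []
    for (src, tgt, cls), perms in wanted.items():
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT)
    for ev in found:
        mode = {True: "ENFORCED", False: "permissive", None: "unknown"}[ev["enforced"]]
        print("%-10s serial=%d %s (%s) -> %s:%s %s" % (mode, ev["serial"], ev["comm"],
              ev["exe"], ev["target"], ev["tclass"], " ".join(ev["perms"])))
    for rule in draft_allow_rules(found):
        print(rule)
```

Feed it the output of the ausearch command from comment 3 run without -i (the raw, non-interpreted format is what the regexes expect). The draft rules are only a summary of what was denied; each one still needs the same judgement Miroslav applies in this thread, namely whether the domain should be doing that at all.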

Comment 30 Miroslav Grepl 2015-01-28 08:02:26 UTC
commit 6fbe6729a6507f64ec9570c678ef926fd1f70a5d
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jan 28 08:40:05 2015 +0100

    Allow gluster rpm scriptlet to create glusterd socket with correct labeling. This is a workaround until we get a fix in glusterd.

Comment 34 errata-xmlrpc 2015-03-05 10:46:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

