Bug 1179564
| Summary: | When selinux is 'Enforcing', guest with a readonly attribute sg disk can not be started. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | lcheng |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | CC: | dyuan, honzhang, jferlan, lcheng, lhuang, lmiksik, lvrabec, mgrepl, mmalik, mzhan, plautrba, pvrabec, rbalakri, ssekidde, xuzhang |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-17.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-05 10:48:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1082521 | ||
| Bug Blocks: | |||
For reference, the <hostdev> portion of this was discovered during verification of the following bz: https://bugzilla.redhat.com/show_bug.cgi?id=1082521 As "work-around" it is possible to provide both the <readonly/> and <shareable/> attributes. Something I was hoping would be clearer when I asked for this bug to be filed is if the <disk...> case was also failing using the same libvirt release as used to test the other bug in the "failure" case. That is - prior to libvirt-1.2.8-11.el7.x86_64 when the <shareable/> didn't work for <hostdev>, did setting <readonly/> on the <disk...> work? Nothing changed in the <disk...> code path and the <hostdev...> code path mimics the <disk...> code path, so if prior to this change the <disk...> wasn't working correctly then it's been broken for a while (or in IOW - bug for bug compatible). Furthermore, just because <readonly/> was working for <hostdev...> prior to libvirt-1.2.8-11.el7.x86_64 doesn't necessarily mean it was working correctly since it would have used the same label (eg, secdev->imagelabel rather than data->content_context) as the non-readonly <hostdev...> which may have been wrong. I'm not "fluent" in speaking security labels and their proper usage. If you can test something before libvirt-1.2.8-11.el7.x86_64 and even RHEL7.0 in order to determine if scenario 2 still fails and let me know what results you have - that would be useful. The answer will help to determine whether this is something we must fix for RHEL 7.1 or whether it can wait for 7.2. I did try the 7.0 test, but didn't take the time to convince the beaker system I got to create an iSCSI device for me to use. My instructions work for Fedora, but RHEL uses targetcli, which I'm not that familiar with. I think the root cause is this:
# sesearch --allow -s svirt_t -t virt_content_t
Found 7 semantic av rules:
allow virt_domain file_type : dir { getattr search open } ;
allow virt_domain virt_content_t : file { ioctl read getattr lock open } ;
allow virt_domain virt_content_t : dir { ioctl read getattr lock search open } ;
allow virt_domain virt_content_t : lnk_file { read getattr } ;
allow virt_domain virt_content_t : blk_file { ioctl read getattr lock open } ;
allow virt_domain user_home_type : dir { getattr search open } ;
allow virt_domain user_home_type : lnk_file { read getattr } ;
seliunx not allow chr_file read for virt_domain when chr_file label is virt_content_t.
And the AVC report is like this:
type=SYSCALL msg=audit(1420685468.653:169625): arch=c000003e syscall=2 success=no exit=-13 a0=7f5c675b0690 a1=80800 a2=0 a3=0 items=0 ppid=1 pid=3496 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0-s0:c286,c758 key=(null)
type=AVC msg=audit(1420685468.653:169626): avc: denied { read } for pid=3496 comm="qemu-kvm" name="sg13" dev="devtmpfs" ino=128489628 scontext=system_u:system_r:svirt_t:s0-s0:c286,c758 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file
So we will failed to start the guest because selinux forbid us.
if add this line in virt.te and rebuild the selinux and install, guest will start success.
--- a/virt.te
+++ b/virt.te
@@ -698,6 +698,7 @@ allow virt_domain self:netlink_kobject_u
list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+read_chr_files_pattern(virt_domain,virt_content_t,virt_content_t)
dontaudit virt_domain virt_content_t:file write_file_perms;
dontaudit virt_domain virt_content_t:dir write;
So I think maybe need move this bug to selinux, because libvirt do the right things here(set the virt_content_t to chr_file).
https://bugzilla.redhat.com/show_bug.cgi?id=1082521 c#16 says it is regression as "When I executed Scenario 2 with libvirt-1.2.8-10.el7.x86_64, the guest can be started successfully. But when I used libvirt-1.2.8-11.el7.x86_64 to test, the guest started to fail" Add Regression keyword firstly. With regard to comment 3 and the needinfo placed on me... If you are asking if I agree this should be moved, then the answer is yes as that seems reasonable to me and my very limited experience with selinux labels. But someone with more knowledge of selinux should be the arbiter of whether the fix is right. Although I also note that min zhan moved this to 7.2; however, later on the regression keyword was added which seems to have added the blocker flag. Again, I'll reiterate whether this is a libvirt regression is a matter of opinion. Also, IIRC the scsi_host hostdev was *added* for RHEL7.1 (eg, not in RHEL7.0). So it cannot be a regression from RHEL7.0. With respect to whether having <readonly/> fail for 7.1 is a regression for <disk...>'s still requires someone (see the needinfo from comment 2) to determine whether setting <readonly/> for a <disk...> in a RHEL7.0 environment works or not. ug... seems my response cleared both needinfo flags - so I'm placing it back on submittor for resolution of comment 2. (In reply to John Ferlan from comment #6) > With regard to comment 3 and the needinfo placed on me... If you are asking > if I agree this should be moved, then the answer is yes as that seems > reasonable to me and my very limited experience with selinux labels. But > someone with more knowledge of selinux should be the arbiter of whether the > fix is right. > Good. # ls -Z /dev/sdf brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdf # ls -Z /dev/sg7 crw-rw----. root disk system_u:object_r:scsi_generic_device_t:s0 /dev/sg7 /dev/sd* will work well because it is a blk_file and /dev/sg* will forbid use because it is a chr_file. > Although I also note that min zhan moved this to 7.2; however, later on the > regression keyword was added which seems to have added the blocker flag. > > Again, I'll reiterate whether this is a libvirt regression is a matter of > opinion. Also, IIRC the scsi_host hostdev was *added* for RHEL7.1 (eg, not > in RHEL7.0). So it cannot be a regression from RHEL7.0. With respect to > whether having <readonly/> fail for 7.1 is a regression for <disk...>'s > still requires someone (see the needinfo from comment 2) to determine > whether setting <readonly/> for a <disk...> in a RHEL7.0 environment works > or not. Maybe i can offer some information, because when i debug this issue, i had test these. <readonly/> work well with <disk> for 7.0.z and 7.1 : Steps: 1.# lsscsi -sg [0:0:0:0] disk ATA WDC WD10EZEX-60Z 80.0 /dev/sda /dev/sg0 1.00TB [2:0:0:0] cd/dvd hp DVD-RAM GHA3N RH06 /dev/sr0 /dev/sg1 - [11:0:0:0] disk LIO-ORG shareddata 4.0 /dev/sdb /dev/sg2 104MB [11:0:0:1] disk LIO-ORG file1 4.0 /dev/sdc /dev/sg3 209MB [11:0:0:2] disk LIO-ORG file2 4.0 /dev/sde /dev/sg5 209MB [12:0:0:0] disk LIO-ORG shareddata 4.0 /dev/sdd /dev/sg4 104MB [12:0:0:1] disk LIO-ORG file1 4.0 /dev/sdg /dev/sg7 209MB 2.# rpm -q libvirt libvirt-1.2.8-12.el7.x86_64 3. # virsh dumpxml test3 <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/sdg'/> <target dev='sdb' bus='scsi'/> <readonly/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> 4.# virsh start test3 Domain test3 started # ls -Z /dev/sdg brw-rw----. qemu qemu system_u:object_r:virt_content_t:s0 /dev/sdg 4.# sesearch --allow -s svirt_t -t virt_content_t Found 7 semantic av rules: allow virt_domain file_type : dir { getattr search open } ; allow virt_domain virt_content_t : file { ioctl read getattr lock open } ; allow virt_domain virt_content_t : dir { ioctl read getattr lock search open } ; allow virt_domain virt_content_t : lnk_file { read getattr } ; allow virt_domain virt_content_t : blk_file { ioctl read getattr lock open } ; allow virt_domain user_home_type : dir { getattr search open } ; allow virt_domain user_home_type : lnk_file { read getattr } ; 5. also test with libvirt-1.1.1-29.el7_0.4.x86_64. Interesting a bit different than scenario2 from the description section...
Description has:
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/sg11'/>
<target dev='sdb' bus='scsi'/>
<readonly/>
<address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
and fails
Comment 8 has:
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/sdg'/>
<target dev='sdb' bus='scsi'/>
<readonly/>
<address type='drive' controller='0' bus='0' target='0' unit='1'/>
</disk>
and succeeds.
Based on your 'block' vs. 'char' I understand why and perhaps the Description should have used '/dev/sdf' instead of '/dev/sg11' in order to make things work.
Still points at selinux needing the 'chr_file' and thus not a libvirt issue.
(In reply to John Ferlan from comment #9) > Interesting a bit different than scenario2 from the description section... > > Description has: > > <disk type='block' device='disk'> > <driver name='qemu' type='raw'/> > <source dev='/dev/sg11'/> > <target dev='sdb' bus='scsi'/> > <readonly/> > <address type='drive' controller='0' bus='0' target='0' unit='1'/> > </disk> > > and fails > > Comment 8 has: > > <disk type='block' device='disk'> > <driver name='qemu' type='raw'/> > <source dev='/dev/sdg'/> > <target dev='sdb' bus='scsi'/> > <readonly/> > <address type='drive' controller='0' bus='0' target='0' unit='1'/> > </disk> > > and succeeds. > > Based on your 'block' vs. 'char' I understand why and perhaps the > Description should have used '/dev/sdf' instead of '/dev/sg11' in order to > make things work. > > Still points at selinux needing the 'chr_file' and thus not a libvirt issue. Yes, i guess this is root cause. BTW we have supported this feature <hostdev...> in 7.0, and please see this bug (Thanks dyuan pointing out this, i don't know much about storage) https://bugzilla.redhat.com/show_bug.cgi?id=957292#c8 (In reply to John Ferlan from comment #2) > For reference, the <hostdev> portion of this was discovered during > verification of the following bz: > > https://bugzilla.redhat.com/show_bug.cgi?id=1082521 > > As "work-around" it is possible to provide both the <readonly/> and > <shareable/> attributes. > > Something I was hoping would be clearer when I asked for this bug to be > filed is if the <disk...> case was also failing using the same libvirt > release as used to test the other bug in the "failure" case. That is - > prior to libvirt-1.2.8-11.el7.x86_64 when the <shareable/> didn't work for > <hostdev>, did setting <readonly/> on the <disk...> work? > > Nothing changed in the <disk...> code path and the <hostdev...> code path > mimics the <disk...> code path, so if prior to this change the <disk...> > wasn't working correctly then it's been broken for a while (or in IOW - bug > for bug compatible). > > Furthermore, just because <readonly/> was working for <hostdev...> prior to > libvirt-1.2.8-11.el7.x86_64 doesn't necessarily mean it was working > correctly since it would have used the same label (eg, secdev->imagelabel > rather than data->content_context) as the non-readonly <hostdev...> which > may have been wrong. I'm not "fluent" in speaking security labels and their > proper usage. > > If you can test something before libvirt-1.2.8-11.el7.x86_64 and even > RHEL7.0 in order to determine if scenario 2 still fails and let me know what > results you have - that would be useful. > > The answer will help to determine whether this is something we must fix for > RHEL 7.1 or whether it can wait for 7.2. > Sorry, I made a mistake. Just as comment #8, the scenario 2 should use the following xml. <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/sdb'/> <== Not /dev/sg* <target dev='sdb' bus='scsi'/> <readonly/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> I tested this scenario with libvirt-1.2.8-10.el7.x86_64, libvirt-1.2.8-11.el7.x86_64 and libvirt-1.2.8-12.el7.x86_64. The results were the same as comment #8. <readonly/> work well with <disk> for rhel 7.1. So is the "process" to create a new bug filed against selinux to request the fix suggested in comment 3? And then make this bug depend on that? Or does this bug get "reassigned" to selinux? If it's needed for 7.1, then it should be done soon as that window is closing fast. (In reply to John Ferlan from comment #12) > So is the "process" to create a new bug filed against selinux to request the > fix suggested in comment 3? And then make this bug depend on that? Or does > this bug get "reassigned" to selinux? > > If it's needed for 7.1, then it should be done soon as that window is > closing fast. I guess maybe reassigned to selinux then set depends on bug 1082521 is better. Because libvirt already give enough patch for this issue (in bug 1082521), we just need selinux allow this 'chr_file' with this label 'virt_content_t'. OK - So hopefully I did the right steps and reassigned this to the right component (selinux_policy) per the ongoing discussion. The important part of the history here is comment #3. I removed the 7.2 flag and returned the 7.1 flag since it's verified that this is a regression from 7.0 for a similar configuration and a blocker flag was already added. Could you tell me why you assigned this back to libvirt? I apologize, we need to update SELinux rules. commit fe7a92cba311ef0c9c8fddafb1d98089bb764224
Author: Miroslav Grepl <mgrepl>
Date: Tue Jan 20 19:14:46 2015 +0100
Update virt_read_content() interface to allow read also char devices.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html |
Description of problem: When selinux is 'Enforcing', guest with a readonly attribute sg disk can not be started. Version-Release number of selected component (if applicable): libvirt-1.2.8-11.el7.x86_64 qemu-kvm-rhev-2.1.2-17.el7.x86_64 selinux-policy-3.13.1-14.el7.noarch How reproducible: 100% Steps to Reproduce: Scenario 1: For <hostdev...>, guest with a readonly attribute sg disk started to fail. [root@intel-q9550-4-1 ~]# getenforce Enforcing [root@intel-q9550-4-1 ~]# lsmod | grep sg sg 40721 0 [root@intel-q9550-4-1 ~]# lsscsi -g [0:0:0:0] disk ATA Hitachi HDP72503 GM3O /dev/sda /dev/sg0 [7:0:0:0] storage IET Controller 0001 - /dev/sg1 [7:0:0:1] tape IET VIRTUAL-TAPE 0001 /dev/st0 /dev/sg2 [10:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdb /dev/sg3 [13:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdc /dev/sg4 [14:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdd /dev/sg5 [26:0:0:0] storage IET Controller 0001 - /dev/sg6 [26:0:0:1] disk IET VIRTUAL-DISK 0001 /dev/sdf /dev/sg11 [27:0:0:0] storage IET Controller 0001 - /dev/sg7 [27:0:0:1] disk IET VIRTUAL-DISK 0001 /dev/sde /dev/sg10 [root@intel-q9550-4-1 ~]# virsh dumpxml a | grep hostdev -A10 <hostdev mode='subsystem' type='scsi' managed='no'> <source> <adapter name='scsi_host26'/> <address bus='0' target='0' unit='1'/> </source> <readonly/> <address type='drive' controller='0' bus='0' target='0' unit='0'/> </hostdev> ... [root@intel-q9550-4-1 ~]# virsh start a error: Failed to start domain a error: internal error: process exited while connecting to monitor: 2015-01-07T02:09:03.977990Z qemu-kvm: -drive file=/dev/sg11,if=none,id=drive-hostdev0,readonly=on: could not open disk image /dev/sg11: Could not open '/dev/sg11': Permission denied [root@intel-q9550-4-1 ~]# ll -Z /dev/sg11 crw-rw----. root root system_u:object_r:virt_content_t:s0 /dev/sg11 Scenario 2: For <disk...>, guest with a readonly attribute sg disk started to fail too. [root@intel-q9550-4-1 ~]# getenforce Enforcing [root@intel-q9550-4-1 ~]# lsmod | grep sg sg 40721 0 [root@intel-q9550-4-1 ~]# lsscsi -g [0:0:0:0] disk ATA Hitachi HDP72503 GM3O /dev/sda /dev/sg0 [7:0:0:0] storage IET Controller 0001 - /dev/sg1 [7:0:0:1] tape IET VIRTUAL-TAPE 0001 /dev/st0 /dev/sg2 [10:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdb /dev/sg3 [13:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdc /dev/sg4 [14:0:0:0] disk EQLOGIC 100E-00 5.0 /dev/sdd /dev/sg5 [26:0:0:0] storage IET Controller 0001 - /dev/sg6 [26:0:0:1] disk IET VIRTUAL-DISK 0001 /dev/sdf /dev/sg11 [27:0:0:0] storage IET Controller 0001 - /dev/sg7 [27:0:0:1] disk IET VIRTUAL-DISK 0001 /dev/sde /dev/sg10 [root@intel-q9550-4-1 ~]# virsh dumpxml a | grep disk -A10 <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/sg11'/> <target dev='sdb' bus='scsi'/> <readonly/> <address type='drive' controller='0' bus='0' target='0' unit='1'/> </disk> ... [root@intel-q9550-4-1 ~]# virsh start a error: Failed to start domain a error: internal error: process exited while connecting to monitor: 2015-01-07T05:50:10.740345Z qemu-kvm: -drive file=/dev/sg11,if=none,id=drive-scsi0-0-0-1,readonly=on,format=raw: could not open disk image /dev/sg11: Could not open '/dev/sg11': Permission denied [root@intel-q9550-4-1 ~]# ll -Z /dev/sg11 crw-rw----. qemu qemu system_u:object_r:virt_content_t:s0 /dev/sg11 Actual results: As steps. Expected results: The guest can be started successfully. Additional info: