Bug 1241636 - Grant hyperv-daemons access to /dev/vmbus/hv_* devices
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-09 16:33 UTC by Vitaly Kuznetsov
Modified: 2016-04-09 20:17 UTC (History)
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-180.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-04-09 20:17:26 UTC
Type: Bug
Embargoed:



Description Vitaly Kuznetsov 2015-07-09 16:33:50 UTC
Description of problem:
In kernel 4.2 the following patch series was merged: https://lkml.org/lkml/2015/4/9/124

hyperv-daemons will shortly switch to using these new devices. In particular,

hypervkvpd (system_u:system_r:hypervkvp_t:s0 atm) will need to access /dev/vmbus/hv_kvp (rw)
hypervvssd (system_u:system_r:hypervvssd_t:s0 atm) will need to access /dev/vmbus/hv_vss (rw)
hypervfcopyd (system_u:system_r:unconfined_service_t:s0 atm) will continue using /dev/vmbus/hv_fcopy

Current policy prevents hypervkvpd and hypervvssd from accessing their devices:
type=AVC msg=audit(1436484445.431:449): avc:  denied  { read write } for  pid=5724 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=18556 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1436484448.569:452): avc:  denied  { read write } for  pid=5731 comm="hypervvssd" name="hv_vss" dev="devtmpfs" ino=18557 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0

I would also suggest we introduce new hypervfcopyd_t for hypervfcopyd.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.2.fc22.noarch

Comment 1 Jan Kurik 2015-07-15 13:19:27 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could also affect pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Lukas Vrabec 2015-08-17 14:37:59 UTC
Hi Vytaly! 

Can we label hypervfcopyd as hypervkvp_t? What is the purpose of this service?

Which rpm package owns /dev/vmbus? We need to find proper label for /dev/vmbus/* devices.

Comment 3 Lukas Vrabec 2015-08-17 14:39:31 UTC
Vytaly/Vitaly.

Sorry for mistake.

Comment 4 Vitaly Kuznetsov 2015-08-18 18:49:24 UTC
(In reply to Lukas Vrabec from comment #2)
> Hi Vytaly! 
> 
> Can we label hypervfcopyd as hypervkvp_t?

That would be a misnomer.

hypervkvp_t is being used for hypervkvpd (key-value pair service, mainly used to set/get network configuration of a VM from the host).

> What is the purpose of this service?

hypervfcopyd is a file copy service; it supports copying a file from host to guest through vmbus.

> 
> Which rpm package owns /dev/vmbus?

No one owns it; I think udev creates this folder and the device files in it when the kernel registers the corresponding devices.

> We need to find proper label for /dev/vmbus/* devices.

I'd suggest we use different labels for these services as they're independent and shouldn't normally access other devices.

Comment 6 Miroslav Grepl 2015-08-27 16:41:30 UTC
We should add labeling for

/dev/vmbus

and probably a new domain for hypervfcopyd.

Comment 7 Sitsofe Wheeler 2015-11-04 19:56:03 UTC
I've just hit this on the Fedora 23 LiveCD after starting the hypervkvpd service and it breaks things like getting the IP address of the guest. Switching selinux to permissive mode produced the following logs:

type=SERVICE_START msg=audit(1446613082.722:556): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=hypervkvpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1446613082.732:557): avc:  denied  { read write } for  pid=2924 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1446613082.732:558): avc:  denied  { open } for  pid=2924 comm="hypervkvpd" path="/dev/vmbus/hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
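Triage of the AVC denials quoted in the description and in comment 7, as an added example (not part of this bug report or of the selinux-policy package): it folds the denials into audit2allow-style rules per domain and flags that every target is the generic `device_t` label, which is why the fix needs a file context for `/dev/vmbus/hv_*` rather than a bare allow rule. The sample lines are the ones quoted above; the set of "generic" labels is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in this bug (description and comment 7).
AVC_LINES = """\
type=AVC msg=audit(1436484445.431:449): avc:  denied  { read write } for  pid=5724 comm="hypervkvpd" name="hv_kvp" dev="devtmpfs" ino=18556 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1436484448.569:452): avc:  denied  { read write } for  pid=5731 comm="hypervvssd" name="hv_vss" dev="devtmpfs" ino=18557 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1446613082.732:558): avc:  denied  { open } for  pid=2924 comm="hypervkvpd" path="/dev/vmbus/hv_kvp" dev="devtmpfs" ino=16807 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

# Pull the permission set, source type, target type and object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)')

# Assumed list of labels that mean "this object never received a specific type".
# Allowing access to them widens the domain to every object carrying the fallback label.
GENERIC_TARGETS = {"device_t", "unlabeled_t", "default_t"}

def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def allow_rules(rules):
    """Render one audit2allow-style rule per (source, target, class) triple."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def generic_target_hits(rules):
    """Domains whose denials hit a generic label: these need a labeling fix, not an allow."""
    return sorted({s for (s, t, _c) in rules if t in GENERIC_TARGETS})

if __name__ == "__main__":
    parsed = parse_avc(AVC_LINES)
    print("\n".join(allow_rules(parsed)))
    for dom in generic_target_hits(parsed):
        print(f"# {dom}: target is a generic label; label the device node "
              f"(file context) instead of allowing access to it")
```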

Comment 8 Jan Kurik 2016-02-24 15:49:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 9 Gonçalo Lourenço 2016-03-22 14:11:57 UTC
Greetings, everyone. I've also hit this exact same bug in CentOS 7.2. All packages in this system are up-to-date. The LIS version that this system is using is 4.1, the one released on the 18th of this month.

I'm glad to see this issue will be fixed in the near future! Is there an ETA for the release of this new package for CentOS?

Comment 10 Fedora Update System 2016-03-30 14:07:00 UTC
selinux-policy-3.13.1-180.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4

Comment 11 Fedora Update System 2016-03-30 22:25:08 UTC
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffb5ed99b4

Comment 12 Fedora Update System 2016-04-09 20:17:10 UTC
selinux-policy-3.13.1-180.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

