Bug 1268638 - SELinux preventing qemu create access sock_file
SELinux preventing qemu create access sock_file
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
22
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-03 23:09 EDT by poma
Modified: 2016-05-10 13:57 EDT (History)
9 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-128.22.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-10 13:57:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description poma 2015-10-03 23:09:15 EDT
virt-manager:

1. Add New Virtual Serial Device Type: Unix socket Path: /tmp/CharUNIX
   UNIX domain socket server,
   the character device acts as a UNIX domain socket server, accepting connections from local clients. 

domain.xml
<serial type='unix'>
  <source mode='bind' path='/tmp/CharUNIX'/>
  <target port='0'/>
</serial>
<console type='unix'>
  <source mode='bind' path='/tmp/CharUNIX'/>
  <target type='serial' port='0'/>
</console>

2. Run domain

- debug:
libvirtError: internal error: process exited while connecting to monitor: -- qemu-system-x86_64: -chardev socket,id=charserial0,path=/tmp/CharUNIX,server,nowait: Failed to bind socket to /tmp/CharUNIX: Permission denied


SEalert:
SELinux is preventing /usr/bin/qemu-system-x86_64 from create access on the sock_file CharUNIX.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86_64 should be allowed create access on the CharUNIX sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c--,c--
Target Context                system_u:object_r:tmp_t:s0
Target Objects                CharUNIX [ sock_file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          --
Source RPM Packages           qemu-system-x86-2.3.1-3.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     --
Platform                      Linux -- 4.1.7-200.fc22.x86_64 #1 SMP Mon
                              Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    --
Last Seen                     --
Local ID                      --

Raw Audit Messages
type=AVC msg=audit(--.--:--): avc:  denied  { create } for  pid=-- comm="qemu-system-x86" name="CharUNIX" scontext=system_u:system_r:svirt_t:s0:c--,c-- tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(--.--:--): arch=x86_64 syscall=bind success=no exit=EACCES a0=-- a1=-- a2=-- a3=-- items=0 ppid=1 pid=-- auid=-- uid=-- gid=-- euid=-- suid=-- fsuid=-- egid=-- sgid=-- fsgid=-- tty=(none) ses=-- comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c--,c-- key=(null)

Hash: qemu-system-x86,svirt_t,tmp_t,sock_file,create
Comment 1 Cole Robinson 2015-10-05 19:31:31 EDT
linux doesn't allow binding a to a unix socket filesystem path if the file already exists. so qemu is forced to unlink the path first, and allow the bind(2) call to create it. this means libvirt can't stick an svirt label on the path.

so my guess is the 'solution' here is to use a properly labelled root directory for the unix socket, but maybe it makes sense to allow /tmp to serve that purpose. that's up to the selinux guys though
Comment 2 poma 2015-11-20 01:56:26 EST
Whether they forgot about us?
Comment 3 poma 2015-12-07 10:55:13 EST
SELinux is preventing /usr/bin/qemu-system-x86_64 from create access on the sock_file CharUNIX.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86_64 should be allowed create access on the CharUNIX sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-system-x86 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c--,c--
Target Context                system_u:object_r:tmp_t:s0
Target Objects                CharUNIX [ sock_file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           qemu-system-x86-2.3.1-7.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     --
Platform                      Linux -- 4.2.6-200.fc22.x86_64 #1 SMP Tue
                              Nov 10 16:45:19 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-07 16:34:46 CET
Last Seen                     2015-12-07 16:34:46 CET
Local ID                      --

Raw Audit Messages
type=AVC msg=audit(--.--:--): avc:  denied  { create } for  pid=-- comm="qemu-system-x86" name="CharUNIX" scontext=system_u:system_r:svirt_t:s0:c--,c-- tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0


type=SYSCALL msg=audit(--.--:--): arch=x86_64 syscall=bind success=no exit=EACCES a0=-- a1=-- a2=-- a3=-- items=0 ppid=1 pid=-- auid=-- uid=-- gid=-- euid=-- suid=-- fsuid=-- egid=-- sgid=-- fsgid=-- tty=(none) ses=-- comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c--,c-- key=(null)

Hash: qemu-system-x86,svirt_t,tmp_t,sock_file,create
Comment 4 poma 2015-12-07 10:56:51 EST
Do you plan to fix this, if so, when?
Comment 5 Lukas Vrabec 2015-12-07 12:08:09 EST
commit f373c53cfa7d5eabd5cfd0238ed5fa0a6325a588
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Mon Dec 7 18:03:27 2015 +0100

    Allow virt_domain to create socket file in /tmp. BZ(1268638)
Comment 6 poma 2015-12-07 12:38:58 EST
https://github.com/fedora-selinux/selinux-policy/commit/f373c53.patch
Man, page needs refresh to show latest commitas.
Comment 7 Fedora Update System 2015-12-09 08:56:08 EST
selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
Comment 8 Fedora Update System 2015-12-09 18:22:46 EST
selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683
Comment 9 poma 2015-12-10 03:08:51 EST
-chardev socket,id=charserial0,path=/tmp/CharUNIX,server,nowait \
-device isa-serial,chardev=charserial0,id=serial0

$ socat -d -d /tmp/CharUNIX -,raw,echo=0,escape=0x0f
2015/12/10 09:06:21 socat[9281] N opening connection to AF=1 "/tmp/CharUNIX"
2015/12/10 09:06:21 socat[9281] N successfully connected from local address AF=1 "\xEE\xEE\xEE\xEE\xEE\xEE"
2015/12/10 09:06:21 socat[9281] N successfully connected via <anon>
2015/12/10 09:06:21 socat[9281] N reading from and writing to stdio
2015/12/10 09:06:21 socat[9281] N starting data transfer loop with FDs [3,3] and [0,1]

# works OK, thanks
Comment 10 poma 2015-12-10 03:50:15 EST
(In reply to Cole Robinson from comment #1)
> linux doesn't allow binding a to a unix socket filesystem path if the file
> already exists. so qemu is forced to unlink the path first, and allow the
> bind(2) call to create it. this means libvirt can't stick an svirt label on
> the path.
> 
> so my guess is the 'solution' here is to use a properly labelled root
> directory for the unix socket, but maybe it makes sense to allow /tmp to
> serve that purpose. that's up to the selinux guys though


Related was briefly discussed, some time ago in sd,
"SELinux labels on unix sockets"
http://lists.freedesktop.org/archives/systemd-devel/2015-March/029076.html

But yeah, at least here, /tmp would do.
Comment 11 poma 2016-01-07 05:48:31 EST
This is solved, so why is still open?
Comment 12 Fedora Update System 2016-01-18 08:20:35 EST
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 13 Fedora Update System 2016-01-19 22:53:48 EST
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 14 Fedora Update System 2016-02-15 12:47:36 EST
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 15 Fedora Update System 2016-02-17 01:26:35 EST
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 16 Fedora Update System 2016-02-18 07:28:35 EST
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 17 Fedora Update System 2016-02-21 13:29:28 EST
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 18 Fedora Update System 2016-05-10 13:56:13 EDT
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.