Bug 1309361 - [Hyper-V][RHEL7.3]Grant hyperv-daemons access to /dev/vmbus/hv_* devices
Summary: [Hyper-V][RHEL7.3]Grant hyperv-daemons access to /dev/vmbus/hv_* devices
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Jaroslav Aster
URL:
Whiteboard:
Depends On:
Blocks: 1304005
TreeView+ depends on / blocked
 
Reported: 2016-02-17 15:43 UTC by Vitaly Kuznetsov
Modified: 2022-05-12 10:37 UTC (History)
15 users (show)

Fixed In Version: selinux-policy-3.13.1-68.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1331448 (view as bug list)
Environment:
Last Closed: 2016-11-04 02:42:56 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Vitaly Kuznetsov 2016-02-17 15:43:01 UTC 
Description of problem:
This is RHEL7 clone of the following Fedora BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1241636

I plan to upgrade hyperv-daemons package switching hypervvssd and hypervkvpd daemons to using char devices instead of netlink to communicate with kernel. To support the change I need to grant the following:

/usr/sbin/hypervvssd needs to access /dev/vmbus/hv_vss (open, read, write)

/usr/sbin/hypervkvpd needs to access /dev/vmbus/hv_kvp (open, read, write)

audit2allow generates the following:
#============= hypervkvp_t ==============
allow hypervkvp_t device_t:chr_file { read write open };

#============= hypervvssd_t ==============
allow hypervvssd_t device_t:chr_file { read write open };

This is sufficient but seems to be to permissive, not sure if we can assign different labels to /dev/vmbus/hv_* devices but if it's the case we can limit each daemon (hypervvssd, hypervkvpd, hypervfcopyd) to accessing its own char device.
Comment 2 Milos Malik 2016-02-19 08:08:11 UTC 
How are these devices created? Do I need to load some kernel module?
Comment 3 Vitaly Kuznetsov 2016-02-19 10:07:59 UTC 
These devices are created by hv_utils kernel module but your VM needs to run on a Hyper-V host with Guest integration services enabled. Virt QE (in CC: for this BZ, yacao@, leiwang@,...) can provide a VM for testing, I guess. You'll also need to use an updated kernel to see hv_kvp and hv_vss devices, I plan to put the required patches with https://bugzilla.redhat.com/show_bug.cgi?id=1074407 backport. I'll provide a brew build and hyperv-daemons build for early testing shortly.
Comment 5 Mike McCune 2016-03-28 23:00:31 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 10 xuli 2016-07-19 03:00:23 UTC 
Verify Pass on latest build.
Host: Windows server 2016 TP5
Guest:RHEL7.3 Gen1 (3.10.0-469.el7.x86_64) 
hyperv-daemons-0-0.28.20160216git.el7.x86_64

Verify steps are same with comment 7 described, also do function test of hyperv-daemons, including hypervkvpd, hypervfcopyd,hypervvssd related test cases.
Cover the scenarios mentioned:
1) Be able to get IP information from your host for both static and DHCP cases.
2) Be able to set IP ('ip injection').
3) Be able to set 'Failover IP'.

Note: for different ausearch log after ip-injection, which is tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1349356, so close this bug.
Comment 14 errata-xmlrpc 2016-11-04 02:42:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
Note You need to log in before you can comment on or make changes to this bug.