Bug 1415841 - staff_u cannot access virtual machine guest consoles in libvirt
Summary: staff_u cannot access virtual machine guest consoles in libvirt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Vit Mojzis
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-23 22:04 UTC by Garrett Holmstrom
Modified: 2017-08-01 15:20 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-145.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1402840
Environment:
Last Closed: 2017-08-01 15:20:12 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Garrett Holmstrom 2017-01-23 22:04:42 UTC
+++ This bug was initially created as a clone of Bug #1402840 +++

Description of problem:
Attempt to create or use a vm in virt-manager. It will crash.

type=AVC msg=audit(1481201350.528:800): avc:  denied  { read write } for  pid=12729 comm="virt-manager" path="socket:[120195]" dev="sockfs" ino=120195 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201350.614:801): avc:  denied  { getopt } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201350.614:802): avc:  denied  { setopt } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201352.421:805): avc:  denied  { read } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481201357.405:806): avc:  denied  { write } for  pid=12729 comm="virt-manager" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c41,c348 tclass=unix_stream_socket permissive=1

Comment 1 Garrett Holmstrom 2017-01-23 22:06:20 UTC
Affected package versions:

libvirt-2.0.0-10.el7_3.4.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch


Attempting to connect to a guest's console using virt-manager while enforcing yields the following audit logs, which are currently dontaudited:

type=AVC msg=audit(1485208807.780:7383): avc:  denied  { read write } for  pid=255264 comm="virt-manager" path="socket:[13675099]" dev="sockfs" ino=13675099 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c558,c866 tclass=unix_stream_socket
type=SYSCALL msg=audit(1485208807.780:7383): arch=c000003e syscall=47 success=yes exit=1 a0=f a1=7ffc1012a4f0 a2=40000000 a3=5 items=0 ppid=1 pid=255264 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="virt-manager" exe="/usr/bin/python2.7" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 2 Lukas Vrabec 2017-03-03 19:35:40 UTC
Added all needed rules but also staff_use_svirt  should be turned on.

Comment 15 errata-xmlrpc 2017-08-01 15:20:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.