1456059 – selinux denies virtlogd to read virtlogd.conf

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1456059 - selinux denies virtlogd to read virtlogd.conf

Summary: selinux denies virtlogd to read virtlogd.conf

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-05-26 23:47 UTC by Nicholas Lippis
Modified:	2017-08-30 13:37 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-30 13:37:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Nicholas Lippis 2017-05-26 23:47:36 UTC

Description of problem: KVM vm power on fails because selinux denies virtlogd access to read /etc/libvirt/virtlogd.conf


Version-Release number of selected component (if applicable):
[~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[~]# libvirtd --version
libvirtd (libvirt) 2.0.0

[~]# uname -a
Linux <censored> 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 x86_64 GNU/Linux

[~]# lsb_release
LSB Version:    :core-4.1-amd64:core-4.1-noarch

[~]# rpm -qa selinux-policy
selinux-policy-3.13.1-102.el7.noarch

[~]# rpm -qa selinux-policy-targeted
selinux-policy-targeted-3.13.1-102.el7.noarch


How reproducible: Highly intermittent


Steps to Reproduce:
1. Boot rhel73 machine with libvirt 2.0.0 installed
2. Attempt to power on kvm guest with libvirt python package on rhel73 machine

Actual results: In some cases we see that the power on operation fails 
  File "<censored>/libvirt-python/libvirt.py", line 1035, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirtError: Cannot recv data: Connection reset by peer


Expected results: For the guest vm to power on successfully


Additional info:
The rhel73 kvm hypervisor machine is running as a vm

<snip from /var/log/messages>
8978 May 23 07:16:46 rhel73template virtlogd: 2017-05-23 11:16:46.861+0000: 17682: error : main:1033 : Can't load config file: Failed to open file '/etc/libvirt/virtlogd.conf': Permission denied: /etc/libvirt/virtlogd.conf
 8979 May 23 07:16:46 rhel73template systemd: virtlogd.service: main process exited, code=exited, status=1/FAILURE
 8980 May 23 07:16:46 rhel73template systemd: Unit virtlogd.service entered failed state.
 8981 May 23 07:16:46 rhel73template systemd: virtlogd.service failed.
</snip>

<snip from /var/log/messages>
9019 May 23 07:16:46 rhel73template systemd: start request repeated too quickly for virtlogd.service
 9020 May 23 07:16:46 rhel73template systemd: Failed to start Virtual machine log manager.
 9021 May 23 07:16:46 rhel73template systemd: Unit virtlogd.socket entered failed state.
 9022 May 23 07:16:46 rhel73template systemd: virtlogd.service failed.
 9023 May 23 07:16:46 rhel73template journal: Cannot recv data: Connection reset by peer
 9024 May 23 07:16:46 rhel73template journal: Failed to connect socket to '/var/run/libvirt/virtlogd-sock': Connection refused
</snip>

virtlogd.service was unable to start due to a permission issue when opening its configuration file /etc/libvirt/virtlogd.conf

[~]# systemctl list-unit-files | grep virtlog
virtlogd.service                            indirect
virtlogd.socket                             enabled

Selinux denied access to the file /etc/libvirt/virtlogd.conf
[~]# grep 'virtlogd.conf' var/log/audit/audit.log
type=AVC msg=audit(1495538206.859:6604): avc:  denied  { read } for  pid=17682 comm="virtlogd" name="virtlogd.conf" dev="dm-0" ino=101286598 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

[~]# ls -Z /etc/libvirt/virtlogd.conf
-rw-r--r--. root root system_u:object_r:virtlogd_etc_t:s0 /etc/libvirt/virtlogd.conf

[~]$ grep -ir virtlogd | grep "system_u:object_r:virtlogd_etc_t:s0"
commands/dmesg.txt:[  487.645309] SELinux: inode_doinit_with_dentry:  context_to_sid(system_u:object_r:virtlogd_etc_t:s0) returned 12 for dev=dm-0 ino=101286598
var/log/messages:May 23 07:10:07 rhel73template kernel: SELinux: inode_doinit_with_dentry:  context_to_sid(system_u:object_r:virtlogd_etc_t:s0) returned 12 for dev=dm-0 ino=101286598


[~]# grep virtlogd audit.log | audit2allow -w
type=AVC msg=audit(1495538206.859:6604): avc:  denied  { read } for  pid=17682 comm="virtlogd" name="virtlogd.conf" dev="dm-0" ino=101286598 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

In order to workaround this I created a selinux module policy.  Background on this approach is provided in bug https://bugzilla.redhat.com/show_bug.cgi?id=1377272

[~]# grep virtlogd audit.log | audit2allow -M virtlogd-policy
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i virtlogd-policy.pp

[~]# cat virtlogd-policy.te

module virtlogd-policy 1.0;

require {
    type unlabeled_t;
    type virtlogd_t;
    class file read;
}

#============= virtlogd_t ==============

#!!!! WARNING: 'unlabeled_t' is a base type.
#!!!! The file '/etc/libvirt/virtlogd.conf' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /etc/libvirt/virtlogd.conf
allow virtlogd_t unlabeled_t:file read;

Attempted to run the following command but no output given, meaning that there was nothing to restore
[~]# restorecon -R -v /etc/libvirt/virtlogd.conf

[~]# semodule -i virtlogd-policy.pp

Comment 2 Lukas Vrabec 2017-05-29 10:35:31 UTC

Hi, 

Please run: 
# restorecon -Rv / 

To fix labels on your system and then try to reproduce the scenario. 

Thanks,
Lukas.

Comment 3 Lukas Vrabec 2017-08-30 13:37:06 UTC

We don't have enough info about this issue. Closing.

Note You need to log in before you can comment on or make changes to this bug.