Bug 1656738 - selinux block vsock protocol transfer data from guest to host
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On: 1673107 1682526
Reported: 2018-12-06 08:25 UTC by FuXiangChun
Modified: 2019-11-05 22:09 UTC (History)
CC List: 9 users

Last Closed: 2019-11-05 22:09:44 UTC
Type: Bug


Attachments
ausearch output (15.45 KB, text/x-vhdl), 2018-12-06 08:56 UTC, FuXiangChun


Links
Red Hat Product Errata RHBA-2019:3547 (last updated 2019-11-05 22:09:53 UTC)

Comment 1 FuXiangChun 2018-12-06 08:29:14 UTC
Hi Stefan,

please correct me if component is wrong.

Comment 2 Lukas Vrabec 2018-12-06 08:52:52 UTC
Hi, 

Could you reproduce your scenario and then attach output of:

# ausearch -m AVC -m USER_AVC -ts today

Thanks,
Lukas.

Comment 3 FuXiangChun 2018-12-06 08:56:54 UTC
Created attachment 1511997 [details]
ausearch output

Comment 4 Lukas Vrabec 2018-12-06 09:22:47 UTC
Okay, your system is mislabeled. 

Please run:

# restorecon -Rv / 

and repeat the scenario.

Comment 5 FuXiangChun 2018-12-07 05:44:38 UTC
(In reply to Lukas Vrabec from comment #4)
> Okay, your system is mislabeled. 
> 
> Please run:
> 
> # restorecon -Rv / 

 restorecon -Rv / 
Relabeled /boot/loader/entries/cc97fdbdcd3041e7b8d7ee8938049da7-4.18.0-48.el8.x86_64.conf from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
Relabeled /boot/loader/entries/cc97fdbdcd3041e7b8d7ee8938049da7-0-rescue.conf from system_u:object_r:modules_object_t:s0 to system_u:object_r:boot_t:s0
/dev/tty1 not reset as customized by admin to unconfined_u:object_r:user_tty_device_t:s0
Relabeled /home/win2016.qcow2 from unconfined_u:object_r:home_root_t:s0 to unconfined_u:object_r:default_t:s0
Relabeled /run/user/0 from system_u:object_r:tmpfs_t:s0 to system_u:object_r:user_tmp_t:s0
Relabeled /etc/X11/xorg.conf.d/00-keyboard.conf from system_u:object_r:var_lib_t:s0 to system_u:object_r:xserver_etc_t:s0
Relabeled /usr/sbin/dumpe2fs from system_u:object_r:bin_t:s0 to system_u:object_r:fsadm_exec_t:s0
Relabeled /usr/sbin/e2mmpstatus from system_u:object_r:fsadm_exec_t:s0 to system_u:object_r:bin_t:s0

Relabeled /usr/local/lib/python3.6/site-packages/avocado_framework_plugin_result_html-66.0-py3.6.egg from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/PKG-INFO from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/SOURCES.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/dependency_links.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0
Relabeled /usr/local/lib64/python3.6/site-packages/simplejson-3.16.0-py3.6.egg-info/top_level.txt from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:lib_t:s0


> 
> and repeat the scenario.

# ./nc-vsock -l 1234
Connection from cid 2 port 1055...

I can still reproduce this issue.
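
The exchange behind the reproduction above (a `nc-vsock -l 1234` listener accepting a connection; cid 2 is VMADDR_CID_HOST, the host side of a guest/host vsock link), as an added Python example that is not nc-vsock's code and not part of the bug report. It uses the standard library's AF_VSOCK support (Python 3.7 or later on Linux). Assumptions made here and not stated in the bug: both ends run in one process over the vsock loopback cid (1), which needs the vsock_loopback kernel module; the listener echoes what it receives; and when vsock is unavailable the function returns None instead of raising, so it is safe to run anywhere. The echo reply and the None fallback go beyond what comment 5 shows.

```python
"""Minimal vsock listener and client: the exchange nc-vsock -l 1234 performs.

Added example, not nc-vsock's own code and not from the bug report. A real
guest-to-host run targets CID_HOST (2, the cid printed in comment 5); this
self-contained version uses the loopback cid so it runs on one machine.
"""
import socket
import threading
from typing import List, Optional

VSOCK_PORT = 1234                                        # port used in the bug report
CID_HOST = getattr(socket, 'VMADDR_CID_HOST', 2)         # the hypervisor/host side
CID_LOCAL = getattr(socket, 'VMADDR_CID_LOCAL', 1)       # loopback; needs vsock_loopback (assumption)
CID_ANY = getattr(socket, 'VMADDR_CID_ANY', 0xFFFFFFFF)  # bind on every cid, like nc-vsock -l


def vsock_listen(port: int, timeout: float) -> socket.socket:
    """Equivalent of nc-vsock -l PORT: bind a stream vsock on every cid and listen."""
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.settimeout(timeout)
    srv.bind((CID_ANY, port))
    srv.listen(1)
    return srv


def echo_one_connection(srv: socket.socket, timeout: float) -> None:
    """Accept one peer, echo its first message back, then close (runs in a thread).

    With the denial from this bug, recv() on the accepted socket fails with
    EACCES; the OSError is swallowed and the peer simply sees the connection close."""
    try:
        conn, (peer_cid, peer_port) = srv.accept()
    except OSError:
        return                                           # accept timed out or socket closed
    with conn:
        conn.settimeout(timeout)
        print('Connection from cid %d port %d...' % (peer_cid, peer_port))
        try:
            conn.sendall(conn.recv(4096))
        except OSError:
            pass


def vsock_roundtrip(payload: bytes, cid: int = CID_LOCAL, port: int = VSOCK_PORT,
                    timeout: float = 2.0) -> Optional[bytes]:
    """Send payload to (cid, port), return the echoed bytes, or None if vsock is unusable.

    None covers: no AF_VSOCK in this Python, the socket family not available in
    the kernel, nothing reachable at that cid, or a connect/recv timeout."""
    try:
        srv = vsock_listen(port, timeout)
    except (AttributeError, OSError):
        return None
    worker = threading.Thread(target=echo_one_connection, args=(srv, timeout), daemon=True)
    worker.start()
    try:
        with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as cli:
            cli.settimeout(timeout)
            cli.connect((cid, port))
            cli.sendall(payload)
            chunks: List[bytes] = []
            while True:                                  # read until the listener closes
                chunk = cli.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b''.join(chunks)
    except OSError:
        return None
    finally:
        worker.join(timeout)
        srv.close()


if __name__ == '__main__':
    print(vsock_roundtrip(b'hello from guest\n'))
```

To drive a real guest-to-host test, run `vsock_listen()` plus `echo_one_connection()` on the host and call the client half from the guest with `cid=CID_HOST`; under the denial in this bug the host-side recv() is what fails, so the guest gets an empty reply rather than an echo.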

Comment 6 Lukas Vrabec 2018-12-07 12:39:40 UTC
Thanks,


Could you also attach the output of:

# ausearch -m AVC -m USER_AVC -ts today

Thanks,
Lukas.

Comment 7 FuXiangChun 2018-12-10 03:19:13 UTC
Lukas,

This is ausearch output

# ausearch -m AVC -m USER_AVC -ts today
----
time->Mon Dec 10 11:17:28 2018
type=PROCTITLE msg=audit(1544411848.529:82): proctitle=2E2F6E632D76736F636B002D6C00313233
type=SYSCALL msg=audit(1544411848.529:82): arch=c000003e syscall=0 success=no exit=-13 a0=4 a1=7ffe29de8170 a2=1000 a3=fffffffffffff5ea items=0 ppid=6717 pid=6738 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="nc-vsock" exe="/root/nc-vsock" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1544411848.529:82): avc:  denied  { read } for  pid=6738 comm="nc-vsock" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=vsock_socket permissive=0
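
Reading the records above the way the triage in this thread does, as an added Python example that is not from the bug report or from the selinux-policy package: it parses the AVC line into source/target type, class and permissions, decodes the hex-encoded PROCTITLE (auditd hex-encodes argv because it contains NUL separators), and sorts the denial into "unlabeled socket object", "unlabeled file object" or "ordinary policy denial". The point it makes is the one comment 5 already demonstrated: a `vsock_socket` target with `tcontext` type `unlabeled_t` is a kernel object that never received a label, so `restorecon` (which only fixes filesystem labels) cannot change it, and the `allow` rule audit2allow would generate for it is shown only for inspection, since it would grant the domain access to every unlabeled vsock socket. The second AVC record (httpd_t writing a user_home_t file) is constructed for contrast and is not from the bug.

```python
"""Parse SELinux AVC / PROCTITLE audit records and classify the denial.

Added example; not part of the bug report or of the selinux-policy package.
"""
import re
from typing import Dict, List, Optional

# Copied from comment 7 of this bug.
AVC_RECORD = (
    'type=AVC msg=audit(1544411848.529:82): avc:  denied  { read } for  pid=6738 '
    'comm="nc-vsock" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=vsock_socket permissive=0'
)
PROCTITLE_RECORD = (
    'type=PROCTITLE msg=audit(1544411848.529:82): '
    'proctitle=2E2F6E632D76736F636B002D6C00313233'
)
# Constructed for contrast (not from the bug): a file denial whose target has a real label.
FILE_AVC_RECORD = (
    'type=AVC msg=audit(1544411900.000:83): avc:  denied  { write } for  pid=7001 '
    'comm="httpd" name="index.html" dev="dm-0" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"


def context_type(ctx: str) -> str:
    """Return the type (third field) of a user:role:type:range context string."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one AVC record into result, permissions and its key=value fields; None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None                                   # SYSCALL, PROCTITLE, ... are not AVC records
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
        'fields': fields,
    }


def decode_proctitle(line: str) -> List[str]:
    """Recover argv from a PROCTITLE record (hex-encoded, NUL-separated, or plain quoted)."""
    m = re.search(r'proctitle=([0-9A-Fa-f]+)\s*$', line)
    if m is None:
        q = re.search(r'proctitle="([^"]*)"', line)
        return q.group(1).split() if q else []
    raw = bytes.fromhex(m.group(1))
    return [arg.decode('utf-8', 'replace') for arg in raw.split(b'\0') if arg]


def classify(avc: Dict[str, object]) -> Dict[str, str]:
    """Name the kind of fix the denial points at; te_rule is what audit2allow would emit."""
    src = context_type(str(avc['scontext']))
    tgt = context_type(str(avc['tcontext']))
    tclass = str(avc['tclass'])
    rule = 'allow %s %s:%s { %s };' % (src, tgt, tclass, ' '.join(avc['perms']))
    if tgt == 'unlabeled_t' and tclass.endswith('_socket'):
        kind = 'unlabeled_socket'
        hint = ('kernel socket object never received a label: restorecon cannot touch it, '
                'and the rule above would open every unlabeled %s to %s; needs a policy or '
                'kernel fix' % (tclass, src))
    elif tgt == 'unlabeled_t':
        kind = 'unlabeled_file'
        hint = 'filesystem object without a label: check the mount supports labels, then restorecon'
    else:
        kind = 'policy'
        hint = 'labels look sane; decide whether the rule above belongs in policy'
    return {'kind': kind, 'te_rule': rule, 'hint': hint}


if __name__ == '__main__':
    print(decode_proctitle(PROCTITLE_RECORD))
    for rec in (AVC_RECORD, FILE_AVC_RECORD):
        print(classify(parse_avc(rec)))
```

Feed it the output of `ausearch -m AVC -m USER_AVC -ts today` line by line; `parse_avc()` ignores the SYSCALL and PROCTITLE records, and `decode_proctitle()` turns the latter into the command line (`./nc-vsock -l ...`) that confirms which process hit the denial.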

Comment 8 Lukas Vrabec 2018-12-10 12:39:19 UTC
Thanks,


Could you also attach:

# ps -efZ | grep unlabeled

Thanks,
Lukas.

Comment 9 FuXiangChun 2018-12-11 05:32:58 UTC
(In reply to Lukas Vrabec from comment #8)
> Thanks,
> 
> 
> Could you attach also:
> 
> # ps -efZ | grep unlabeled
> 
> Thanks,
> Lukas.

Inside guest:

# ps -efZ | grep unlabeled
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6766 6726  0 13:30 pts/0 00:00:00 grep --color=auto unlabeled

In host:
# ps -efZ | grep unlabeled
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3599 3309  0 00:31 pts/1 00:00:00 grep --color=auto unlabeled

Comment 10 Lukas Vrabec 2018-12-11 14:03:28 UTC
Hmm, this bug will be more complicated. Can you create a VM and allow me to access that machine with root access? 

Thanks,
Lukas.

Comment 21 errata-xmlrpc 2019-11-05 22:09:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547