Bug 1797899
| Summary: | virt-admin failed to connect virtlogd daemon | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | yafu <yafu> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.2 | CC: | jdenemar, lizhu, lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.5 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-76.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-09 19:42:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Here is a reproducer:
# service virtlogd start
# service virtlogd status
# systemctl enable virtlogd-admin.socket
# systemctl start virtlogd-admin.socket
# systemctl status virtlogd-admin.socket
# virt-admin -c virtlogd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
#
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(02/04/2020 03:01:52.498:344) : proctitle=/usr/sbin/virtlogd
type=PATH msg=audit(02/04/2020 03:01:52.498:344) : item=0 name=/proc/6078/stat nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/04/2020 03:01:52.498:344) : cwd=/
type=SYSCALL msg=audit(02/04/2020 03:01:52.498:344) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55be8c3baa80 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/04/2020 03:01:52.498:344) : avc: denied { search } for pid=5612 comm=virtlogd name=6078 dev="proc" ino=37809 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0
----
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(02/04/2020 03:05:47.764:347) : proctitle=/usr/sbin/virtlogd
type=PATH msg=audit(02/04/2020 03:05:47.764:347) : item=0 name=/proc/6084/stat inode=37875 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/04/2020 03:05:47.764:347) : cwd=/
type=SYSCALL msg=audit(02/04/2020 03:05:47.764:347) : arch=x86_64 syscall=openat success=yes exit=11 a0=0xffffff9c a1=0x55be8c3bb840 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5612 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { open } for pid=5612 comm=virtlogd path=/proc/6084/stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { read } for pid=5612 comm=virtlogd name=stat dev="proc" ino=37875 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { search } for pid=5612 comm=virtlogd name=6084 dev="proc" ino=37864 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1
----
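An added triage helper for the AVC records above (example code written for this page; it is not part of the bug report, of libvirt, or of selinux-policy). It parses the denial lines into (source type, target type, class, permission) tuples and collapses them into allow rules in the shape audit2allow prints, which makes the difference between the enforcing-mode and permissive-mode captures easy to see. The sample lines are copied from the report; the regex, the record type and the function names are this example's own.

```python
"""
AVC triage for the virtlogd -> /proc/<pid>/stat denials (added example).

Enforcing mode logs only the first denial on a path walk (dir search);
permissive mode lets the access proceed and records the whole chain
(dir search, file open, file read). Collapsing both captures shows the
full set of permissions the policy was missing.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Only the fields visible in the report are parsed.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r".*?\bpermissive=(?P<permissive>[01])"
)


class Denial(NamedTuple):
    stype: str        # SELinux type from the source context (3rd field)
    ttype: str        # SELinux type from the target context (3rd field)
    tclass: str       # object class, e.g. dir or file
    perm: str         # single permission, e.g. search
    permissive: bool  # True if logged in permissive mode (access was allowed)


def parse_avc(line: str) -> List[Denial]:
    """Return one Denial per permission in an AVC line, or [] for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return []
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return [
        Denial(stype, ttype, m.group("tclass"), p, m.group("permissive") == "1")
        for p in m.group("perms").split()
    ]


def required_rules(lines: List[str]) -> List[str]:
    """Merge denials per (src, tgt, class) into audit2allow-style allow rules."""
    perms: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in lines:
        for d in parse_avc(line):
            perms[(d.stype, d.ttype, d.tclass)].add(d.perm)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


# AVC lines copied from the report above (comment 1).
ENFORCING_AVCS = [
    'type=AVC msg=audit(02/04/2020 03:01:52.498:344) : avc: denied { search } '
    'for pid=5612 comm=virtlogd name=6078 dev="proc" ino=37809 '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0',
]
PERMISSIVE_AVCS = [
    'type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { open } '
    'for pid=5612 comm=virtlogd path=/proc/6084/stat dev="proc" ino=37875 '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1',
    'type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { read } '
    'for pid=5612 comm=virtlogd name=stat dev="proc" ino=37875 '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1',
    'type=AVC msg=audit(02/04/2020 03:05:47.764:347) : avc: denied { search } '
    'for pid=5612 comm=virtlogd name=6084 dev="proc" ino=37864 '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1',
]

if __name__ == "__main__":
    print("enforcing only:", required_rules(ENFORCING_AVCS))
    print("both captures: ", required_rules(ENFORCING_AVCS + PERMISSIVE_AVCS))
```

Two caveats when reading the output. The enforcing capture yields only `dir search`, because the openat() fails at the first denied step and nothing after it is attempted; switching to permissive mode, as the report does, is what exposes the `file { open read }` that a local module would also need. And a rule generated this way is scoped to `unconfined_t` only, whereas the fix that closed this bug is titled "Allow virtlogd_t read process state of user domains", i.e. it covers any user domain that may connect to the admin socket, not just the one that happened to appear in the audit log.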
There are in fact 2 different admin sockets:
# ls /usr/lib/systemd/system/*virt*admin*socket
/usr/lib/systemd/system/virtlockd-admin.socket
/usr/lib/systemd/system/virtlogd-admin.socket
#
but both services are labeled the same way:
# matchpathcon /usr/sbin/virtlockd
/usr/sbin/virtlockd	system_u:object_r:virtlogd_exec_t:s0
# matchpathcon /usr/sbin/virtlogd
/usr/sbin/virtlogd	system_u:object_r:virtlogd_exec_t:s0
#
that's why it does not matter if virtlockd-admin.socket or virtlogd-admin.socket is used, because SELinux denials which are triggered have the same scontext= and tcontext= values as in comment#1.

# rpm -qa selinux\* libvirt\* | sort
libvirt-admin-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-bash-completion-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-daemon-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
libvirt-libs-4.5.0-38.module+el8.2.0+5435+dd02dc4c.x86_64
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch
# virt-admin -c virtlockd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
# virt-admin -c virtlogd:/system
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
#

According to the AVCs virtlogd reads /proc/$PID/stat to get the startup time of the process connecting to it via a UNIX socket. This is apparently needed for polkit checks as explained in the commit which introduced this 7 years ago (at that time virtlogd did not exist and the code was used only by libvirtd):
commit 979e9c56a7aadf2dcfbddd1abfbad594b78b4468
Author: Daniel P. Berrangé <berrange>
AuthorDate: Thu Apr 25 17:05:00 2013 +0100
Commit: Daniel P. Berrangé <berrange>
CommitDate: Wed May 8 10:47:45 2013 +0100
Include process start time when doing polkit checks
Since PIDs can be reused, polkit prefers to be given
a (PID,start time) pair. If given a PID on its own,
it will attempt to lookup the start time in /proc/pid/stat,
though this is subject to races.
It is safer if the client app resolves the PID start
time itself, because as long as the app has the client
socket open, the client PID won't be reused.
Signed-off-by: Daniel P. Berrange <berrange>
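As an added illustration of the mechanism described in the comment above (this is example code written for this page, not libvirt's implementation), here is how a daemon derives the (PID, start time) pair that polkit prefers for a unix-process subject. The start time is field 22 of /proc/<pid>/stat, which is exactly the file the AVCs show virtlogd_t being denied. The sample stat line is constructed, not captured from the reporter's system; polkit's unix-process subject keys pid and start-time are real, while the function names and the ProcStart record are this example's own.

```python
"""
(PID, start time) lookup for polkit subjects (added example, not libvirt code).

polkit accepts a bare PID but, since PIDs are reused, prefers a
(pid, start-time) pair. The peer's start time lives in field 22 of
/proc/<pid>/stat, in clock ticks since boot. A confined daemon can only
perform this read if its SELinux domain may search the /proc/<pid>
directory and open/read the stat file of the peer's domain.
"""
import os
from typing import List, NamedTuple, Optional


class ProcStart(NamedTuple):
    pid: int
    start_ticks: int      # field 22 of /proc/<pid>/stat, ticks since boot
    start_seconds: float  # the same value divided by CLK_TCK


def parse_stat_line(line: str) -> List[str]:
    """Split a /proc/<pid>/stat line into fields, numbered as in proc(5).

    Field 2 (comm) is parenthesised and may itself contain spaces or ')',
    so a plain str.split() mis-numbers every later field. Splitting at the
    last ')' is the robust approach.
    """
    head, sep, tail = line.rpartition(")")
    if not sep:
        raise ValueError("malformed stat line: no closing ')'")
    pid_str, _, comm = head.partition("(")
    return [pid_str.strip(), comm] + tail.split()


def start_time_from_stat(pid: int, line: str, clk_tck: int = 100) -> ProcStart:
    """Extract the start time for `pid` from its stat line."""
    fields = parse_stat_line(line)
    if int(fields[0]) != pid:
        raise ValueError("stat line belongs to a different pid")
    start_ticks = int(fields[21])  # field 22, 'starttime'
    return ProcStart(pid, start_ticks, start_ticks / clk_tck)


def read_peer_start_time(pid: int) -> Optional[ProcStart]:
    """Read the live /proc/<pid>/stat of a connected peer.

    Returns None when the read is denied or the peer is already gone. With a
    policy lacking the fix from this bug, a confined virtlogd_t gets EACCES
    here; the report shows the admin connection being dropped as a result.
    """
    try:
        with open(f"/proc/{pid}/stat") as f:
            line = f.read()
    except (PermissionError, FileNotFoundError):
        return None
    return start_time_from_stat(pid, line, os.sysconf("SC_CLK_TCK"))


def polkit_unix_process_subject(ps: ProcStart) -> dict:
    """Shape of the 'unix-process' subject passed to polkit's
    CheckAuthorization: pid (uint32) and start-time (uint64, in ticks)."""
    return {"kind": "unix-process", "pid": ps.pid, "start-time": ps.start_ticks}


# Constructed sample (not from the bug's system). The comm field deliberately
# contains a space and a ')' to exercise the parser; starttime is 123456.
SAMPLE_STAT = (
    "6084 (virt admin)) S 1 6084 6084 0 -1 4194560 1201 0 0 0 12 4 0 0 20 0 1 0 "
    "123456 17285120 1501 18446744073709551615 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 "
    "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
)

if __name__ == "__main__":
    ps = start_time_from_stat(6084, SAMPLE_STAT)
    print(polkit_unix_process_subject(ps))
    print("self:", read_peer_start_time(os.getpid()))
```

The point of resolving the start time on the daemon side, as the quoted commit explains, is that the daemon still holds the peer's socket while it does the lookup, so the PID cannot have been recycled in the meantime. The cost is that the daemon's domain now needs read access to the process state of every domain that may connect, which is the policy gap this bug fixed.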
The bug appeared by testing with:
libvirt-4.3.0-1.el7.x86_64
qemu-kvm-rhev-2.10.0-21.el7_5.3.x86_64

refer to the duplicate bug: Bug #1582414

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/818

Commit to backport:
commit 42d1f02477ddb7d44bb1da61366fb55c657ecd1f (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Fri Jul 30 15:03:18 2021 +0200
Allow virtlogd_t read process state of user domains
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:4420
Description of problem:
virt-admin failed to connect virtlogd daemon

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-38.el8.noarch
libvirt-6.0.0-2.module+el8.2.0+5513+34927b6c.x86_64

How reproducible:
100%

Steps to Reproduce:
1. #virt-admin -c virtlogd:///socket
error: Failed to connect to the admin server
error: Cannot recv data: Connection reset by peer
2. Check the syslog:
#cat /var/log/messages
Feb 4 02:37:33 * journal[3929]: Failed to open file '/proc/6237/stat': Permission denied
Feb 4 02:37:37 * setroubleshoot[6265]: SELinux is preventing virtlogd from search access on the directory 6237. For complete SELinux messages run: sealert -l 5259ac6d-f639-4ad0-b1cd-b88228286e93
Feb 4 02:37:37 * platform-python[6265]: SELinux is preventing virtlogd from search access on the directory 6237.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that virtlogd should be allowed search access on the 6237 directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'virtlogd' --raw | audit2allow -M my-virtlogd#012# semodule -X 300 -i my-virtlogd.pp#012
3.

Actual results:
virt-admin failed to connect virtlogd daemon.

Expected results:
virt-admin should connect virtlogd daemon successfully.

Additional info:
Audit message:
type=AVC msg=audit(1580801853.336:2564): avc: denied { search } for pid=3929 comm="virtlogd" name="6237" dev="proc" ino=117626 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=0