Bug 2002143
| Summary: | SELinux label for file system.token is wrong if it is generated by virtproxyd | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Fangge Jin <fjin> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | CC: | lizhu, lvrabec, mmalik, pkoncity, ssekidde, xuzhang, yafu |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 9.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-34.1.17-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 15:49:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(09/16/2021 05:27:17.872:2290) : proctitle=/usr/sbin/virtlogd
type=PATH msg=audit(09/16/2021 05:27:17.872:2290) : item=1 name=/run/libvirt/common/system.token inode=2815 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/16/2021 05:27:17.872:2290) : item=0 name=/run/libvirt/common/ inode=2814 dev=00:19 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/16/2021 05:27:17.872:2290) : cwd=/
type=SYSCALL msg=audit(09/16/2021 05:27:17.872:2290) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55c83cf5adb0 a2=O_RDWR|O_CREAT|O_APPEND a3=0x180 items=2 ppid=1 pid=10191 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=virtlogd exe=/usr/sbin/virtlogd subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/16/2021 05:27:17.872:2290) : avc: denied { read append } for pid=10191 comm=virtlogd name=system.token dev="tmpfs" ino=2815 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0
----
# ls -dZ /run/libvirt/common/
system_u:object_r:virt_var_run_t:s0 /run/libvirt/common/
# matchpathcon /run/libvirt/common/
/run/libvirt/common system_u:object_r:virt_common_var_run_t:s0
#
# ps -efZ | grep virt
system_u:system_r:virtlogd_t:s0-s0:c0.c1023 root 7036 1 0 04:55 ? 00:00:00 /usr/sbin/virtlockd
system_u:system_r:virtlogd_t:s0-s0:c0.c1023 root 10191 1 0 05:26 ? 00:00:00 /usr/sbin/virtlogd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 10234 3914 0 05:35 pts/0 00:00:00 grep --color=auto virt
# sesearch -s virtd_t -t virt_var_run_t -c dir -T
type_transition virtd_t virt_var_run_t:dir dnsmasq_var_run_t network;
type_transition virtd_t virt_var_run_t:dir qemu_var_run_t qemu;
type_transition virtd_t virt_var_run_t:dir virt_common_var_run_t common;
type_transition virtd_t virt_var_run_t:dir virt_lxc_var_run_t lxc;
# sesearch -s virtlogd_t -t virt_var_run_t -c dir -T
#

Not sure which process created the /run/libvirt/common/ directory, but my guess is one of the processes labeled virtlogd_t.

# virsh -c qemu+tcp://<ip-address>/system start vmguest
error: Failed to start domain 'vmguest'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

The first part of this step does not work:
3. Set auth_tcp=0 in virtproxyd.conf and start virtproxyd-tcp.socket
It leads to the following message in the journal:
virtproxyd[10117]: 2021-09-16 09:22:57.840+0000: 10117: error : main:918 : Can't load config file: internal error: /etc/libvirt/virtproxyd.conf: expected a string for 'auth_tcp' parameter: /etc/libvirt/virtproxyd.conf
But setting auth_tcp = "none" works as expected.

Because the virtproxyd program is not confined:
# ls -Z `which virtproxyd`
system_u:object_r:bin_t:s0 /usr/sbin/virtproxyd
# matchpathcon `which virtproxyd`
/usr/sbin/virtproxyd system_u:object_r:bin_t:s0
#
the incorrectly labeled /run/libvirt/common directory could have been created by the virtproxyd process, because the appropriate filename transition rule is missing:
# sesearch -s unconfined_service_t -t virt_var_run_t -c dir -T
#

Bug https://bugzilla.redhat.com/show_bug.cgi?id=1854332 was solving confining virtproxyd. After adding this fix to the policy, virtproxyd (/usr/sbin/virtproxyd) should be labeled as virtproxy_exec_t.

@Fangge Jin, I was unable to reproduce the scenario. Even when I install all packages referred to:
dnf install libvirt-client libvirt-daemon libvirt-daemon-driver-interface libvirt-daemon-driver-network libvirt-daemon-driver-nodedev libvirt-daemon-driver-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-driver-secret libvirt-daemon-driver-storage-core
I get just:
# virsh -c qemu+tcp://10.0.139.141/system
error: failed to connect to the hypervisor
error: unable to connect to server at '10.0.139.141:16509': Connection refused
# systemctl status virtlogd
○ virtlogd.service - Virtual machine log manager
Loaded: loaded (/usr/lib/systemd/system/virtlogd.service; indirect; vendor preset: disabled)
Active: inactive (dead)
TriggeredBy: ○ virtlogd.socket
○ virtlogd-admin.socket
Docs: man:virtlogd(8)
https://libvirt.org
Which steps are missing?
For sure we can start with backporting the existing commit (see #c7):
commit 9a1d09d6d42a5e450e721321e4c2d93fbea60423 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Thu Sep 2 15:51:12 2021 +0200
Label /usr/sbin/virtproxyd as virtd_exec_t
@Zdenek Pytela, did you enable the tcp socket?
Set auth_tcp="none" in /etc/libvirt/virtproxyd.conf and start virtproxyd-tcp.socket (systemctl start virtproxyd-tcp.socket)

I followed the instructions, still sometimes get errors I am unable to evaluate. Changing the virtproxyd label seems to help though.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:3918
Description of problem:
SELinux label for file system.token is wrong if it is generated by virtproxyd

Version-Release number of selected component:
libvirt-client-7.6.0-2.el9.x86_64
selinux-policy-34.1.14-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install libvirt freshly or remove dir /run/libvirt/common if it exists
2. Enable modular daemon mode:
systemctl disable libvirtd.service
systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
systemctl enable virtlogd; systemctl enable virtlogd.socket; systemctl start virtlogd.socket
for drv in qemu interface network nodedev nwfilter secret storage proxy; do systemctl unmask virt${drv}d.service; systemctl unmask virt${drv}d{,-ro,-admin}.socket; systemctl enable virt${drv}d.service; systemctl enable virt${drv}d{,-ro,-admin}.socket; systemctl restart virt${drv}d{,-ro,-admin}.socket ; done
3. Set auth_tcp=0 in virtproxyd.conf and start virtproxyd-tcp.socket
4. Connect to virtproxyd (virtlogd.service will be activated automatically):
virsh -c qemu+tcp://10.73.178.89/system
5. Check the system.token label:
# ll /run/libvirt/common/ -Z
total 4
-rw-------. 1 root root system_u:object_r:virt_var_run_t:s0 32 Sep 7 22:02 system.token
6. (restart virtlogd.service if it is active) Try to define and start a guest:
# virsh -c qemu+tcp://10.73.178.89/system define rhel8-temp.xml
Domain 'template' defined from rhel8-temp.xml
# virsh -c qemu+tcp://10.73.178.89/system start template
error: Failed to start domain 'template'
error: can't connect to virtlogd: Unable to open system token /run/libvirt/common/system.token: Permission denied

Actual results:
As in the steps

Expected results:
The label should be:
# ll /run/libvirt/common/ -Z
total 4
-rw-------. 1 root root system_u:object_r:virt_common_var_run_t:s0 32 Sep 7 22:16 system.token

Additional info:
In step 4, if connecting to the qemu driver directly without virtproxyd (virsh -c qemu:///system, virtqemud.service will be activated automatically), the label is correct.
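The mechanism behind this bug is create-time labeling: a new directory or file gets the type named by a matching type_transition rule for the creating domain, and otherwise inherits its parent's type. The following is an added example, not code from this bug report or from libvirt or selinux-policy, that parses the AVC and PATH records quoted above, compares each path's on-disk label with a file-context table, and models which creator domains produce the right label for /run/libvirt/common. The type_transition table is copied from the sesearch output in the comments; the two file-context regexes are a constructed approximation of what matchpathcon resolved on the reporter's machine, not the real policy's file_contexts; the audit lines are trimmed copies of the records at the top of the page.

```python
"""Added example: audit-record parsing plus a model of SELinux create-time labeling.

Not code from the bug report or from libvirt/selinux-policy. The rule table
and file-context patterns are constructed here from the sesearch and
matchpathcon output quoted in the report; the audit lines are trimmed copies
of the records quoted there.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the PATH and AVC records from the report, trimmed.
SAMPLE_AUDIT = """\
type=PATH msg=audit(09/16/2021 05:27:17.872:2290) : item=1 name=/run/libvirt/common/system.token inode=2815 dev=00:19 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_var_run_t:s0 nametype=NORMAL
type=PATH msg=audit(09/16/2021 05:27:17.872:2290) : item=0 name=/run/libvirt/common/ inode=2814 dev=00:19 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_var_run_t:s0 nametype=PARENT
type=AVC msg=audit(09/16/2021 05:27:17.872:2290) : avc: denied { read append } for pid=10191 comm=virtlogd name=system.token dev="tmpfs" ino=2815 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=file permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')


def parse_audit_record(line: str) -> Dict[str, object]:
    """Split one ausearch -i style record into key=value fields; AVC records also get a 'perms' list."""
    rec: Dict[str, object] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


# Copied from the sesearch output in the report:
# (creator domain, parent dir type, class, filename) -> type of the new object.
TYPE_TRANSITIONS = {
    ("virtd_t", "virt_var_run_t", "dir", "network"): "dnsmasq_var_run_t",
    ("virtd_t", "virt_var_run_t", "dir", "qemu"): "qemu_var_run_t",
    ("virtd_t", "virt_var_run_t", "dir", "common"): "virt_common_var_run_t",
    ("virtd_t", "virt_var_run_t", "dir", "lxc"): "virt_lxc_var_run_t",
}


def predict_created_type(creator: str, parent_type: str, tclass: str, name: str) -> str:
    """Label a new object the way the kernel does: a matching type_transition
    wins; without one the object inherits its parent directory's type."""
    return TYPE_TRANSITIONS.get((creator, parent_type, tclass, name), parent_type)


# Constructed approximation of the file-context entries behind the
# matchpathcon result in the report; most specific pattern first.
FILE_CONTEXTS = [
    (re.compile(r"/run/libvirt/common(/.*)?$"), "virt_common_var_run_t"),
    (re.compile(r"/run/libvirt(/.*)?$"), "virt_var_run_t"),
]


def expected_type(path: str) -> Optional[str]:
    """Type the file-context table says `path` should carry, or None if no entry matches."""
    path = path.rstrip("/") or "/"
    for pattern, t in FILE_CONTEXTS:
        if pattern.match(path):
            return t
    return None


def find_label_mismatches(audit_text: str) -> List[Tuple[str, str, str]]:
    """(path, actual type, expected type) for every PATH record whose on-disk
    label disagrees with the file-context table; the same check restorecon -nv makes."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "PATH" or "obj" not in rec:
            continue
        actual = context_type(str(rec["obj"]))
        want = expected_type(str(rec["name"]))
        if want is not None and want != actual:
            findings.append((str(rec["name"]), actual, want))
    return findings


def denial_summary(audit_text: str) -> Optional[Tuple[str, List[str], str, str, str]]:
    """(comm, perms, source type, target type, class) of the first AVC denial, if any."""
    for line in audit_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") == "AVC" and "perms" in rec:
            return (str(rec["comm"]), list(rec["perms"]), context_type(str(rec["scontext"])),
                    context_type(str(rec["tcontext"])), str(rec["tclass"]))
    return None


if __name__ == "__main__":
    print("denial:", denial_summary(SAMPLE_AUDIT))
    for path, actual, want in find_label_mismatches(SAMPLE_AUDIT):
        print(f"mislabeled {path}: {actual}, expected {want}")
    # Why the label came out wrong: only virtd_t has a transition for "common";
    # an unconfined creator leaves the directory, and everything under it, as virt_var_run_t.
    for creator in ("virtd_t", "virtlogd_t", "unconfined_service_t"):
        d = predict_created_type(creator, "virt_var_run_t", "dir", "common")
        f = predict_created_type(creator, d, "file", "system.token")
        print(f"{creator} creates common/ as {d}, system.token inside it as {f}")
```

Run against a real host, the mismatch check is what `restorecon -nv /run/libvirt/common` reports; the transition model is the part sesearch cannot show directly, namely that a missing rule silently degrades to inheritance rather than failing, which is why the wrong label only appears when the directory is first created by a process outside virtd_t.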