Bug 499888 - selinux denials when migration tests over ssh is being done:
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
5.3
All Linux
low Severity high
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE
Depends On:
Blocks:
Reported: 2009-05-08 14:36 EDT by Gurhan Ozen
Modified: 2012-10-15 10:06 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-02 04:00:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments
audit.log of the rhts job when it's run on permissive mode.. (59.70 KB, text/plain)
2009-05-13 00:42 EDT, Gurhan Ozen
Permissive mode audit.log, july 28th 2009 (4.33 KB, text/plain)
2009-07-28 12:24 EDT, Gurhan Ozen

Description Gurhan Ozen 2009-05-08 14:36:42 EDT
Description of problem:

  When running migration operation as part of RHTS, it fails with following selinux denial:

  type=SYSCALL msg=audit(1241560853.309:194): arch=c000003e syscall=59 success=no exit=-13 a0=7fff4667b115 a1=1112b450 a2=7fff4667b8b0 a3=7fff4667d8da items=0 ppid=2009 pid=2013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1241560853.309:194): avc:  denied  { execute } for  pid=2013 comm="virsh" name="ssh" dev=dm-0 ino=2538923 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file

  This doesn't happen when migration is done manually but does happen every time the migration testing is running on rhts as part of the init process.

  It'd be nice to have this fix soon, as this will prevent us from running libvirt migration tests over ssh. 

Version-Release number of selected component (if applicable):
# rpm -qa | egrep "selinux|libvirt" | grep -v rh-tests
libselinux-devel-1.33.4-5.1.el5
libselinux-1.33.4-5.1.el5
libselinux-python-1.33.4-5.1.el5
libselinux-utils-1.33.4-5.1.el5
libvirt-0.3.3-14.el5
selinux-policy-targeted-2.4.6-203.el5
libvirt-0.3.3-14.el5
libselinux-1.33.4-5.1.el5
selinux-policy-2.4.6-203.el5
libvirt-python-0.3.3-14.el5
libselinux-devel-1.33.4-5.1.el5


How reproducible:
Every time on rhts.
Comment 1 Daniel Walsh 2009-05-11 07:58:06 EDT
Can you run the test in permissive mode, to collect all of the AVC messages?
Comment 2 Gurhan Ozen 2009-05-13 00:42:44 EDT
Created attachment 343694 [details]
audit.log of the rhts job when it's run on permissive mode..
Comment 3 Daniel Walsh 2009-05-13 09:50:52 EDT
The log file for this test should not be in /.virtinst/virt.log

If this is just for test output, it should be labeled correctly.

I am adding 

ssh_basic_client_template(xm,xm_t,system_r)

Fixed in selinux-policy-2.4.6-235.el5
Comment 4 Gurhan Ozen 2009-05-13 11:33:49 EDT
virt-install program creates ~/.virtinst/virt.log file.

Since it's running as init, the home dir is /.

Thanks, will try selinux-policy-2.4.6-235.el5 .
Comment 5 Daniel Walsh 2009-05-13 11:55:43 EDT
In order to do testing with SELinux, you need to setup test labeling correctly.

Maybe the HOMEDIR needs to be set as a temporary directory which the test logs.
Comment 14 Daniel Walsh 2009-05-14 14:42:02 EDT
Try selinux-policy-2.4.6-236.el5
Comment 19 Daniel Walsh 2009-05-26 16:25:26 EDT
This home directory is all mislabeled.

restorecon -R -v /root

How did the files get there?

What process put them there, since it did not correct the labeling the test is failing.
Comment 20 Gurhan Ozen 2009-05-26 16:38:36 EDT
They are created earlier in the test when passwordless ssh is set up between the hosts..
Comment 21 Daniel Walsh 2009-05-26 17:38:29 EDT
Well the test should run restorecon on them after creating them


restorecon -R -v  /root
Comment 22 Daniel Walsh 2009-05-26 17:39:00 EDT
Also /home if they are created there.
Comment 24 Daniel Walsh 2009-06-04 15:06:17 EDT
Fixed in selinux-policy-2.4.6-241.el5
Comment 27 Gurhan Ozen 2009-07-22 17:44:17 EDT
Got the following error with selinux-policy-2.4.6-252.el5 :

type=SYSCALL msg=audit(1248209517.092:59): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffd62a7c20 a2=6e a3=0 items=0 ppid=31567 pid=31583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:xm_ssh_t:s0 key=(null)
type=AVC msg=audit(1248209517.092:59): avc:  denied  { search } for  pid=31583 comm="ssh" name="ssh-uhivM30485" dev=dm-0 ino=6750328 scontext=system_u:system_r:xm_ssh_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
Comment 28 Daniel Walsh 2009-07-23 12:18:13 EDT
This looks like the xm_ssh command is being started within the initrc_tmp_t directory, which is causing the application to getattr on the current working directory.  So I think your test is incorrect, could you cd / before executing ssh in the test?
Comment 30 Daniel Walsh 2009-07-27 10:53:17 EDT
This is not a problem of the user context, the problem is the location of where the ssh is being executed I believe.  If you run the test in permissive mode, you might generate additional AVC messages.


Is there a directory in /tmp that is being created by your test?
Comment 31 Gurhan Ozen 2009-07-27 11:16:49 EDT
(In reply to comment #30)
> This is not a problem of the user context,  the problem is the location of
> where the ssh is being executed I believe.  If you run the test in permissive
> mode, you might generate additional AVC message.
> 
> 
> Is there a directory in /tmp that is being created by your test?  

No there is not. However, rhts itself creates log files/dirs inside the /tmp directory.

I will run this in permissive mode to see what else I can get.
Comment 32 Scott Haines 2009-07-28 11:53:02 EDT
Gurhan, any update in permissive mode?
Comment 33 Gurhan Ozen 2009-07-28 12:24:52 EDT
Created attachment 355434 [details]
Permissive mode audit.log, july 28th 2009
Comment 35 Gurhan Ozen 2009-07-29 11:39:53 EDT
Running the test with: 
runcon -t unconfined_t -- virsh migrate ${guest} xen+ssh://root@$remotehost 
instead of 
virsh migrate ${guest} xen+ssh://root@$remotehost

works.
Comment 37 errata-xmlrpc 2009-09-02 04:00:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
