Bug 735442 - Sanlock socket is incorrectly labelled for SELinux
Summary: Sanlock socket is incorrectly labelled for SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Libvirt Maintainers
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-02 16:09 UTC by Daniel Berrangé
Modified: 2011-12-06 11:28 UTC (History)

Fixed In Version: libvirt-0.9.4-8.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 11:28:02 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1513 0 normal SHIPPED_LIVE libvirt bug fix and enhancement update 2011-12-06 01:23:30 UTC

Description Daniel Berrangé 2011-09-02 16:09:41 UTC
Description of problem:
When libvirt is running with sanlock, we intentionally leak the UNIX domain socket to QEMU. Unfortunately the current code incorrectly labels the socket, resulting in an SELinux AVC when starting a guest with sanlock in use.

Version-Release number of selected component (if applicable):
0.9.4-1.el6

How reproducible:
Only if starting a guest with sanlock enabled

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Upstream fix:

commit 64bdec384101f7a5e6989ee871b360c110ade571
Author: Daniel P. Berrange <berrange>
Date:   Fri Aug 26 16:06:31 2011 +0100

    Fix sanlock socket security labelling
    
    It is not possible to change the label of a TCP socket once it
    has been opened. When creating a TCP socket care must be taken
    to ensure the socket creation label is set & then cleared.
    Remove the bogus call to virSecurityManagerSetProcessFDLabel
    from the lock driver guest setup code and instead make use of
    virSecurityManagerSetSocketLabel

Comment 3 Alex Jia 2011-09-09 02:50:05 UTC
It is still a little weird; I also can't reproduce this issue on 0.9.4-1.el6. The following are my steps; maybe I'm missing some important stuff, please correct me if wrong:

# grep "lock_manager" /etc/libvirt/qemu.conf
 lock_manager = "sanlock"

# service libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

# virsh start vr-rhel5u4-x86_64-kvm
error: Failed to start domain vr-rhel5u4-x86_64-kvm
error: internal error unsupported configuration: Read/write, exclusive access, disks were present, but no leases specified

# grep -i avc /var/log/audit/audit.log

Notes: without any "avc:  denied" error.

BTW, do I need to start the sanlock daemon? I tried turning it on/off, and the test result is the same as before; I will research it again.


Alex

Comment 4 Alex Jia 2011-09-09 11:03:59 UTC
I got the following AVC denied errors when I tried the above steps on libvirt-0.9.4-1.el6.x86_64 and libvirt-lock-sanlock-0.9.4-1.el6.x86_64:

# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1315593958.191:44869): avc:  denied  { write } for  pid=21797 comm="qemu-kvm" path="/var/lib/libvirt/images/rhel6.img" dev=sda12 ino=525859 scontext=system_u:system_r:svirt_t:s0:c338,c512 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1315593958.191:44870): avc:  denied  { write } for  pid=21797 comm="qemu-kvm" path="/var/lib/libvirt/images/rhel6.img" dev=sda12 ino=525859 scontext=system_u:system_r:svirt_t:s0:c338,c512 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1315593963.818:44871): avc:  denied  { write } for  pid=21797 comm="qemu-kvm" path="/var/lib/libvirt/images/rhel6.img" dev=sda12 ino=525859 scontext=system_u:system_r:svirt_t:s0:c338,c512 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1315593963.818:44872): avc:  denied  { write } for  pid=21797 comm="qemu-kvm" path="/var/lib/libvirt/images/rhel6.img" dev=sda12 ino=525859 scontext=system_u:system_r:svirt_t:s0:c338,c512 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1315593963.820:44873): avc:  denied  { write } for  pid=21797 comm="qemu-kvm" path="/var/lib/libvirt/images/rhel6.img" dev=sda12 ino=525859 scontext=system_u:system_r:svirt_t:s0:c338,c512 tcontext=system_u:object_r:virt_image_t:s0 tclass=file

Alex->Daniel, I'm not sure whether these AVC denials are the same as yours?

I haven't found any AVC denied on libvirt-0.9.4-11.el6.x86_64, so it's okay for me.

Daniel, if it's fine for you, I will move the bug to VERIFIED status.


Thanks,
Alex

Comment 5 Daniel Berrangé 2011-09-12 16:00:47 UTC
> # virsh start vr-rhel5u4-x86_64-kvm
> error: Failed to start domain vr-rhel5u4-x86_64-kvm
> error: internal error unsupported configuration: Read/write, exclusive access,
> disks were present, but no leases specified

There are two modes of dealing with sanlock: either you can manually add <lease> elements to the XML, or you can ask libvirt to do it automatically. This error message shows that you do not have any <lease> elements, and automatic creation isn't enabled.

To fix this edit /etc/libvirt/qemu-sanlock.conf and enable 

   'auto_disk_leases = 1'

and make sure sanlock is running, and then restart libvirtd.

Comment 6 Alex Jia 2011-09-13 06:23:11 UTC
(In reply to comment #5)

Hi Daniel,
Thanks for your comment, but I still can't reproduce this issue; the following are my steps:

# lsmod | grep softdog
softdog                 3993  2 

# service wdmd start
Starting wdmd:                                             [  OK  ]

# service wdmd status
wdmd (pid 18610) is running...

# service sanlock start
Starting sanlock:                                          [  OK  ]

# service sanlock status
sanlock (pid 18649) is running...

# grep "^auto_disk_leases" /etc/libvirt/qemu-sanlock.conf
auto_disk_leases = 1

Notes: if I enable lock_manager = "sanlock" in qemu.conf and then restart the libvirtd service, libvirtd dies. This is a known bug, so I haven't edited qemu.conf in the following step.

# service libvirtd restart
Stopping libvirtd daemon:                                  [  OK  ]
Starting libvirtd daemon:                                  [  OK  ]

# virsh start vr-rhel5u4-x86_64-kvm
Domain vr-rhel5u4-x86_64-kvm started

Notes: the guest can be started successfully.

# grep -i avc /var/log/audit/audit.log

Notes: without any "avc:  denied" error.


Version-Release number of selected component:

# uname -r
2.6.32-193.el6.x86_64

# rpm -q libvirt
libvirt-0.9.4-1.el6.x86_64

# rpm -q libvirt-lock-sanlock
libvirt-lock-sanlock-0.9.4-1.el6.x86_64


Alex

Comment 7 Daniel Berrangé 2011-09-13 11:20:44 UTC
Here is a better set of steps to reproduce with 0.9.4-7.el6


$ service libvirtd stop
$ yum install /usr/bin/augtool
$ augtool
augtool> set /files/etc/libvirt/qemu.conf/lock_manager "sanlock"
augtool> set /files/etc/libvirt/qemu-sanlock.conf/host_id 1
augtool> set /files/etc/libvirt/qemu-sanlock.conf/auto_disk_leases 1
augtool> set /files/etc/libvirt/qemu-sanlock.conf/disk_lease_dir "/var/lib/libvirt/sanlock"
augtool> save
Saved 1 file(s)
augtool> quit

$ echo 'SANLOCKOPTS="-w 0"' > /etc/sysconfig/sanlock
$ /etc/init.d/sanlock start
Starting sanlock:                                          [  OK  ]
$ ps -axuwf | grep sanlock
root      3953  2.0  5.8 325232 46748 ?        SLsl 12:13   0:00 sanlock daemon -w 0

$ service libvirtd start
Starting libvirtd daemon:                                  [  OK  ]
$ ps -axuwf | grep libvirtd
root      4093 10.5  0.8 387332  6816 ?        Sl   12:14   0:00 libvirtd --daemon


$ qemu-img create /var/lib/libvirt/images/disk.img 100M
Formatting '/var/lib/libvirt/images/disk.img', fmt=raw size=104857600 

$ cat > /root/demo1.xml <<EOF
<domain type='qemu'>
  <name>demo1</name>
  <memory>219200</memory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
    <boot dev='cdrom'/>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/disk.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes' listen='0.0.0.0'/>
  </devices>
</domain>
EOF

$ virsh create demo1.xml
Domain demo1 created from demo1.xml

$ grep AVC /var/log/audit/audit.log 
type=AVC msg=audit(1315912779.785:86598): avc:  denied  { read write } for  pid=4276 comm="qemu-system-x86" path="socket:[2221414]" dev=sockfs ino=2221414 scontext=system_u:system_r:svirt_t:s0:c304,c446 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

Comment 8 Alex Jia 2011-09-14 03:35:37 UTC
I can reproduce this issue on 6.2 Beta with libvirt-0.9.4-1.el6.x86_64 based on the above steps; however, some of the information is different from the above:

# virsh create demo1.xml
error: Failed to create domain from demo1.xml
error: internal error unable to set security context 'system_u:system_r:svirt_t:s0:c268,c763' on fd 3: Operation not permitted

Notes: I can't successfully create a guest here.

# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1315968980.836:47372): avc:  denied  { sigkill } for  pid=28772 comm="sanlock" scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=process

type=AVC msg=audit(1315969130.054:47390): avc:  denied  { kill } for  pid=28772 comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability

Notes: sometimes I can see another AVC denied in addition to the first one.


The selinux issue still exists for libvirt-0.9.4-11.el6.x86_64, which isn't fine for me:

1. # service libvirtd restart

Raw Audit Messages
type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772 comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability

2. # virsh create demo1.xml
error: Failed to create domain from demo1.xml
error: internal error Failed to open socket to sanlock daemon: Operation not permitted

Raw Audit Messages
type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for  pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket

Daniel, please confirm this on libvirt-0.9.4-11.el6.x86_64.


Alex

Comment 9 Daniel Berrangé 2011-09-14 08:18:42 UTC
These two audit messages you see:

type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772
comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0
tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability


type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for 
pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock"
scontext=system_u:system_r:svirt_t:s0:c525,c976
tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket


are both SELinux policy bugs - can you file a new BZ for those against selinux-policy.
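As an added example (not part of this bug thread), a small Python triage of the three AVC records quoted above, attributing them the way Comment 9 does: the svirt_t-to-virtd_t socket denial is the libvirt bug, the other two belong to selinux-policy. The sample log is a constructed copy of the lines in Comments 7 and 8, and the verdict strings are my own labels.

```python
import re

# Constructed sample: the three denials quoted in comments 7 and 8, copied verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315912779.785:86598): avc:  denied  { read write } for  pid=4276 comm="qemu-system-x86" path="socket:[2221414]" dev=sockfs ino=2221414 scontext=system_u:system_r:svirt_t:s0:c304,c446 tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772 comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability
type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for  pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock" scontext=system_u:system_r:svirt_t:s0:c525,c976 tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value possibly quoted

def parse_avc(line):
    """Parse one 'avc: denied' record (None for any other line); contexts are reduced to their type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["serial"] = m.group("serial")
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:range -> type
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def classify(rec):
    """Attribute a denial the way the thread does. Key on context types, not on
    comm: the connectto record says comm="libvirtd" yet runs as svirt_t."""
    s, t, cls = rec["stype"], rec["ttype"], rec["tclass"]
    if s == "svirt_t" and t == "virtd_t" and cls == "unix_stream_socket":
        return "libvirt (this bug): guest reaches a socket still labelled virtd_t"
    if s == t == "sanlock_t" and cls == "capability":
        return "selinux-policy (comment 9): sanlock denied a capability on itself"
    if s == "svirt_t" and t == "sanlock_t" and "connectto" in rec["perms"]:
        return "selinux-policy (bug 738188): connectto to sanlock.sock denied"
    return "unclassified"

def triage(log_text):
    """(audit serial, comm, verdict) for every AVC denial in an audit.log excerpt."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            results.append((rec["serial"], rec["comm"], classify(rec)))
    return results

if __name__ == "__main__":
    for serial, comm, verdict in triage(SAMPLE_AUDIT_LOG):
        print(serial, comm, "->", verdict)
```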

Comment 10 Alex Jia 2011-09-14 10:12:40 UTC
(In reply to comment #9)
> These two audit messages you see:
> 
> type=AVC msg=audit(1315969550.576:47483): avc:  denied  { kill } for  pid=28772
> comm="sanlock" capability=5  scontext=unconfined_u:system_r:sanlock_t:s0
> tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=capability

Sometimes, I can't reproduce this issue, so haven't filed a new bug about it.
> 
> 
> type=AVC msg=audit(1315970963.788:47623): avc:  denied  { connectto } for 
> pid=30081 comm="libvirtd" path="/var/run/sanlock/sanlock.sock"
> scontext=system_u:system_r:svirt_t:s0:c525,c976
> tcontext=unconfined_u:system_r:sanlock_t:s0 tclass=unix_stream_socket
> 
> 
https://bugzilla.redhat.com/show_bug.cgi?id=738188

Daniel, because I haven't seen the "avc:  denied" from Comment 7 on libvirt-0.9.4-11.el6.x86_64 again, can I move the bug to VERIFIED status?

Thanks,
Alex

Comment 11 Alex Jia 2011-09-15 02:27:37 UTC
There is a question here: in fact, the AVC issue I got on libvirt-0.9.4-1.el6.x86_64 was different from yours:

$ grep AVC /var/log/audit/audit.log 
type=AVC msg=audit(1315912779.785:86598): avc:  denied  { read write } for 
pid=4276 comm="qemu-system-x86" path="socket:[2221414]" dev=sockfs ino=2221414
scontext=system_u:system_r:svirt_t:s0:c304,c446
tcontext=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

The above 'comm' is 'qemu-system-x86', which I have never seen; my 'comm' is 'sanlock' (see comment 8). Daniel, maybe I need to retry it on 0.9.4-7.el6? However, IMHO, it should be the same result if 0.9.4-7.el6 hasn't fixed this code.

Except for this, the others are okay for me on libvirt-0.9.4-11.el6.x86_64, and the other 2 selinux issues are selinux-policy bugs, not libvirt.


Thanks,
Alex

Comment 12 Alex Jia 2011-09-28 09:27:04 UTC
I retried this on rhel6.2 beta with libvirt-0.9.4-12.el6.x86_64 and haven't found an AVC denied like Comment 7, so I'm moving the bug to VERIFIED status.

BTW, selinux-policy is 3.7.19-112.el6 version.

Comment 13 errata-xmlrpc 2011-12-06 11:28:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1513.html

