Bug 755535 - RFE: security: don't change owner/label unless it's needed for launching qemu (like for /dev/sr0)
RFE: security: don't change owner/label unless it's needed for launching qemu...
Status: NEW
Product: Virtualization Tools
Classification: Community
Component: libvirt (Show other bugs)
unspecified
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Libvirt Maintainers
abrt_hash:fa0344e188cf72546e973ddb607...
: Reopened
: 795100 824137 826299 842831 871790 909590 1246247 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-21 07:18 EST by Ankur Sinha (FranciscoD)
Modified: 2016-04-18 21:12 EDT (History)
26 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-15 09:56:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ankur Sinha (FranciscoD) 2011-11-21 07:18:15 EST
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.1-2.fc16.x86_64
reason:         SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0.
time:           Mon Nov 21 17:47:57 2011

description:
:SELinux is preventing /lib/systemd/systemd-logind from 'setattr' accesses on the blk_file sr0.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that systemd-logind should be allowed setattr access on the sr0 blk_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep systemd-logind /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:systemd_logind_t:s0
:Target Context                system_u:object_r:virt_content_t:s0
:Target Objects                sr0 [ blk_file ]
:Source                        systemd-logind
:Source Path                   /lib/systemd/systemd-logind
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           systemd-37-3.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-55.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.1-2.fc16.x86_64 #1 SMP Mon Nov
:                              14 15:46:10 UTC 2011 x86_64 x86_64
:Alert Count                   2
:First Seen                    Sun 20 Nov 2011 23:31:06 IST
:Last Seen                     Sun 20 Nov 2011 23:31:28 IST
:Local ID                      c6520185-4c09-4717-9d0f-0f97a0a03b58
:
:Raw Audit Messages
:type=AVC msg=audit(1321812088.936:518): avc:  denied  { setattr } for  pid=1035 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1144 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file
:
:
:type=SYSCALL msg=audit(1321812088.936:518): arch=x86_64 syscall=setxattr success=yes exit=0 a0=b57b40 a1=3c1b005d2b a2=b58340 a3=2c items=0 ppid=1 pid=1035 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
:
:Hash: systemd-logind,systemd_logind_t,virt_content_t,blk_file,setattr
:
:audit2allow
:
:#============= systemd_logind_t ==============
:allow systemd_logind_t virt_content_t:blk_file setattr;
:
:audit2allow -R
:
:#============= systemd_logind_t ==============
:allow systemd_logind_t virt_content_t:blk_file setattr;
:
Comment 1 Daniel Walsh 2011-11-23 09:56:06 EST
We have the following

sesearch -A -s systemd_logind_t -c blk_file -p setattr --dontaudit
Found 1 semantic av rules:
   allow systemd_logind_t removable_device_t : blk_file setattr ; 


But I am not sure what we should do here, since this /dev/sr0 is being used by a virtual machine.
Comment 2 Miroslav Grepl 2012-03-15 09:56:14 EDT
Should be fixed in the latest release.
Comment 3 Sylvain Petreolle 2012-04-15 17:04:10 EDT
I got this alert today, has the new policy already been released ?
I have done all the updates for fc16 stable.
Comment 4 Miroslav Grepl 2012-04-16 05:50:23 EDT
Could you add your output of

$ rpm -q selinux-policy
Comment 5 Miroslav Grepl 2012-04-16 05:50:56 EDT
And also AVC msgs which you are getting.
Comment 6 Sylvain Petreolle 2012-04-16 11:12:27 EDT
Here are my version info and AVC msgs:

[syl@virt assembly]$ rpm -q selinux-policy
selinux-policy-3.10.0-80.fc16.noarch

Raw Audit Messages
type=AVC msg=audit(1334439780.545:17200): avc:  denied  { setattr } for  pid=6233 comm="systemd-logind" name="sr0" dev=devtmpfs ino=1191 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=blk_file


type=SYSCALL msg=audit(1334439780.545:17200): arch=x86_64 syscall=setxattr success=yes exit=0 a0=6623d0 a1=3828805d2b a2=664810 a3=24 items=0 ppid=1 pid=6233 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-logind exe=2F6C69622F73797374656D642F73797374656D642D6C6F67696E64202864656C6574656429 subj=system_u:system_r:systemd_logind_t:s0 key=(null)
Comment 7 Miroslav Grepl 2012-04-17 05:00:29 EDT
We have 

dev_setattr_all_chr_files(systemd_logind_t)

but this is used by a virtual machine I would dontaudit it.
Comment 8 Daniel Walsh 2012-04-17 16:59:21 EDT
The real bug is that libvirt relabeled the device to virt_conten_t rather then its default label, which should be 

matchpathcon /dev/sr0
/dev/sr0	system_u:object_r:removable_device_t:s0
Comment 9 Cole Robinson 2012-06-07 16:31:25 EDT
*** Bug 824137 has been marked as a duplicate of this bug. ***
Comment 10 Cole Robinson 2012-06-07 16:36:17 EDT
*** Bug 795100 has been marked as a duplicate of this bug. ***
Comment 11 Cole Robinson 2012-10-20 18:30:19 EDT
svirt guests are already allowed to read removable_device_t, right? So maybe the fix here is to not relabel devices we can already access. Not sure if that's considered insecure WRT svirt though, or if we can even determine the list of labels that we shouldn't need to change.

Besides that the only solutions I can see are 1) starting to restore label on disks marked <readonly/>, telling any affected users that their shared images need to have <shareable/>, or 2) 'that's what happens when you use svirt and a shared system device, sorry'

danpb any thoughts
Comment 12 Cole Robinson 2012-10-21 17:07:31 EDT
*** Bug 826299 has been marked as a duplicate of this bug. ***
Comment 13 Daniel Walsh 2012-10-24 15:57:54 EDT
Yes I agree a readonly device is probably going to be shared so we should not be relabeling it.
Comment 14 Miroslav Grepl 2013-02-11 07:31:30 EST
*** Bug 909590 has been marked as a duplicate of this bug. ***
Comment 15 Fedora End Of Life 2013-07-03 19:44:17 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 16 Cole Robinson 2013-07-11 14:16:52 EDT
*** Bug 871790 has been marked as a duplicate of this bug. ***
Comment 17 Cole Robinson 2013-07-11 14:24:21 EDT
Still not fixed, but this is basically a bigger problem that should be tracked upstream.
Comment 18 Cole Robinson 2016-04-14 16:04:50 EDT
*** Bug 1246247 has been marked as a duplicate of this bug. ***
Comment 19 Cole Robinson 2016-04-14 16:08:17 EDT
The proper fix IMO is for libvirt to not change the label for readonly disk images, if it's already labelled in such a way that we can already access it. I previously outlined on this upstream mailing list:

https://www.redhat.com/archives/libvir-list/2015-April/msg01400.html

Repurposing this bug to track that work
Comment 20 Cole Robinson 2016-04-14 16:09:13 EDT
*** Bug 842831 has been marked as a duplicate of this bug. ***
Comment 21 Kapoios Kanenas 2016-04-17 10:37:26 EDT
Description of problem:
Just inserted an CD ROM

Version-Release number of selected component:
selinux-policy-3.13.1-158.12.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.6-301.fc23.x86_64
type:           libreport

Note You need to log in before you can comment on or make changes to this bug.