Bug 860519 - security: support for names on DAC labels
Summary: security: support for names on DAC labels
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libvirt
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Peter Krempa
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-26 03:44 UTC by Wayne Sun
Modified: 2013-02-21 07:24 UTC (History)

Fixed In Version: libvirt-0.10.2-3.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 856951
Environment:
Last Closed: 2013-02-21 07:24:16 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:0276 | 0 | normal | SHIPPED_LIVE | Moderate: libvirt security, bug fix, and enhancement update | 2013-02-20 21:18:26 UTC

Comment 2 Peter Krempa 2012-09-26 09:42:24 UTC
This bug requests adding support for the following usage pattern:

1. start domain with valid user:group
# virsh edit $domain
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:qemu</label>
  </seclabel>
...

2. start domain
# virsh start libvirt_test_api
error: Failed to start domain libvirt_test_api
error: internal error invalid argument: failed to parse DAC seclabel 'qemu:qemu' for domain 'libvirt_test_api'

The current code supports only numerical IDs for the DAC seclabel. A feature to add support for usernames was submitted for upstream review: http://www.redhat.com/archives/libvir-list/2012-September/msg01503.html and is waiting for a final review iteration after the author sends a new version.

Comment 4 Peter Krempa 2012-10-03 10:26:29 UTC
This feature was added upstream by:

commit 0d0a7cdcf5ee64922b5966370833e992afb09eba
Author: Marcelo Cerri <mhcerri.ibm.com>
Date:   Tue Oct 2 14:57:37 2012 -0300

    doc: update description about security labels on formatdomain.html
    
    This patch adds a brief description about labels for each security
    driver.

commit 60469dd10f97fcba60f0eeeae6965b83fbb9d652
Author: Marcelo Cerri <mhcerri.ibm.com>
Date:   Tue Oct 2 14:57:36 2012 -0300

    security: also parse user/group names instead of just IDs for DAC labels
    
    The DAC driver is missing parsing of group and user names for DAC labels
    and currently just parses uid and gid. This patch extends it to support
    names, so the following security label definition is now valid:
    
      <seclabel type='static' model='dac' relabel='yes'>
          <label>qemu:qemu</label>
          <imagelabel>qemu:qemu</imagelabel>
      </seclabel>
    
    When it tries to parse an owner or a group, it first tries to resolve it as
    a name, if it fails or it's an invalid user/group name then it tries to
    parse it as an UID or GID. A leading '+' can also be used for both owner and
    group to force it to be parsed as IDs, so the following example is also
    valid:
    
      <seclabel type='static' model='dac' relabel='yes'>
          <label>+101:+101</label>
          <imagelabel>+101:+101</imagelabel>
      </seclabel>
    
    This ensures that UID 101 and GID 101 will be used instead of a user or
    group named "101".

$ git describe --tags
v0.10.2-89-g0d0a7cd

Comment 12 Jiri Denemark 2012-10-08 13:29:36 UTC
Moving back to ASSIGNED until additional fixes are ready.

Comment 15 Wayne Sun 2012-10-16 03:46:19 UTC
pkgs:
libvirt-0.10.2-3.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.317.el6.x86_64
kernel-2.6.32-279.el6.x86_64

steps:
1. edit domain add following xml:
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:qemu</label>
  </seclabel>
...

2. start domain
# virsh start libvirt_test_api
Domain libvirt_test_api started

# virsh dumpxml libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:qemu</label>
    <imagelabel>qemu:qemu</imagelabel>
  </seclabel>
...

3. add uid:gid with a plus
# virsh destroy libvirt_test_api
Domain libvirt_test_api destroyed

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+107:107</label>
  </seclabel>
...

Domain libvirt_test_api XML configuration edited.

4. start domain and check
# virsh start libvirt_test_api
Domain libvirt_test_api started

# virsh dumpxml libvirt_test_api
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+107:107</label>
    <imagelabel>+107:107</imagelabel>
  </seclabel>

# ps aux|grep libvirt_test_api
qemu     17621 61.3  0.2 1456976 298024 ?      Sl   11:08   0:15 /usr/libexec/qemu-kvm -name libvirt_test_api -S -M rhel6.4.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -uuid 05867c1a-afeb-300e-e55e-2673391ae080 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/libvirt_test_api.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/libvirt-test-api,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=22,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=54:52:00:45:c3:8a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6

# ll -Z /var/lib/libvirt/images/libvirt-test-api 
-rw-r--r--. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c75,c651 /var/lib/libvirt/images/libvirt-test-api

5. mix name with id with plus
# virsh destroy libvirt_test_api
Domain libvirt_test_api destroyed

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:+107</label>
  </seclabel>
... 

6. start and check
# virsh start libvirt_test_api
Domain libvirt_test_api started

# virsh dumpxml libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:+107</label>
    <imagelabel>qemu:+107</imagelabel>
  </seclabel>
...

# ps aux|grep qemu
qemu     18100 11.3  0.2 1385196 289660 ?      Sl   11:14   0:15 /usr/libexec/qemu-kvm -name libvirt_test_api -S -M rhel6.4.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -uuid 05867c1a-afeb-300e-e55e-2673391ae080 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/libvirt_test_api.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/libvirt-test-api,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=22,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=54:52:00:45:c3:8a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6

# ll -Z /var/lib/libvirt/images/
-rw-r--r--. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c7,c786 libvirt-test-api

7. test with non-existent group name or gid
# virsh destroy libvirt_test_api
Domain libvirt_test_api destroyed

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:+1000</label>
  </seclabel>
... 

# virsh start libvirt_test_api
Domain libvirt_test_api started

# virsh dumpxml libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>qemu:+1000</label>
    <imagelabel>qemu:+1000</imagelabel>
  </seclabel>
...

# ll -Z /var/lib/libvirt/images/
-rw-r--r--. qemu 1000 unconfined_u:object_r:svirt_image_t:s0:c196,c515 libvirt-test-api

# ps aux|grep qemu
qemu     18437  4.7  0.2 1383140 330380 ?      Sl   11:18   0:15 /usr/libexec/qemu-kvm -name libvirt_test_api -S -M rhel6.4.0 -enable-kvm -m 1024 -smp 1,sockets=1,cores=1,threads=1 -uuid 05867c1a-afeb-300e-e55e-2673391ae080 -nodefconfig -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/libvirt_test_api.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/libvirt/images/libvirt-test-api,if=none,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=22,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=54:52:00:45:c3:8a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc 127.0.0.1:0 -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6


This is a little unexpected here: group 1000 did not exist on the system, but the domain can start and the image also gets group 1000. Since the gid is not blocking starting the domain here, this could be OK, but later, with a non-existent group name, this fails, so there might be a problem.

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>107:vdsm</label>
  </seclabel>
... 

Domain libvirt_test_api XML configuration edited.

# virsh start libvirt_test_api
error: Failed to start domain libvirt_test_api
error: internal error invalid argument: Failed to parse group 'vdsm'


8. test with invalid uid or user name
Now try with a non-existent uid:
# virsh destroy libvirt_test_api
Domain libvirt_test_api destroyed

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>+36:+1000</label>
  </seclabel>
...
Domain libvirt_test_api XML configuration edited.

# virsh start libvirt_test_api
error: Failed to start domain libvirt_test_api
error: internal error internal error getpwuid_r failed to retrieve data for uid '36'

# virsh edit libvirt_test_api
...
  <seclabel type='static' model='dac' relabel='yes'>
    <label>vdsm:+1000</label>
  </seclabel>
...
Domain libvirt_test_api XML configuration edited.

# virsh start libvirt_test_api
error: Failed to start domain libvirt_test_api
error: internal error invalid argument: Failed to parse user 'vdsm'

This is expected on user uid or name.

Hi Peter,

Can you help explain the problem in step 7 ? 

thanks!

Comment 16 Peter Krempa 2012-10-16 13:25:50 UTC
When using numeric IDs the uid/gid can be changed to any value, even "non-existing" uids/gids. The kernel doesn't care about this behavior as it uses numeric IDs.

When using string names, the names have to be converted to uid/gid first. When doing this, the group must exist to retrieve uid/gid for it before doing the changes to images.

The behavior you encountered is therefore fully expected.
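
The lookup order from the commit message in comment 4 (name first, then number, with a leading '+' forcing a number) and the name-versus-number distinction in comment 16, as an added C example that is not libvirt's code. The names parse_dac_label, resolve_id, lookup_name and sample_db are hypothetical, and the constructed table stands in for the system passwd/group lookups so the block runs offline; it models the parsing rule only.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed account table standing in for passwd/group lookups (assumption). */
struct account { const char *name; unsigned id; };
static const struct account sample_db[] = {
    { "qemu", 107 },
    { "101", 5000 },   /* an account whose name is all digits */
};

/* Returns 0 and sets *id when the name exists in the table, -1 otherwise. */
static int lookup_name(const char *name, unsigned *id)
{
    for (size_t i = 0; i < sizeof(sample_db) / sizeof(sample_db[0]); i++)
        if (strcmp(sample_db[i].name, name) == 0) { *id = sample_db[i].id; return 0; }
    return -1;
}

/* Resolve one half of a label: '+' forces numeric, else name first, then number. */
static int resolve_id(const char *s, unsigned *id)
{
    char *end;
    unsigned long v;

    if (*s == '+') s++;                          /* forced numeric, skip name lookup */
    else if (lookup_name(s, id) == 0) return 0;  /* a matching name wins over a number */
    if (*s < '0' || *s > '9') return -1;         /* unknown name, empty, or signed input */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v > 0xfffffffeUL) return -1;
    *id = (unsigned)v;                           /* numeric ID taken as given, no existence check */
    return 0;
}

/* Parse "owner:group"; returns 0 on success, -1 on a malformed or unknown part. */
int parse_dac_label(const char *label, unsigned *uid, unsigned *gid)
{
    char buf[128];
    char *sep;

    if (strlen(label) >= sizeof(buf)) return -1;
    strcpy(buf, label);
    if (!(sep = strchr(buf, ':'))) return -1;
    *sep = '\0';
    return (resolve_id(buf, uid) || resolve_id(sep + 1, gid)) ? -1 : 0;
}

int main(void) { unsigned u, g; return parse_dac_label("qemu:+107", &u, &g); }
```

With this table, "101:101" resolves to the account named "101" (ID 5000) while "+101:+101" yields ID 101, which is the ambiguity the '+' prefix exists to remove.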

Comment 17 Wayne Sun 2012-10-17 03:30:36 UTC
(In reply to comment #16)
> When using numeric IDs the uid/gid can be changed to any value, even
> "non-existing" uids/gids. The kernel doesn't care about this behavior as it
> uses numeric IDs.
> 
> When using string names, the names have to be converted to uid/gid first.
> When doing this, the group must exist to retrieve uid/gid for it before
> doing the changes to images.
> 
> The behavior you encountered is therefore fully expected.

Thanks for explaining this.
This is fixed.

Comment 18 errata-xmlrpc 2013-02-21 07:24:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0276.html

