Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1007309
Summary: | selinux unpredictably disallows access to socket | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-74.4.fc19 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-09-23 00:33:41 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 910269 |
Description
Richard W.M. Jones
2013-09-12 09:09:41 UTC
Labels of sockets etc: libguestfs: drwxr-xr-x. rjones rjones unconfined_u:object_r:user_tmp_t:s0 . libguestfs: drwxrwxr-x. rjones rjones system_u:object_r:tmp_t:s0 .. libguestfs: srwxrwxr-x. rjones rjones unconfined_u:object_r:user_tmp_t:s0 console.sock libguestfs: srwxrwxr-x. rjones rjones unconfined_u:object_r:user_tmp_t:s0 guestfsd.sock libguestfs: -rw-------. rjones rjones unconfined_u:object_r:user_tmp_t:s0 scratch.1 libguestfs: -rw-r--r--. rjones rjones unconfined_u:object_r:user_tmp_t:s0 snapshot2 libguestfs: -rwxrwxr-x. rjones rjones unconfined_u:object_r:user_tmp_t:s0 umask-check audit2allow suggests: #============= unconfined_t ============== allow unconfined_t svirt_socket_t:unix_stream_socket connectto; Which raises some questions ... Surely unconfined can connect to anything (that being the point of unconfined)? Any why does this work some of the time but then suddenly stop working? 180c1f664e6f1950cb721a9dab34c1261b07a321 fixes this in git. The problem is we did not have any attributes on svirt_socket_t, so we did not define any relationship between unconfined_t and svirt_socket_t. By adding a domain_type(svirt_socket_t) we define this as a label on a process (which is not quite correct) but it at least gets it to work. Execute the following to get it working on your system, until the update arrives. # cat myvirt.te policy_module(myvirt, 1.0) gen_require(` type svirt_socket_t; ') domain_type(svirt_socket_t) # make -f /usr/share/selinux/devel/Makefile # semodule -i myvirt.pp Why it was working in the past and does not now, I don't know, unless there was a new version of libvirt? Thanks, I can confirm that your workaround worked. I'm not sure why it just started happening. Although I didn't upgrade anything, it is possible that I restarted the libvirtd service, implicitly updating it to a newer version in the process. - - - As an aside, this is on a ppc64 box which has a few peculiarities of its own. It's big endian, 64 bit, and naked 'char' is unsigned (not signed as most other places). On this box, audit2allow prints: security: ebitmap: map size 256 does not match my size 64 (high bit was 216) I wonder if that's an endianness bug? Back ported. selinux-policy-3.12.1-74.4.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.4.fc19 Package selinux-policy-3.12.1-74.4.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.4.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-17007/selinux-policy-3.12.1-74.4.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-74.4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |