Bug 1632231
| Field | Value |
|---|---|
| Summary | libvirt SELinux policy doesn't allow access to sockets in the home directory |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Richard W.M. Jones <rjones> |
| Component | libvirt |
| Assignee | Peter Krempa <pkrempa> |
| Status | CLOSED WONTFIX |
| QA Contact | mxie <mxie> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 7.6 |
| CC | jdenemar, jsuchane, juzhou, mxie, mzhan, ptoscano, rjones, tzheng, virt-bugs, xiaodwan, xuzhang, yalzhang, zili |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1632220 |
| (unlabeled field) | 1642385 (view as bug list) |
| Environment | |
| Last Closed | 2019-04-24 12:29:28 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 910269, 1642385 |
| Attachments | |
Description
Richard W.M. Jones
2018-09-24 12:13:03 UTC
Easier reproducer would be something like this, run from your home directory:

```
$ nbdkit -U test.sock example1
$ guestfish --ro --format=raw -a nbd://?socket=`pwd`/test.sock run
[...]
Original error from libvirt: internal error: qemu unexpectedly closed the monitor: 2018-09-24T12:18:39.258463Z qemu-kvm: -drive file=/tmp/libguestfs1opfEu/overlay1.qcow2,format=qcow2,if=none,id=drive-scsi0-0-0-0,cache=unsafe: Could not open backing file: Failed to connect socket /home/rjones/test.sock: Permission denied [code=1 int1=-1]
$ killall nbdkit
```

The socket would have to be labeled with a different context, something like unconfined_u:unconfined_r:svirt_image_t:s0:c334,c931, however libvirt should normally take care of labeling it properly. Could you please share the XML passed to libvirt?

Created attachment 1486404 [details]
log
For the XML see the attached log which contains XML + other information.
Created attachment 1486405 [details]
log2
Actually the socket is only mentioned indirectly since it's in the
backing file of the qcow2 overlay we create.
In the second log (attached) we're opening the socket directly so
it appears in the XML - this also fails.
Hi Richard, I note the error info of tps-srpmtest of nbdkit is a little different from comment 0, could you please confirm whether they are the same problem?

The error info of the rebuild test:

```
Original error from libvirt: internal error: process exited while connecting to monitor: libvirt: error : cannot execute binary /usr/libexec/qemu-kvm: Permission denied [code=1 int1=-1]
```

The error info of the selinux test:

```
# The part below is the same as comment 0 #
time->Mon Sep 24 08:11:49 2018
type=PROCTITLE msg=audit(1537791109.043:2138): proctitle=2F7573722F7362696E2F6C69627669727464002D2D74696D656F75743D3330
type=SYSCALL msg=audit(1537791109.043:2138): arch=c000003e syscall=59 success=no exit=-13 a0=7f03dc00bc00 a1=7f03dc00f620 a2=7f03dc009410 a3=8 items=0 ppid=1 pid=25729 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
# But this part is different from comment 0 #
type=AVC msg=audit(1537791109.043:2138): avc: denied { transition } for pid=25729 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="sda2" ino=131758 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_tcg_t:s0:c392,c975 tclass=process
```

Yes it looks different. However I don't have the full log from the TPS test so I don't really know what the problem is there.

Hi Richard, I have attached the related logs, which were obtained from the TPS test, please check, thanks!

Created attachment 1486707 [details]
tps-nbdkit-1.2.6-1.el7.src.rpm-x86_64-rebuild.log
Created attachment 1486708 [details]
tps-selinux.log
Please ignore comments 7-11 as those relate to a different bug.

Anyway, looks like while we are relabeling disk images including the whole backing chain, we don't do so if an nbd unix socket is in the backing chain.

I wonder if this is related to https://github.com/libguestfs/nbdkit/commit/e3ac10ee0aee52a1f5a71bb7a084b359d7603872

Created attachment 1486741 [details]
0001-tests-tls-Use-selinux-label-flag-if-using-SVirt-RHBZ.patch
I think by far the most frustrating and weird thing about this bug is
that it only affects local rpmbuild. Even 'rhpkg local' builds are not
affected, and certainly building from the upstream git repo works just
fine.
Anyway I had the attached patch. However I can no longer test
to see if it fixes the problem or not.
See also bug 1698437 which is similar but slightly different.

This bug is going to be addressed in the next major release within the existing cloned bug.
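The two failure modes in this thread (libvirtd unable to transition into the svirt domain, and a guest refused access to a unix socket that was never relabeled) both surface only as AVC records in the audit log, so the practical first step in triage is to pull the denied permission, source and target types, object class and the decoded PROCTITLE out of those records. The following Python is an added example, not code from the bug report, libvirt or nbdkit. Its sample input is the three audit records quoted above for serial 2138 plus one constructed AVC line (serial 2200, pid 25800, labels svirt_t and user_home_t) that is an assumption of what the socket denial from the reproducer would look like; that line is not in the report. The hint text is derived from the report's own statement that libvirt normally relabels the socket to svirt_image_t with the guest's MCS categories.

```python
import re
from typing import Dict, List, Optional

# Records quoted in the bug report (serial 2138) followed by one CONSTRUCTED
# AVC line (serial 2200) that is NOT from the report: it shows a qemu process
# being refused a unix socket left with its home-directory label.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1537791109.043:2138): proctitle=2F7573722F7362696E2F6C69627669727464002D2D74696D656F75743D3330
type=SYSCALL msg=audit(1537791109.043:2138): arch=c000003e syscall=59 success=no exit=-13 a0=7f03dc00bc00 a1=7f03dc00f620 a2=7f03dc009410 a3=8 items=0 ppid=1 pid=25729 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
type=AVC msg=audit(1537791109.043:2138): avc: denied { transition } for pid=25729 comm="libvirtd" path="/usr/libexec/qemu-kvm" dev="sda2" ino=131758 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:svirt_tcg_t:s0:c392,c975 tclass=process
type=AVC msg=audit(1537791200.000:2200): avc: denied { connectto } for pid=25800 comm="qemu-kvm" path="/home/rjones/test.sock" scontext=system_u:system_r:svirt_t:s0:c334,c931 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=unix_stream_socket
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Split one audit record into type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec: Dict[str, object] = {"type": rtype, "time": float(ts), "serial": int(serial)}
    d = DENIED_RE.search(rest)
    if d:
        rec["denied"] = d.group(1).split()
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def decode_proctitle(hexstr: str) -> List[str]:
    """PROCTITLE carries argv hex-encoded, with NUL separating the arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the part policy rules are written against."""
    return ctx.split(":")[2]


def explain(avc: Dict[str, object]) -> str:
    """Map a denial onto the two failure modes discussed in the report."""
    denied = avc.get("denied", [])
    if avc.get("tclass") == "process" and "transition" in denied:
        return "daemon cannot transition into the guest domain; check libvirtd's own label"
    if avc.get("tclass") == "unix_stream_socket" and "connectto" in denied:
        return "guest refused a unix socket; libvirt would normally relabel it svirt_image_t"
    return "unclassified"


def summarize_denials(log_text: str) -> List[Dict[str, object]]:
    """Group records by serial and emit one summary per AVC denial."""
    events: Dict[int, List[Dict[str, object]]] = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(int(rec["serial"]), []).append(rec)
    out: List[Dict[str, object]] = []
    for serial, recs in sorted(events.items()):
        argv = next((decode_proctitle(str(r["proctitle"]))
                     for r in recs if r["type"] == "PROCTITLE"), None)
        for r in recs:
            if r["type"] != "AVC":
                continue
            out.append({
                "serial": serial,
                "comm": r.get("comm"),
                "denied": r.get("denied", []),
                "tclass": r.get("tclass"),
                "source": context_type(str(r["scontext"])),
                "target": context_type(str(r["tcontext"])),
                "path": r.get("path"),
                "argv": argv,
                "hint": explain(r),
            })
    return out


if __name__ == "__main__":
    for ev in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"{ev['serial']}: {ev['comm']} denied {ev['denied']} on {ev['tclass']} "
              f"{ev['source']} -> {ev['target']} ({ev['path']}): {ev['hint']}")
```

Feed it `ausearch -m AVC,SYSCALL,PROCTITLE --raw` output (or the tps-selinux log attached to the bug) instead of the embedded sample; grouping by serial is what lets the PROCTITLE argv be attached to the denial it belongs to, which matters here because comm="libvirtd" alone does not show the `--timeout=30` invocation used by the test harness.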