Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2064274 - selinux-policy default has changed to disallow executable stacks by default
Summary: selinux-policy default has changed to disallow executable stacks by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 9.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Jan Fiala
URL:
Whiteboard:
: 2067494 2068609 (view as bug list)
Depends On:
Blocks: TRACKER-bugs-affecting-libguestfs 2013629 2055822 2067494
TreeView+ depends on / blocked
 
Reported: 2022-03-15 13:18 UTC by Xiaodai Wang
Modified: 2022-09-06 09:11 UTC (History)
21 users (show)

Fixed In Version: selinux-policy-34.1.28-1.el9_0
Doc Type: Known Issue
Doc Text:
.Default SELinux policy allows unconfined executables to make their stack executable The default state of the `selinuxuser_execstack` boolean in the SELinux policy is on, which means that unconfined executables can make their stack executable. Executables should not use this option, and it might indicate poorly coded executables or a possible attack. However, due to compatibility with other tools, packages, and third-party products, Red Hat cannot change the value of the boolean in the default policy. If your scenario does not depend on such compatibility aspects, you can turn the boolean off in your local policy by entering the command `setsebool -P selinuxuser_execstack off`.
Clone Of:
: 2067494 (view as bug list)
Environment:
Last Closed: 2022-05-17 15:50:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
SELinux booleans after fresh RHEL 9 install (getsebool -a) (deleted)
2022-03-18 08:38 UTC, Richard W.M. Jones 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-115609 0 None None None 2022-03-15 13:41:30 UTC
Red Hat Product Errata RHBA-2022:3918 0 None None None 2022-05-17 15:50:42 UTC

Internal Links: 2055822

Description Xiaodai Wang 2022-03-15 13:18:40 UTC 
Description of problem:
Cannot convert vmware guest by vddk6.5

Version-Release number of selected component (if applicable):
virt-v2v-1.45.99-1.el9.x86_64
nbdkit-server-1.28.5-1.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
Convert a wmware guest by vddk6.5.

# virt-v2v -i libvirt -ic vpx://root@<ip>/data/<ip>/?no_verify=1 -o null Auto-esx6.0-rhel7.7-raid -it vddk -io vddk-libdir=/root/vddk_libdir/latest -io vddk-thumbprint=xxxx -on Auto-esx6.0-rhel7.7-raid3191 -ip /root/v2v_vpx_passwd
[   0.0] Setting up the source: -i libvirt -ic vpx://root@<ip>/data/<ip>/?no_verify=1 -it vddk Auto-esx6.0-rhel7.7-raid
nbdkit: error: /root/vddk_libdir/vddklib_1/lib64/libvixDiskLib.so.7: cannot open shared object file: No such file or directory

If 'lib64/libvixDiskLib.so.7' is located on a non-standard path you may need to
set libdir=/path/to/vmware-vix-disklib-distrib.

See nbdkit-vddk-plugin(1) man page section "LIBRARY LOCATION" for details.

virt-v2v: error: nbdkit did not start up.  There may be errors printed by 
nbdkit above.

If the messages above are not sufficient to diagnose the problem then add 
the ‘virt-v2v -v -x’ options and examine the debugging output 
carefully.

If reporting bugs, run virt-v2v with debugging enabled and include the 
complete output:

  virt-v2v -v -x [...]

Actual results:


Expected results:


Additional info:
Comment 1 Richard W.M. Jones 2022-03-15 13:27:32 UTC 
A simple reproducer for this is:

# qemu-img create -f vmdk test.vmdk 10M
# nbdkit -fv vddk libdir=/root/vddk_libdir/vddklib_1 file=test.vmdk

where /root/vddk_libdir/vddklib_1 points to VDDK 6.5.

It fails with:

nbdkit: error: /root/vddk_libdir/vddklib_1/lib64/libvixDiskLib.so.7: cannot open shared object file: No such file or directory

(The error message is a bit inaccurate.  What it means is it tried to
load libvixDiskLib.so.7 and then libvixDiskLib.so.6, and both failed,
but it only printed libvixDiskLib.so.7 in the error message)

The real reason for the failure is an SELinux policy decision:

  time->Tue Mar 15 07:51:56 2022
  type=PROCTITLE msg=audit(1647345116.291:4113): proctitle=6E62646B6974002D66760
07664646B006C69626469723D2F726F6F742F7664646B5F6C69626469722F7664646B6C69625F310
066696C653D746573742E766D646B
  type=SYSCALL msg=audit(1647345116.291:4113): arch=c000003e syscall=10 success=
no exit=-13 a0=7ffd79c29000 a1=1000 a2=1000007 a3=7f1bcc2ab000 items=0
ppid=121095 pid=122597 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts2 ses=8 comm="nbdkit" exe="/usr/sbin/nbdkit"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(1647345116.291:4113): avc:  denied  { execstack } for  pid=
122597 comm="nbdkit"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
permissive=0

audit2allow suggests:

  #!!!! This avc can be allowed using the boolean 'selinuxuser_execstack'       
  allow unconfined_t self:process execstack;

Enabling that boolean fixes the problem.

However the boolean seems to have changed in RHEL 9.0 very recently, and it
will undoubtedly break many other things, so this seems wrong.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=2013629
Comment 3 Richard W.M. Jones 2022-03-15 14:02:47 UTC 
See also bug 2055822 which seems to be the root cause.
Comment 5 Richard W.M. Jones 2022-03-18 08:37:28 UTC 
I'm setting this bug as a blocker because the default has clearly
changed to prevent executable stacks.  I just installed a fresh RHEL 9
from Beaker (RHEL-9.0.0-20220318.d.0), then I installed VDDK 6.7.0
and nbdkit, then I ran:

$ qemu-img create test.vmdk -f vmdk 100M
$ nbdkit vddk libdir=~/vddk-6.7.0/vmware-vix-disklib-distrib file=test.vmdk --run 'nbdinfo $uri'

which failed with the characteristic problem with executable stacks.
With later versions of VDDK (which do not have executable stack) this works.

This is an unannounced ABI change.
Comment 7 Richard W.M. Jones 2022-03-18 08:38:29 UTC 
Created attachment 1866564 [details]
SELinux booleans after fresh RHEL 9 install (getsebool -a)
Comment 13 Zdenek Pytela 2022-03-22 11:14:31 UTC 
The execstack permission is required when a process calls the mprotect syscall
on the stack to mark it executable. Such a permission should usually not be
needed as it is a potential security problem, so there are, in general, good
reasons to have it disabled by default. Request for it may indicate a security
issue with the package or library code.

BZ#2055822, cloned from RHEL 8 BZ#2053815, was accepted by SELinux team and the
fix delivered as a part of the latest RHEL 9 selinux-policy build to improve
default security footprint of a fresh RHEL system.
The build exists since 2022-02-24, verified 2022-02-28, that is in time for RHEL 9.0 GA.
Surely it was quite late in the RHEL 9 development stage, but evaluated as so
important thas it was accepted rather for 9.0 GA, than make such a change during
prodcution phase. The only reason is that the initial bug was reported not long ago.

The change was actually a revert of a 2012 dist-git commit which changed the git
default for selinuxuser_execmod and selinuxuser_execstack without any rationale.
Our testing suite covers known scenarios with Red Hat provided software, so the
change passed testing (see #c9) without noticing a problem. It turned out that
there are scenarios which depend on the permission for user executed commands,
therefore the change introduced in bz#2055822 will now be partially reverted,
still leaving the administrators the option to disable related booleans.

Awareness of the impact of the change is one of the outcomes, surely we are
sorry for any inconvinience it may have caused.
BZ#2013629 may look similar, but different and will be closed wontfix.
Comment 19 Zdenek Pytela 2022-03-28 06:47:49 UTC 
*** Bug 2068609 has been marked as a duplicate of this bug. ***
Comment 24 Zdenek Pytela 2022-04-05 13:22:35 UTC 
*** Bug 2067494 has been marked as a duplicate of this bug. ***
Comment 30 errata-xmlrpc 2022-05-17 15:50:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918
Note You need to log in before you can comment on or make changes to this bug.