Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2015-01-21 Thread Peter Colberg
Dear Maintainer,

librados has been fixed upstream to avoid the execstack flag.

https://github.com/ceph/ceph/commit/5c0562610b059c9c1e2ab16c994749eba07f18aa

http://tracker.ceph.com/issues/10114

https://bugzilla.redhat.com/show_bug.cgi?id=1118504#c29

Could you reassign this bug to ensure it is fixed in jessie?

Regards,
Peter


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-18 Thread Andreas Florath
Hello Mika,

there is also a boolean 'virt_use_execmem' which does
a similar thing (allow execmem and execstack) but in a different
domain: setting this to on also does not change things.

The attached patch solves the problem for me.
I'm not sure why 'execstack' was not included in the appropriate rule
- execmem already is.
Also, I'm not sure whether this can be a general way to fix this:
I do not have enough knowledge about libvirtd.

Nevertheless:
when applying the patch to the selinux-policy-default and installing
the new version, two more errors pop up:

Aug 18 10:31:22 nestor libvirtd[866]: An SELinux policy prevents this sender 
from sending this message to this recipient, 0 matched rules; 
type=method_call, sender=:1.4 (uid=0 pid=866 comm=/usr/sbin/libvirtd ) 
interface=org.freedesktop.login1.Manager member=CanSuspend error 
name=(unset) requested_reply=0 destination=org.freedesktop.login1 (uid=0 
pid=672 comm=/lib/systemd/systemd-logind )
Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management 
capabilities
Aug 18 10:31:22 nestor libvirtd[866]: Unable to open /dev/net/tun, is tun 
module loaded?: No such file or directory

The first one is IMHO a minor problem (it's not nice, but it should run without 
this info).
The second one prevents VMs from being started (therefore it's IMHO an important 
one).

Should I create two new bug reports for these things? (This would IMHO be
better than discussing some problems in the same thread.)

Kind regards

Andre

===


diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index cb868d5..e1a36fb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -412,7 +412,7 @@ corenet_tcp_connect_all_ports(svirt_t)
 #

 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem execstack setexec setfscreate setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
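Review bot: the new `execstack` in `allow virtd_t self:process { ... execmem execstack ... }` is unconditional, so every libvirtd process gets an executable stack for the sake of one dependency (librados, which the thread shows is being fixed upstream to drop the flag); gate it behind a tunable instead (the message above notes that `virt_use_execmem` already toggles execmem/execstack for a related domain) or follow the later suggestion of a dedicated type for such libraries, and add a comment naming the library that needs it so the permission can be removed once the rebuilt librados lands.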





Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-18 Thread Andreas Florath
Hello!

I had a closer look at the libvirt-bin package:

libvirt_driver_storage.so depends on librados.so, which is known
to use execstack:
https://lintian.debian.org/tags/shlib-with-executable-stack.html

root@nestor:~# ldd /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so | grep rados
librados.so.2 => /usr/lib/x86_64-linux-gnu/librados.so.2 (0x7f4dd575d000)
root@nestor:~# execstack -q /usr/lib/x86_64-linux-gnu/librados.so.2
X /usr/lib/x86_64-linux-gnu/librados.so.2

IMHO setting the execstack flag to allow virtd_t self:process is not a good 
idea.
Maybe one possibility is to create a type for those 'special' libraries,
allow execstack for this type and add an appropriate transition?

Kind regards

Andre


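The check in the message above (ldd, then execstack -q on each suspicious library) can be done across a binary's whole dependency list without the execstack tool, because execstack's X marker is just the PF_X bit of the ELF PT_GNU_STACK program header. The following is an added example for this thread, not code from the bug report, the Debian SELinux policy or the execstack tool: it parses ldd output and reads each library's program headers directly. The ldd text and the ELF images are constructed sample data, and the injectable `read` callback is an assumption of this example so the scan can run without real files.

```python
"""Scan a binary's shared-library dependencies for executable stacks by
reading each library's PT_GNU_STACK header (what execstack -q reports as X).

Added example for this thread; not code from the bug report, the Debian
policy or execstack. Sample ldd output and ELF images are constructed."""
import struct

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def gnu_stack_flags(data: bytes):
    """p_flags of the PT_GNU_STACK header, or None if the image has none.
    Handles ELF32/ELF64 and both byte orders."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS
    end = "<" if data[5] == 1 else ">"        # EI_DATA
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                         # p_flags follows p_type in Elf64_Phdr
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                        # p_flags sits near the end of Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, off + flags_off)[0]
    return None

def requires_execstack(data: bytes) -> bool:
    """True if the image asks for an executable stack. A missing
    PT_GNU_STACK counts as executable, the loader's historical x86 default."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def parse_ldd(output: str) -> dict:
    """Map soname -> resolved path from ldd(1) output; skips the vdso,
    the loader line and unresolved ('not found') entries."""
    deps = {}
    for line in output.splitlines():
        name, sep, rest = line.strip().partition("=>")
        path = rest.split()[0] if sep and rest.split() else ""
        if path.startswith("/"):
            deps[name.strip()] = path
    return deps

def find_execstack_libs(ldd_output: str, read=lambda p: open(p, "rb").read()):
    """Sorted paths of dependencies whose headers request an executable stack."""
    return sorted(p for p in parse_ldd(ldd_output).values()
                  if requires_execstack(read(p)))

def build_elf64(stack_flags=None) -> bytes:
    """Construct a minimal little-endian ELF64 image whose only program header
    is PT_GNU_STACK with the given flags (no headers when None). Test data only."""
    phnum = 0 if stack_flags is None else 1
    ehdr = bytearray(64)
    ehdr[0:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                   # ELFCLASS64, LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)          # ET_DYN, EM_X86_64, version
    struct.pack_into("<Q", ehdr, 0x20, 64)                # e_phoff: right after the header
    struct.pack_into("<HHH", ehdr, 0x34, 64, 56, phnum)   # e_ehsize, e_phentsize, e_phnum
    phdr = b"" if phnum == 0 else struct.pack(
        "<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr

# Constructed ldd output modelled on the listing in the message above;
# the addresses and the libc entry are made up.
SAMPLE_LDD = """\
        linux-vdso.so.1 (0x00007ffd8a1fe000)
        librados.so.2 => /usr/lib/x86_64-linux-gnu/librados.so.2 (0x00007f4dd575d000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4dd5380000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f4dd5a00000)
"""
SAMPLE_IMAGES = {
    "/usr/lib/x86_64-linux-gnu/librados.so.2": build_elf64(PF_R | PF_W | PF_X),  # RWE stack
    "/lib/x86_64-linux-gnu/libc.so.6": build_elf64(PF_R | PF_W),                 # RW stack
}

if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:                     # scan a real binary's dependencies
        out = subprocess.run(["ldd", sys.argv[1]], capture_output=True,
                             text=True, check=True).stdout
        print(find_execstack_libs(out))
    else:                                     # demo on the constructed data
        print(find_execstack_libs(SAMPLE_LDD, SAMPLE_IMAGES.__getitem__))
```

Run it with a path argument to scan a real binary; with no argument it reports the constructed librados image only. Two caveats: ldd invokes the dynamic loader, so on a file you do not trust list DT_NEEDED entries with readelf -d instead, and the header is only the library's request, so the final verdict is the RWE flag on the `[stack]` line of /proc/PID/maps of the running daemon.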



Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-17 Thread Mika Pflüger
Hi Andreas,

Andreas Florath an...@flonatel.org wrote:
> avc:  denied  { execstack }

Which SELinux booleans have you set? Does allowing execstack help?
To learn about SELinux booleans, see booleans(8), to see the status of
all booleans, use getsebool -a.
To switch allow_execstack, use setsebool allow_execstack on.

Maybe this helps and it is merely a configuration/documentation issue.

Cheers,

Mika




Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

2014-08-17 Thread Andreas Florath
Hello Mika,

thanks for this hint: but it does not help.

Before I reported the bug, I ran audit2allow
with the AVC. Typically, when an appropriate
boolean exists, this is printed.
In this case, there was no hint to a boolean, just:

#============= virtd_t ==============
allow virtd_t self:process execstack;


I set the boolean now with
  setsebool -P allow_execstack on
and rebooted. (IMHO the -P is needed here, because
the libvirtd is executed directly after boot.)

No changes:
root@nestor:~# getsebool allow_execstack
allow_execstack --> on
root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Kind regards

Andre


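The audit2allow output quoted above is what a maintainer looks at to decide whether a denial is covered by a boolean, needs a policy change, or should be fixed in the offending binary. The following is an added example for this thread, not code from the bug report or from audit2allow itself: it parses raw AVC records and reproduces audit2allow's rule generation (per-domain header, `self` when source and target types match, braces only for multi-permission sets), without the boolean hints, which require the loaded policy. The log lines are constructed; the first mirrors the execstack denial in this thread, the others are made up to show permissions being merged and a non-self target, and the tun_tap_device_t record is a hypothetical modelled on the /dev/net/tun error reported earlier.

```python
"""Render AVC denial records as the allow rules audit2allow would print.

Added example for this thread, not code from the bug report or from
audit2allow; it reproduces only the rule generation, not boolean hints.
The sample records are constructed (timestamps and pids are made up)."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line: str):
    """Extract source type, target type, object class and permissions from
    one AVC record; returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m["scontext"].split(":")[2]       # user:role:TYPE[:level]
    ttype = m["tcontext"].split(":")[2]
    return {"stype": stype, "ttype": ttype,
            "tclass": m["tclass"], "perms": set(m["perms"].split())}

def generate_rules(lines) -> str:
    """Merge denials by (source, target, class) and render them in
    audit2allow's layout: one '#===== domain =====' header per source type,
    'self' when the target type equals the source, braces only for sets."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    out, current = [], None
    for stype, ttype, tclass in sorted(merged):
        if stype != current:
            out.append(f"#============= {stype} ==============")
            current = stype
        target = "self" if ttype == stype else ttype
        perms = sorted(merged[(stype, ttype, tclass)])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_txt};")
    return "\n".join(out)

# Constructed sample records. The first mirrors the thread's execstack
# denial; the execmem one shows merging; the chr_file one is a hypothetical
# denial on /dev/net/tun using refpolicy's tun_tap_device_t type.
SAMPLE_AVC = [
    'type=AVC msg=audit(1408350682.101:45): avc:  denied  { execstack } for  '
    'pid=866 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:system_r:virtd_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1408350682.102:46): avc:  denied  { execmem } for  '
    'pid=866 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:system_r:virtd_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1408350682.103:47): avc:  denied  { read write open } for  '
    'pid=866 comm="libvirtd" name="tun" dev="devtmpfs" '
    'scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0',
    # A non-AVC record, to show it is ignored.
    'type=SYSCALL msg=audit(1408350682.103:47): arch=c000003e syscall=2 success=no',
]

if __name__ == "__main__":
    import sys
    # 'python3 avc2rules.py -' reads records from stdin (e.g. ausearch -m avc output);
    # with no argument it renders the constructed sample.
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_AVC
    print(generate_rules(lines))
```

Reading the generated rule is the point, not applying it: `allow virtd_t self:process execstack;` says the whole daemon domain would gain an executable stack, which is why the thread prefers a library-specific type or the upstream librados fix over loading this rule as a local module.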