Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Dear Maintainer,

librados has been fixed upstream to avoid the execstack flag.

https://github.com/ceph/ceph/commit/5c0562610b059c9c1e2ab16c994749eba07f18aa
http://tracker.ceph.com/issues/10114
https://bugzilla.redhat.com/show_bug.cgi?id=1118504#c29

Could you reassign this bug to ensure it is fixed in jessie?

Regards,
Peter

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Hello Mika,

there is also a boolean 'virt_use_execmem' which does a similar thing (allow execmem and execstack) but in a different domain: setting this to on also does not change things.

The attached patch solves the problem for me. I'm not sure why the 'execstack' was not included in the appropriate rule - execmem is already. And also I'm not sure if this can be a general way to fix this: I do not have enough knowledge about libvirtd.

Nevertheless: when applying the patch to the selinux-policy-default and installing the new version, two more errors pop up:

Aug 18 10:31:22 nestor libvirtd[866]: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type=method_call, sender=:1.4 (uid=0 pid=866 comm=/usr/sbin/libvirtd ) interface=org.freedesktop.login1.Manager member=CanSuspend error name=(unset) requested_reply=0 destination=org.freedesktop.login1 (uid=0 pid=672 comm=/lib/systemd/systemd-logind )
Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management capabilities
Aug 18 10:31:22 nestor libvirtd[866]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory

The first one is IMHO a minor problem (it's not nice, but it should run without this info). The second one prevents VMs from being started (therefore it's IMHO an important one).

Should I create two new bug reports for these things? (This would IMHO be better than discussing some problems in the same thread.)

Kind regards
Andre

===
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index cb868d5..e1a36fb 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te
@@ -412,7 +412,7 @@ corenet_tcp_connect_all_ports(svirt_t) # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem execstack setexec setfscreate setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen };
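Review bot: the `+allow virtd_t self:process { ... execmem execstack ... }` line grants the whole libvirtd domain the right to make its own stack executable unconditionally, which papers over the object that actually needs it (the thread identifies librados.so.2, pulled in via libvirt_driver_storage.so, and notes that librados has since been fixed upstream). If the permission is kept at all, it should be gated behind a tunable so it can be switched off once the fixed library is packaged, and the line should carry a comment naming the dependency that requires it so the widening is not left in the policy indefinitely; otherwise drop the hunk in favour of the librados fix.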
Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Hello!

I had a closer look at the libvirt-bin package: libvirt_driver_storage.so depends on librados.so, which is known to use execstack:

https://lintian.debian.org/tags/shlib-with-executable-stack.html

root@nestor:~# ldd /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so | grep rados
librados.so.2 => /usr/lib/x86_64-linux-gnu/librados.so.2 (0x7f4dd575d000)
root@nestor:~# execstack -q /usr/lib/x86_64-linux-gnu/librados.so.2
X /usr/lib/x86_64-linux-gnu/librados.so.2

IMHO setting the execstack flag to allow virtd_t self:process is not a good idea. Maybe one possibility is to create a type for those 'special' libraries, allow execstack for this type and add an appropriate transition?

Kind regards
Andre
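The ldd/execstack check in the message above, as an added example that is not part of the bug report and not code from libvirt, ceph or execstack(8). It reads the PT_GNU_STACK program header directly, which is what `execstack -q` and lintian's shlib-with-executable-stack tag look at, and walks `ldd` output so a whole connection driver can be checked in one run. Only ELF64 little-endian objects (x86_64, as in the report) are decoded. The sample ldd output and the minimal ELF images built by `make_elf` are constructed for the example. Background for why this matters to SELinux: when glibc loads an object whose GNU_STACK header carries PF_X, it calls mprotect() to make the stack executable, and that mprotect is the operation SELinux reports as an `execstack` denial against the loading domain.

```python
"""Find shared objects that demand an executable stack (added example)."""
import struct
import subprocess
import sys

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack flags
PF_X = 0x1                  # executable bit in p_flags

def stack_flags(data):
    """p_flags of PT_GNU_STACK, or None when the object has no such header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is decoded here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)            # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # e_phentsize, e_phnum
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def classify(data):
    """Same marks as `execstack -q`: X executable, - non-executable, ? no header.
    An object without PT_GNU_STACK gets the loader's historical default,
    which is an executable stack, so '?' deserves the same attention as 'X'."""
    flags = stack_flags(data)
    if flags is None:
        return "?"
    return "X" if flags & PF_X else "-"

def parse_ldd(text):
    """Resolved library paths from ldd(1) output; skips the vdso, the dynamic
    loader line and 'not found' entries."""
    paths = []
    for line in text.splitlines():
        if "=>" not in line:
            continue
        target = line.split("=>", 1)[1].strip()
        path = target.split(" (", 1)[0].strip()
        if path.startswith("/"):
            paths.append(path)
    return paths

def make_elf(phdrs):
    """Minimal ELF64 LE image with the given (p_type, p_flags) program headers.
    Constructed test data so the module runs offline; not a real library."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return ehdr + body

# Constructed ldd output in the shape of the report's `ldd ... | grep rados` run.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3a9f8000)
\tlibrados.so.2 => /usr/lib/x86_64-linux-gnu/librados.so.2 (0x00007f4dd575d000)
\tlibmissing.so.1 => not found
\t/lib64/ld-linux-x86-64.so.2 (0x00007f4dd6000000)
"""

def check_tree(path):
    """Classify `path` and every library ldd resolves for it. Returns a list of
    (mark, path) pairs; objects that cannot be read or decoded are marked 'E'."""
    ldd = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    results = []
    for p in [path] + parse_ldd(ldd.stdout):
        try:
            with open(p, "rb") as f:
                results.append((classify(f.read()), p))
        except (OSError, ValueError):
            results.append(("E", p))
    return results

if __name__ == "__main__":
    # e.g. python3 check_execstack.py /usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
    for target in sys.argv[1:]:
        for mark, p in check_tree(target):
            print(mark, p)
```

Run it against a driver .so and any line starting with `X` (or `?`) is a dependency that will trigger the `execstack` denial when the daemon's domain loads it; that is the object to fix or relink, rather than the domain to widen.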
Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Hi Andreas,

Andreas Florath an...@flonatel.org wrote:
> avc: denied { execstack }

Which SELinux booleans have you set? Does allowing execstack help?

To learn about SELinux booleans, see booleans(8), to see the status of all booleans, use getsebool -a. To switch allow_execstack, use setsebool allow_execstack on.

Maybe this helps and it is merely a configuration/documentation issue.

Cheers,
Mika
Bug#758464: [DSE-Dev] Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing
Hello Mika,

thanks for this hint: but it does not help.

Before I reported the bug, I ran audit2allow with the AVC. Typically, when an appropriate boolean exists, this is printed. In this case, there was no hint to a boolean, just:

#============= virtd_t ==============
allow virtd_t self:process execstack;

I set the boolean now with setsebool -P allow_execstack on and rebooted. (IMHO the -P is needed here, because the libvirtd is executed directly after boot.) No changes:

root@nestor:~# getsebool allow_execstack
allow_execstack --> on
root@nestor:~# virsh -c qemu:///system list
error: failed to connect to the hypervisor
error: no connection driver available for qemu:///system

Kind regards
Andre
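The audit2allow step from the message above, as an added example that is not part of the bug report and not audit2allow's own code: a minimal re-implementation of its rule-generation stage, enough to see how the denial turns into `allow virtd_t self:process execstack;` and how several denials against the same source, target and class are merged into one rule. The audit lines are constructed for the example (the thread only shows the truncated `avc: denied { execstack }` fragment); the pid and comm are taken from the libvirtd log lines in the thread, and the security contexts are assumed. Boolean suggestions are deliberately left out: audit2allow derives them from the loaded policy, which this example does not read.

```python
"""Turn SELinux AVC denials into audit2allow-style allow rules (added example)."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"   # requested permissions
    r".*?scontext=(?P<scon>\S+)"                    # source security context
    r"\s+tcontext=(?P<tcon>\S+)"                    # target security context
    r"\s+tclass=(?P<tclass>\S+)"                    # object class
)

def type_of(context):
    """The type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line into (source type, target type, class, perms);
    returns None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m.group("scon")), type_of(m.group("tcon")),
            m.group("tclass"), frozenset(m.group("perms").split()))

def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class), as
    audit2allow does. A target of the same type as the source is written as
    'self'. Returns {source domain: [rules]} with deterministic ordering."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    grouped = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        grouped[stype].append(f"allow {stype} {target}:{tclass} {perm_str};")
    return dict(grouped)

def format_te(grouped):
    """Render the rules in the per-domain block layout audit2allow prints."""
    out = []
    for stype, rules in grouped.items():
        out.append(f"#============= {stype} ==============")
        out.extend(rules)
    return "\n".join(out)

# Constructed sample audit records (contexts assumed; pid/comm from the thread).
# The second record is there only to show merging into one rule.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1408350682.123:45): avc:  denied  { execstack } for  pid=866 '
    'comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:system_r:virtd_t:s0 tclass=process',
    'type=AVC msg=audit(1408350682.124:46): avc:  denied  { execmem } for  pid=866 '
    'comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 '
    'tcontext=system_u:system_r:virtd_t:s0 tclass=process',
    'Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management capabilities',
]

if __name__ == "__main__":
    print(format_te(allow_rules(SAMPLE_AUDIT)))
```

Feed it `ausearch -m avc` output (or `/var/log/audit/audit.log`) on stdin-style line lists and it prints the same skeleton audit2allow does; the absence of a boolean in that output, as in the report, means no tunable in the loaded policy covers the denial, so toggling `allow_execstack` cannot help that domain.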