[Bug 1228540] New: [SELinux] avc during boot for int-xenstore-d and qemu-system-i386
https://bugzilla.suse.com/show_bug.cgi?id=1228540

            Bug ID: 1228540
           Summary: [SELinux] avc during boot for int-xenstore-d and qemu-system-i386
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: conde.philippe@skynet.be
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 876364
  --> https://bugzilla.suse.com/attachment.cgi?id=876364&action=edit
output of command ausearch

I have a server with the latest openSUSE Tumbleweed and with KDE. I have a VM (with openSUSE Tumbleweed also) that I start with virtmgr when needed. I have activated SELinux in permissive mode on the host following your advice:
https://en.opensuse.org/Portal:SELinux/Setup#Tumbleweed

hpprol2:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
hpprol2:~ #

hpprol2:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : security:SELinux
Name           : selinux-policy
Version        : 20240729-249.1
Arch           : noarch
Vendor         : obs://build.opensuse.org/security:SELinux
Installed Size : 28.3 KiB
Installed      : Yes
Status         : up-to-date
Source package : selinux-policy-20240729-249.1.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration

I boot the Xen kernel and receive the errors during boot.
As far as I see, the problem is with the directory /var/lib/xen, which is labeled as:

hpprol2:~ # ls -dZ /var/lib/xen
system_u:object_r:xend_var_lib_t:s0 /var/lib/xen
hpprol2:~ # ls -lZ /var/lib/xen/*
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0  209 Jul 30 10:24 /var/lib/xen/userdata-d.0.00000000-0000-0000-0000-000000000000.libxl-json
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0  209 Jul 30 10:24 /var/lib/xen/userdata-d.1.00000000-0000-0000-0000-000000000000.libxl-json
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2257 Jul  5 22:43 /var/lib/xen/userdata-d.2.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2121 Jul  5 22:43 /var/lib/xen/userdata-d.2.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2257 Jul  5 12:01 /var/lib/xen/userdata-d.3.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2181 Jul  5 12:01 /var/lib/xen/userdata-d.3.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2257 Mar 17 11:47 /var/lib/xen/userdata-d.4.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2121 Mar 17 11:47 /var/lib/xen/userdata-d.4.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2257 Oct 20  2023 /var/lib/xen/userdata-d.8.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------. 1 root root system_u:object_r:xend_var_lib_t:s0 2121 Oct 20  2023 /var/lib/xen/userdata-d.8.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json

I attach the output of ausearch -ts today -m avc related to this problem.

Version of xen-tools:

Information for package xen-tools:
----------------------------------
Repository     : Main Repository (OSS)
Name           : xen-tools
Version        : 4.18.2_06-2.1
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 2.8 MiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : xen-4.18.2_06-2.1.src
Upstream URL   : http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
Summary        : Xen Virtualization: Control tools for domain 0

My VM definition /etc/libvirt/libxl/opensusetumbleweed.xml:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit opensusetumbleweed
or other application using the libvirt API.
-->

<domain type="xen">
  <name>opensusetumbleweed</name>
  <uuid>c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad</uuid>
  <metadata>
    <libosinfo:libosinfo>
      <libosinfo:os id="http://opensuse.org/opensuse/tumbleweed"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit="KiB">2097152</memory>
  <currentMemory unit="KiB">2097152</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os>
    <type arch="x86_64" machine="xenfv">hvm</type>
    <loader type="rom">/usr/lib/xen/boot/hvmloader</loader>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset="utc"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/lib/xen/bin/qemu-system-i386</emulator>
    <disk type="block" device="disk">
      <driver name="phy" type="raw"/>
      <source dev="/dev/disk/by-id/scsi-3600508b1001c21d488c454a46bc39f22-part1"/>
      <target dev="hda" bus="ide"/>
      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
    </disk>
    <disk type="block" device="cdrom">
      <driver name="qemu" type="raw"/>
      <source dev="/dev/sr0"/>
      <target dev="hdb" bus="ide"/>
      <readonly/>
      <address type="drive" controller="0" bus="0" target="0" unit="1"/>
    </disk>
    <controller type="xenbus" index="0"/>
    <controller type="ide" index="0"/>
    <interface type="bridge">
      <mac address="00:16:3e:9c:13:3e"/>
      <source bridge="br0"/>
    </interface>
    <serial type="pty">
      <target port="0"/>
    </serial>
    <console type="pty">
      <target type="serial" port="0"/>
    </console>
    <input type="mouse" bus="ps2"/>
    <input type="keyboard" bus="ps2"/>
    <graphics type="vnc" port="-1" autoport="yes">
      <listen type="address"/>
    </graphics>
    <video>
      <model type="vga" vram="16384" heads="1" primary="yes"/>
    </video>
    <memballoon model="xen"/>
  </devices>
</domain>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Philippe Condé <conde.philippe@skynet.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[SELinux] avc during boot   |[SELinux] avc during boot
                   |for int-xenstore-d and      |for init-xenstore-d and
                   |qemu-system-i386            |qemu-system-i386
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c3

--- Comment #3 from Philippe Condé <conde.philippe@skynet.be> ---
(In reply to Johannes Segitz from comment #2)
> The directory listing for /var/lib/xen looks a bit weird. For me there are
> other directories in there. Is that all the content you see?
> Is that the host itself running on XEN?
> Please provide the output of rpm -qa | grep xen
> Thanks

Content of /var/lib/xen:

hpprol2:/var/lib/xen # ls -alZ
total 64
drwxr-xr-x.  6 root root system_u:object_r:xend_var_lib_t:s0      4096 Jul 30 14:30 .
drwxr-xr-x. 81 root root system_u:object_r:var_lib_t:s0           4096 Jun  3 22:52 ..
drwx------.  2 root root system_u:object_r:xend_var_lib_t:s0      4096 Jul  3 20:41 dump
drwx------.  2 root root system_u:object_r:xen_image_t:s0         4096 Jul  3 20:41 images
drwx------.  2 root root system_u:object_r:xend_var_lib_t:s0      4096 Jul  3 20:41 save
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0       209 Jul 30 10:24 userdata-d.0.00000000-0000-0000-0000-000000000000.libxl-json
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0       209 Jul 30 10:24 userdata-d.1.00000000-0000-0000-0000-000000000000.libxl-json
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2257 Jul 30 14:30 userdata-d.2.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2121 Jul 30 14:30 userdata-d.2.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2257 Jul  5 12:01 userdata-d.3.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2181 Jul  5 12:01 userdata-d.3.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2257 Mar 17 11:47 userdata-d.4.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2121 Mar 17 11:47 userdata-d.4.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2257 Oct 20  2023 userdata-d.8.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libvirt-xml
-rw-------.  1 root root system_u:object_r:xend_var_lib_t:s0      2121 Oct 20  2023 userdata-d.8.c33dd6e1-0a2d-4a5a-9f8b-9f3d804840ad.libxl-json
drwx------.  2 root root system_u:object_r:xend_var_lib_t:s0      4096 Jul  3 20:41 xenpaging
hpprol2:/var/lib/xen #

All the directories are empty.

Yes, this is on the Xen server dom0.

hpprol2:~ # rpm -qa | grep xen
patterns-server-xen_tools-20210330-8.3.x86_64
libvirt-daemon-xen-10.5.0-1.1.x86_64
xen-doc-html-4.18.2_06-2.1.x86_64
grub2-x86_64-xen-extras-2.12-22.1.noarch
xen-libs-4.18.2_06-2.1.x86_64
grub2-x86_64-xen-2.12-22.1.noarch
xen-tools-4.18.2_06-2.1.x86_64
xen-4.18.2_06-2.1.x86_64
patterns-server-xen_server-20210330-8.3.x86_64
hpprol2:~ #

I use the disk sdc as home for the VM; this disk is not mounted.

hpprol2:/var/lib/xen/xenpaging # lsblk
NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda      8:0    0   300G  0 disk
├─sda1   8:1    0    12G  0 part [SWAP]
├─sda2   8:2    0   120G  0 part /
└─sda4   8:4    0   168G  0 part /home
sdb      8:16   0   300G  0 disk
├─sdb1   8:17   0   100G  0 part /srv
├─sdb2   8:18   0   100G  0 part /var
├─sdb3   8:19   0    50G  0 part /local
└─sdb4   8:20   0    50G  0 part /opt
sdc      8:32   0 238,1G  0 disk
└─sdc1   8:33   0   238G  0 part
sr0     11:0    1  1024M  0 rom
sr1     11:1    1  1024M  0 rom

Regards
Philippe
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c5

--- Comment #5 from Philippe Condé <conde.philippe@skynet.be> ---
(In reply to Johannes Segitz from comment #4)
> I can't easily recreate this as I don't use xen. But it seems that our
> xenstore places files in /var/lib/xen instead of /var/lib/xenstored.
> I had a quick look at the packaging and the sources, but it's not exactly a
> small package, so let me get the maintainer to chime in.
> @Charles: Do you know why xenstore uses /var/lib/xen instead of
> /var/lib/xenstored
> @Philippe: Please provide a listing of /var/lib/xenstored

It is empty. Here is the output for /var/lib/xenstored:

hpprol2:~ # ls -alZ /var/lib/xenstored
total 8
drwxr-xr-x.  2 root root system_u:object_r:xenstored_var_lib_t:s0 4096 Jul  3 20:41 .
drwxr-xr-x. 81 root root system_u:object_r:var_lib_t:s0           4096 Jun  3 22:52 ..
hpprol2:~ #
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c7

--- Comment #7 from Philippe Condé <conde.philippe@skynet.be> ---
(In reply to Johannes Segitz from comment #6)
> I think that these userdata-d.0.00000000-0000-0000-0000-000000000000.libxl-json
> files should be in /var/lib/xenstored. They then would have
> xenstored_var_lib_t as a type and it should work, but lets wait for Charles

I didn't change anything in the xen config. The VM was defined via virtmgr after installing the VM tools via YaST. The only change that I did was on the boot of the dom0 server. This server has 16 GB memory and I allowed only 2 GB of memory for the Xen VM using a "dom0_mem" parameter in grub:

    /boot/xen-4.18.2_06-2.gz placeholder dom0_mem=13312M,max:13312M vga=gfx-1024x768x16 ${xen_rm_opts}

I have also seen that starting the VM via virtmgr gives a lot of avc. I'll open an additional report for this.

Regards
Philippe
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c10

--- Comment #10 from Philippe Condé <conde.philippe@skynet.be> ---
Created attachment 876577
  --> https://bugzilla.suse.com/attachment.cgi?id=876577&action=edit
full output of journalctl -b

It is dom0 that is producing the errors. I attach here the output of journalctl; denial messages are coming at about line 3100. I'll also attach the output of dmesg, but I did not see therein any error related to SELinux denials.

Regards
Philippe

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c11

--- Comment #11 from Philippe Condé <conde.philippe@skynet.be> ---
Created attachment 876578
  --> https://bugzilla.suse.com/attachment.cgi?id=876578&action=edit
dmesg output

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c12

--- Comment #12 from Philippe Condé <conde.philippe@skynet.be> ---
Created attachment 876579
  --> https://bugzilla.suse.com/attachment.cgi?id=876579&action=edit
output ausearch raw

The related output of ausearch -ts today -m avc --raw.

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c13

--- Comment #13 from Philippe Condé <conde.philippe@skynet.be> ---
Here are the running processes related to xen:

hpprol2:/etc/sysconfig # ps -ef | grep xen | grep -v grep
root       100     2  0 07:57 ?        00:00:00 [xenbus]
root       101     2  0 07:57 ?        00:00:00 [xenwatch]
root       114     2  0 07:57 ?        00:00:00 [xen-balloon]
root      1374     1  0 07:58 ?        00:00:00 /usr/sbin/xenconsoled -i --log= --log-dir=/var/log/xen/console
root      1390     1  0 07:58 ?        00:00:00 /usr/bin/qemu-system-i386 -xen-domid 0 -xen-attach -name dom0 -nographic -M xenpv -daemonize -monitor /dev/null -serial /dev/null -parallel /dev/null -nodefaults -no-user-config -pidfile /run/xen/qemu-dom0.pid
root      2055     1  0 07:58 ?        00:00:00 /usr/sbin/virtxend --timeout 120
hpprol2:/etc/sysconfig #
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c15

--- Comment #15 from Philippe Condé <conde.philippe@skynet.be> ---
I have generated via audit2allow different SELinux modules for:

1. init-xenstore-d -> allow access to xend_var_lib_t for xenstored_t

    module my-init-xenstore-d 1.0;

    require {
        type xenstored_t;
        type xend_var_lib_t;
        class dir { add_name remove_name search write };
        class file { create getattr lock open read rename unlink write };
    }

    #============= xenstored_t ==============
    allow xenstored_t xend_var_lib_t:dir { add_name remove_name search write };
    allow xenstored_t xend_var_lib_t:file { create getattr lock open read rename unlink write };

2. xl -> allow access to xen_device_t for virsh_t

    module my-xl 1.0;

    require {
        type virsh_t;
        type xen_device_t;
        class chr_file { getattr ioctl map open read write };
    }

    #============= virsh_t ==============
    allow virsh_t xen_device_t:chr_file { getattr ioctl map open read write };

I activated these two *.pp files. After that there remain only denials for qemu-system-i386. See the attached output. What seems strange is that the comm value is sometimes truncated to "tem-i386" and to "qemu-system-i38".

If I generate a module via audit2allow, it allows access to io_ring_t, qemu_exec_t, xen_device_t and xenstored_var_run for init_t; this seems a bit large an allow.

Another thing that I see is that the denied accesses for udevadm are gone.

Regards

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c16

--- Comment #16 from Philippe Condé <conde.philippe@skynet.be> ---
Created attachment 876860
  --> https://bugzilla.suse.com/attachment.cgi?id=876860&action=edit
ausearch with 2 additional modules installed (xl and init-xenstore-d)

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c20

--- Comment #20 from Philippe Condé <conde.philippe@skynet.be> ---
Created attachment 876874
  --> https://bugzilla.suse.com/attachment.cgi?id=876874&action=edit
New ausearch with xen 4.19.0

Today there was a new xen and I see 4 more denials related to comm="xen-9pfsd". In the xen changelog:

    "* Add a new 9pfs backend running as a daemon in dom0. First user is
    Xenstore-stubdom now being able to support full Xenstore trace capability."

I suppose that some changes are needed for this.

Many thanks in advance
Philippe

https://bugzilla.suse.com/show_bug.cgi?id=1228540#c26

--- Comment #26 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1228540) was mentioned in
https://build.opensuse.org/request/show/1198426 Factory / selinux-policy
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c29

Philippe Condé <conde.philippe@skynet.be> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(carnold@suse.com) |

--- Comment #29 from Philippe Condé <conde.philippe@skynet.be> ---
Hello,

Do you have any news for this problem? I still have "denied" errors at boot time for the dom0 server:

hpprol2:~ # ausearch -ts boot | grep -i denied
type=AVC msg=audit(1730402738.246:35): avc: denied { create } for pid=1419 comm="init-xenstore-d" name="userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:36): avc: denied { read write open } for pid=1419 comm="init-xenstore-d" path="/var/lib/xen/userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" dev="sdb2" ino=4719235 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:37): avc: denied { lock } for pid=1419 comm="init-xenstore-d" path="/var/lib/xen/userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" dev="sdb2" ino=4719235 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:38): avc: denied { getattr } for pid=1419 comm="init-xenstore-d" path="/var/lib/xen/userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" dev="sdb2" ino=4719235 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:39): avc: denied { rename } for pid=1419 comm="init-xenstore-d" name="userdata-n.1.00000000-0000-0000-0000-000000000000.libxl-json" dev="sdb2" ino=4719263 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:40): avc: denied { unlink } for pid=1419 comm="init-xenstore-d" name="userdata-d.1.00000000-0000-0000-0000-000000000000.libxl-json" dev="sdb2" ino=4719273 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
hpprol2:~ #

I installed the latest SELinux packages:

hpprol2:~ # zypper info selinux-policy
Loading repository data...
Reading installed packages...

Information for package selinux-policy:
---------------------------------------
Repository     : security:SELinux
Name           : selinux-policy
Version        : 20241031-296.2
Arch           : noarch
Vendor         : obs://build.opensuse.org/security:SELinux
Installed Size : 25.0 KiB
Installed      : Yes
Status         : up-to-date
Source package : selinux-policy-20241031-296.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git

Many thanks in advance
Philippe
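The audit2allow modules posted in comment #15 and the raw AVC records in comment #29 are the same data seen from two sides: each record carries a source type, a target type, an object class and a set of permissions, and audit2allow simply unions the permissions per (source, target, class) tuple and prints allow rules. The script below, added here as an illustration and not part of openSUSE's selinux-policy, of audit2allow or of the Xen packages, does that reduction over a few constructed records that follow the shape of the ones quoted above (the dir denial and the SYSCALL line are invented for the sample). Two practitioner caveats it makes visible: every record here says permissive=1, so nothing was actually blocked, and a rule set derived from such logs grants exactly what was observed, which is why the init_t rules mentioned in comment #15 deserved a second look rather than installation. It also checks the comm field: the kernel keeps process names in a 16-byte buffer including the terminator, so "init-xenstore-d" and "qemu-system-i38" are 15-character truncations, not different programs. Function and variable names are mine.

```python
"""Reduce SELinux AVC denial records to type-enforcement allow rules.

Added example for this bug thread; not code from selinux-policy, audit2allow
or Xen. The sample records are constructed to match the records quoted in
comment #29; the dir denial and the SYSCALL line are invented.
"""
import re
from collections import defaultdict, namedtuple

# The kernel stores a task's name in a 16-byte buffer (TASK_COMM_LEN) that
# includes the NUL terminator, so comm= can show at most 15 characters.
TASK_COMM_MAX = 15

Denial = namedtuple("Denial", "serial perms comm scontext tcontext tclass permissive")

# One AVC record: "avc: denied { perms } for pid=... comm="..." ... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

# Constructed sample input (shape of the records in comment #29).
SAMPLE_AVC = """\
type=AVC msg=audit(1730402738.246:35): avc:  denied  { create } for  pid=1419 comm="init-xenstore-d" name="userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:36): avc:  denied  { read write open } for  pid=1419 comm="init-xenstore-d" path="/var/lib/xen/userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock" dev="sdb2" ino=4719235 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402738.253:40): avc:  denied  { unlink } for  pid=1419 comm="init-xenstore-d" name="userdata-d.1.00000000-0000-0000-0000-000000000000.libxl-json" dev="sdb2" ino=4719273 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730402740.001:41): avc:  denied  { write add_name } for  pid=1419 comm="init-xenstore-d" name="xen" dev="sdb2" ino=4719000 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xend_var_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1730402738.253:36): arch=c000003e syscall=257 success=yes exit=5
"""


def parse_avc(text):
    """Return a Denial for every AVC record in text; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            serial=int(m.group("serial")),
            perms=frozenset(m.group("perms").split()),
            comm=m.group("comm"),
            scontext=m.group("scontext"),
            tcontext=m.group("tcontext"),
            tclass=m.group("tclass"),
            permissive=m.group("permissive") == "1",
        ))
    return denials


def type_of(context):
    """user:role:type:level -> type (the part TE rules are written against)."""
    return context.split(":")[2]


def blocked(denials):
    """Denials that were actually enforced (permissive=0); empty on a permissive host."""
    return [d for d in denials if not d.permissive]


def summarise(denials):
    """Union the permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(type_of(d.scontext), type_of(d.tcontext), d.tclass)].update(d.perms)
    return rules


def te_rules(summary):
    """Render the summary as sorted 'allow' statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


def te_module(name, summary):
    """Render a complete .te module (require block plus allow rules) for checkmodule."""
    types = sorted({s for s, _, _ in summary} | {t for _, t, _ in summary})
    classes = defaultdict(set)
    for (_, _, c), p in summary.items():
        classes[c].update(p)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + te_rules(summary)
    return "\n".join(lines) + "\n"


def comm_may_be_truncated(comm):
    """True when comm fills the kernel buffer and so may be a cut-off name."""
    return len(comm) >= TASK_COMM_MAX


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    print(f"{len(found)} AVC records, {len(blocked(found))} actually blocked")
    for comm in sorted({d.comm for d in found}):
        if comm_may_be_truncated(comm):
            print(f'comm="{comm}" is {TASK_COMM_MAX} chars: probably truncated')
    print(te_module("my_init_xenstore_d", summarise(found)))
```

Fed the real ausearch --raw output instead of SAMPLE_AVC, the tuples it prints are the ones to review one by one against what the daemon should legitimately touch; a tuple such as xenstored_t writing into xend_var_lib_t is a labeling or packaging question (the thread's own conclusion is that the files belong under /var/lib/xenstored), not something a local module should paper over.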
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c30

Cathy Hu <cathy.hu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(carnold@suse.com)

--- Comment #30 from Cathy Hu <cathy.hu@suse.com> ---
> Do you have any news for this problem?

Not really, still waiting for Charles to change the xen package; will ping him.