[Bug 1140151] New: AUDIT-0: libvirt: new polkit permissions for networkport
http://bugzilla.suse.com/show_bug.cgi?id=1140151

            Bug ID: 1140151
           Summary: AUDIT-0: libvirt: new polkit permissions for networkport
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jfehlig@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

libvirt 5.5.0 got some new polkit permissions for the networkport object via
commit e69444e1793, which cause the following lint failures

[  732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.getattr (yes:yes:yes)
[  732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.read (yes:yes:yes)
[  732s] The package allows unprivileged users to carry out privileged operations
[  732s] without authentication. This could cause security problems if not done
[  732s] carefully. If the package is intended for inclusion in any SUSE product please
[  732s] open a bug report to request review of the package by the security team.
[  732s] Please refer to
[  732s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  732s] more information.
[  732s]
[  732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.create (no:no:no)
[  732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.delete (no:no:no)
[  732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.write (no:no:no)
[  732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network.search-ports (no:no:no)
[  732s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[  732s] harder for admins to find. Furthermore polkit authorization checks can easily
[  732s] introduce security issues. If the package is intended for inclusion in any
[  732s] SUSE product please open a bug report to request review of the package by the
[  732s] security team. Please refer to
[  732s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[  732s] more information.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
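The two rpmlint error classes in the report above result from comparing each <action> in the package's polkit policy file with the whitelist in /etc/polkit-default-privs.*. The shell script below is an added example, not rpmlint's, libvirt's or any participant's code. It re-implements the decision rule as the output above exhibits it: an action that is absent from the whitelist is reported as polkit-unauthorized-privilege when any of its allow_any:allow_inactive:allow_active defaults grants access without administrator authentication, and as polkit-untracked-privilege otherwise, while a whitelisted action is silent. It runs that rule over a constructed libvirt-style policy file that reuses three action ids from this report with the triples shown above, then appends a polkit-default-privs style entry for one of them, which is what the whitelisting in this bug did, and lints again. The sample policy file, the sample whitelist file, and the treatment of values other than no, auth_admin and auth_admin_keep as "unauthorized" are this example's assumptions, not facts from the bug.

```shell
#!/bin/sh
# Added example (not rpmlint, libvirt or bug-report code): approximate the
# openSUSE rpmlint polkit check on a constructed libvirt-style policy file and
# show how a polkit-default-privs entry turns a finding into a tracked action.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
POLICY=$WORK/org.libvirt.api.policy          # constructed sample, not libvirt's shipped file
PRIVS=$WORK/polkit-default-privs.standard    # constructed sample whitelist

# Constructed policy: action ids and defaults taken from the lint output above.
cat >"$POLICY" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.libvirt.api.network-port.getattr">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.libvirt.api.network-port.create">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>no</allow_active>
    </defaults>
  </action>
  <action id="org.libvirt.api.network.search-ports">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>no</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF

# Whitelist format: one "action<TAB>any:inactive:active" line per action.
# Only search-ports is tracked at the start of this constructed scenario.
printf '%s\t%s\n' org.libvirt.api.network.search-ports no:no:no >"$PRIVS"

# Print "action any:inactive:active" for every <action> in a policy file.
policy_defaults() {
  awk '
    /<action id="/ { id = $0; sub(/.*<action id="/, "", id); sub(/".*/, "", id) }
    /<allow_(any|inactive|active)>/ {
      tag = $0; sub(/.*<allow_/, "", tag); sub(/>.*/, "", tag)
      val = $0; sub(/.*<allow_[a-z]*>/, "", val); sub(/<.*/, "", val)
      v[tag] = val
    }
    /<\/action>/ { print id, v["any"] ":" v["inactive"] ":" v["active"]; split("", v) }
  ' "$1"
}

# Exit 0 if the action id appears in the first column of the whitelist file.
whitelisted() {
  awk -v a="$1" '$1 == a { found = 1 } END { exit !found }' "$2"
}

# Verdict for one action. Whitelisted -> "tracked". Otherwise a default that
# grants anything without admin authentication (assumption: anything other than
# no / auth_admin / auth_admin_keep) -> polkit-unauthorized-privilege; a fully
# restrictive action -> polkit-untracked-privilege.
classify() {
  action=$1 triple=$2 privs=$3
  if whitelisted "$action" "$privs"; then
    echo tracked
    return
  fi
  restrictive=1
  for s in $(printf '%s' "$triple" | tr ':' ' '); do
    case $s in
      no|auth_admin|auth_admin_keep) ;;
      *) restrictive=0 ;;
    esac
  done
  if [ "$restrictive" -eq 1 ]; then
    echo polkit-untracked-privilege
  else
    echo polkit-unauthorized-privilege
  fi
}

# Lint a whole policy file: one "verdict action (triple)" line per action.
lint_policy() {
  policy_defaults "$1" | while read -r action triple; do
    printf '%s %s (%s)\n' "$(classify "$action" "$triple" "$2")" "$action" "$triple"
  done
}

# Record an action in the whitelist with the defaults its policy declares.
whitelist_action() {
  printf '%s\t%s\n' "$1" "$2" >>"$3"
}

echo "== before whitelisting =="
lint_policy "$POLICY" "$PRIVS"
whitelist_action org.libvirt.api.network-port.getattr yes:yes:yes "$PRIVS"
echo "== after whitelisting getattr =="
lint_policy "$POLICY" "$PRIVS"
```

The first pass reports getattr as polkit-unauthorized-privilege (its defaults are yes:yes:yes and it is not in the whitelist), create as polkit-untracked-privilege (no:no:no, also not whitelisted) and search-ports as tracked; after the whitelist entry is appended, getattr is tracked as well. Note that the triple printed next to a finding is the policy file's own defaults, so whitelisting only records that the security team has looked at those defaults; it does not change what the daemon grants.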
--- Comment #4 from James Fehlig ---
(In reply to Matthias Gerstner from comment #3)
> These rules don't need further auditing so far. I've whitelisted them via
> sr#713249.

Thanks! Will the whitelisting also flow to "older" distros, like SLE15 GA/SP1
and Leap 15.0/1? I'm sure you recall similar requests from me in the past, so
that libvirt will build for targets other than Factory in our Virtualization
devel project :-).
--- Comment #7 from Matthias Gerstner ---
(In reply to James Fehlig from comment #4)
> Thanks! Will the whitelisting also flow to "older" distros, like SLE15 GA/SP1
> and Leap 15.0/1? I'm sure you recall similar requests from me in the past, so
> that libvirt will build for targets other than Factory in our Virtualization
> devel project :-).

Technically I'm not so happy to backport whitelistings to older codestreams
when they're not actually needed there. I understand your request, however,
and the limitation is on our side (how rpmlint and the whitelisting works).
Hopefully we can improve on this in the future. Meanwhile I'll backport the
whitelisting for 15 and 15.1 codestreams.
--- Comment #9 from James Fehlig ---
(In reply to Matthias Gerstner from comment #7)
> Technically I'm not so happy to backport whitelistings to older codestreams
> when they're not actually needed there.

In previous bugs I've agreed with your distaste of the backports, and will do
so again in this bug :-).

> I understand your request, however, and the limitation is on our side (how
> rpmlint and the whitelisting works). Hopefully we can improve on this in the
> future.

Although not super sexy, it could make for a hackweek project.

> Meanwhile I'll backport the whitelisting for 15 and 15.1 codestreams.

Thanks!
--- Comment #11 from Matthias Gerstner ---
(In reply to James Fehlig from comment #10)
> ISTR something else needing done for all this to work. Perhaps rebuild of
> rpmlint with new polkit-default-privs? The branched libvirt in my home project
> still fails to build even though the updated polkit-default-privs has landed
> in Factory.

Ouch! It seems like I've overlooked part of the new rules in comment 0. I've
missed search-ports and getattr and read. getattr and read also have
yes:yes:yes. I'll have to take a closer look.
--- Comment #12 from Matthias Gerstner ---
(In reply to Matthias Gerstner from comment #11)
> Ouch! It seems like I've overlooked part of the new rules in comment 0. I've
> missed search-ports and getattr and read. getattr and read also have
> yes:yes:yes. I'll have to take a closer look.

So those yes:yes:yes actions are only for getting information about existing
network ports. Shouldn't be too evil. I've added the missing actions and
started the whole affair in OBS once more including maintenance updates for
SLE-15 codestreams.