From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: George Dunlap <dunlapg@umich.edu>,
olif.chapman@oracle.com, dgdegra@tycho.nsa.gov
Cc: xen-devel <xen-devel@lists.xenproject.org>,
M A Young <m.a.young@durham.ac.uk>
Subject: Re: Xen, systemd, and selinux
Date: Mon, 6 Jun 2016 13:01:39 -0400 [thread overview]
Message-ID: <20160606170139.GI21930@char.us.oracle.com> (raw)
In-Reply-To: <CAFLBxZb-o-LyTZKmgMQ9MyQOHgV-T9-0-Lb6_Vq38=7Syu8OPw@mail.gmail.com>
On Mon, Jun 06, 2016 at 05:41:35PM +0100, George Dunlap wrote:
> Hey Michael,
CC-ing Olif and Daniel De Graaf,
>
> Not sure if you know, I've been maintaining the Xen4CentOS packages; I
> suspect given the similarities between our systems we're solving the
> same issues; particularly with the systemd/selinux combination.
>
> I've just ported my patchqueue up to 4.7-rc4, and it looks like the
> SELinux rules for xenstored -- at least the ones that come with CentOS
> 7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
> (which is deprecated), but not /dev/xen/privcmd.
>
> Do you know where the "upstream" for these rules are, and how to get
> them changed in a way that will trickle down eventually to CentOS?
You open a bug against selinux policies. For example see:
https://bugzilla.redhat.com/show_bug.cgi?id=1322625
https://bugzilla.redhat.com/show_bug.cgi?id=1334511
And (which is exactly what you are hitting):
Bug 1334115 - SELinux is preventing xenconsoled from 'ioctl' accesses on the chr_file /dev/xen/privcmd.
Since not all of them went into F24, one way you can work around
this is to have a new 'xen-tools-selinux' package that will
install the new SELinux policies.
However I have to confess I hadn't managed to fix the /dev/xen/privcmd.
It still pops up occasionally. The fix for 1334115 is:
dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
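Review bot: the first context line reads `dev/xen/blktap.*` without the leading slash while every sibling entry in the hunk starts with `/dev/xen/`, so this copy looks truncated; compare it against the bug before reusing it. Note also that the added `/dev/xen/privcmd` entry only changes the label of a node that already exists once `restorecon` is run against it (or udev recreates the node), so on a host where the device is already present it keeps its previous label until that step happens; the `%post` below covers that with `restorecon -Rv /dev/xen/privcmd`.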
Which I tried to replicate (see xen.fc)
For OL7 I did:
semanage fcontext -a -t xen_device_t /dev/xen/privcmd
restorecon -Rv /dev/xen/privcmd
in the %post section of the spec file.
However, oddly enough, it does not always work and I am not sure
what is up with that.
Also for OL7 I needed to do a bunch of other policies (see attached)
to get all of the SELinux complaints out.
This is what I did in the %build:
%if 0%{?el7}
make -f /usr/share/selinux/devel/Makefile xenstored_policy.pp
make -f /usr/share/selinux/devel/Makefile xenconsoled_policy.pp
make -f /usr/share/selinux/devel/Makefile xen.fc
%endif
and in %install:
%global modulenames xenstored_policy xenconsoled_policy
# Usage: _format var format
# Expand 'modulenames' into various formats as needed
# Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
%_format MODULES $x.pp
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
install -m 0644 xen.fc %{buildroot}%{_datadir}/selinux/packages
And in the %post:
%if 0%{?el7}
%post tools-selinux
# the selinuxtype macro (usually "targeted") is defined elsewhere in the spec
%_format MODULES %{_datadir}/selinux/packages/$x.pp
%{_sbindir}/semodule -s %{selinuxtype} -i $MODULES
%{_sbindir}/semanage fcontext -a -t xen_device_t /dev/xen/privcmd
if %{_sbindir}/selinuxenabled ; then
%{_sbindir}/load_policy
%{_sbindir}/restorecon -Rv /dev/xen/privcmd
fi
%endif
CC-ing Olif.
>
> As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
> *if* it fails with a certain set of error codes, it tries
> /proc/xen/privcmd instead. Unfortunately, EACCES (the failure you get
> from SELinux denials) is not one of those error codes. If you just
> add that error code into the list of acceptable error codes, then
> things work for me.
>
> Thanks,
> -George
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
[-- Attachment #2: xenstored_policy.te --]
[-- Type: text/plain, Size: 824 bytes --]
module xenstored_policy 1.0;
require {
type xenstored_t;
type device_t;
type sysctl_fs_t;
type initrc_t;
class unix_stream_socket accept;
class dir search;
class file { read open };
class chr_file { read write open };
}
#============= xenstored_t ==============
allow xenstored_t device_t:chr_file { read write open };
allow xenstored_t initrc_t:unix_stream_socket accept;
allow xenstored_t sysctl_fs_t:dir search;
allow xenstored_t sysctl_fs_t:file { read open };
#============= xenstored_t ==============
# src="xenstored_t" tgt="device_t" class="chr_file", perms="{ read write }"
# comm="oxenstored" exe="" path=""
allow xenstored_t device_t:chr_file { read write };
# src="xenstored_t" tgt="sysctl_fs_t" class="dir", perms="search"
# comm="oxenstored" exe="" path=""
allow xenstored_t sysctl_fs_t:dir search;
[-- Attachment #4: xen.fc --]
[-- Type: text/plain, Size: 67 bytes --]
/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)
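An added example (my code, not Konrad's packaging and not anything from the Xen project): it does what the audit2allow run behind the attached .te did, merging AVC denial records into a policy-module skeleton, then flags rules whose target is a catch-all type such as device_t (allowing those widens access to every node carrying that label, whereas the file-context route in the bug fix gives /dev/xen/privcmd its own type), and lints .fc entries for the file-type flag and the ",s0" separator before they are packaged. The audit records, the module name xen_local and the list of generic types are assumptions of the example.

```python
import os
import re
import stat
from collections import defaultdict

# Constructed sample audit records (not from the thread), shaped like audit.log AVC lines.
SAMPLE_AVC = """\
type=AVC msg=audit(1465232400.101:231): avc:  denied  { read write open } for  pid=1234 comm="oxenstored" name="privcmd" dev="devtmpfs" ino=9876 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1465232400.102:232): avc:  denied  { ioctl } for  pid=1235 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=9876 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1465232400.103:233): avc:  denied  { search } for  pid=1234 comm="oxenstored" name="fs" dev="proc" ino=1 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<sctx>\S+)"
                    r".*?tcontext=(?P<tctx>\S+).*?tclass=(?P<cls>\w+)")

def parse_avc(text):
    """Return [(source_type, target_type, class, frozenset(perms)), ...], one per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # the third colon-separated field of a security context is its type
            denials.append((m["sctx"].split(":")[2], m["tctx"].split(":")[2],
                            m["cls"], frozenset(m["perms"].split())))
    return denials

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def build_module(denials, name, version="1.0"):
    """Merge denials into allow rules plus the require block, audit2allow-style."""
    rules = defaultdict(set)                    # (src, tgt, cls) -> permissions
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types |= {src, tgt}
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

# Assumed list of catch-all object types: an allow rule against one of these opens every
# object carrying that label, so the better fix is a file-context entry with a specific type.
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t"}

def generic_target_rules(denials):
    return sorted({(s, t, c) for s, t, c, _ in denials if t in GENERIC_TYPES})

FC_FLAGS = {"--": "regular file", "-b": "block device", "-c": "character device",
            "-d": "directory", "-l": "symlink", "-p": "named pipe", "-s": "socket"}

def fc_flag_for_node(path):
    """The .fc file-type flag matching the object that is actually on disk."""
    mode = os.lstat(path).st_mode
    for test, flag in ((stat.S_ISCHR, "-c"), (stat.S_ISBLK, "-b"), (stat.S_ISDIR, "-d"),
                       (stat.S_ISLNK, "-l"), (stat.S_ISFIFO, "-p"), (stat.S_ISSOCK, "-s")):
        if test(mode):
            return flag
    return "--"

def lint_fc_line(line, node_flag=None):
    """Problems with one .fc entry ([] = acceptable). node_flag is the flag the object
    needs (see fc_flag_for_node) when the caller knows what is on disk."""
    problems, parts = [], line.split()
    if len(parts) < 2:
        return ["expected: <path> [flag] gen_context(user:role:type,mls) or <<none>>"]
    rest, flag = parts[1:], None
    if rest[0].startswith("-"):
        flag = rest.pop(0)
        if flag not in FC_FLAGS:
            problems.append(f"unknown file-type flag {flag!r}")
    if len(rest) != 1:
        problems.append(f"unexpected tokens after the path: {rest!r}")
    spec = rest[0] if rest else ""
    m = re.fullmatch(r"gen_context\((.*)\)", spec)
    if spec != "<<none>>" and not m:
        problems.append(f"context must be gen_context(...) or <<none>>, got {spec!r}")
    elif m:
        args = m.group(1).split(",")
        if len(args) < 2:
            problems.append("gen_context() needs a comma before the MLS level: "
                            "gen_context(user:role:type,s0), not ':s0'")
        if len(args[0].split(":")) != 3:
            problems.append(f"security context {args[0]!r} must be user:role:type")
    if node_flag and flag and flag != node_flag:
        problems.append(f"flag {flag} ({FC_FLAGS[flag]}) does not match the object, "
                        f"which needs {node_flag} ({FC_FLAGS[node_flag]})")
    return problems

if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    print(build_module(denials, "xen_local"))
    for rule in generic_target_rules(denials):
        print("relabel the object instead of allowing a generic target:", rule)
    for entry in ("/dev/xen/privcmd -- gen_context(system_u:object_r:xen_device_t:s0)",
                  "/dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0)"):
        print(entry, "->", lint_fc_line(entry, node_flag="-c") or "ok")
```

On a real host, pair lint_fc_line with fc_flag_for_node("/dev/xen/privcmd") so the flag in the entry is checked against the node that udev actually created; the generic_target_rules output is the list of denials worth fixing by relabeling (semanage fcontext plus restorecon, as in the %post above) rather than by widening the policy.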