Xen, systemd, and selinux

Xen, systemd, and selinux

[George Dunlap]

Hey Michael,

Not sure if you know, I've been maintaining the Xen4CentOS packages; I
suspect given the similarities between our systems we're solving the
same issues; particularly with the systemd/selinux combination.

I've just ported my patchqueue up to 4.7-rc4, and it looks like the
SELinux rules for xenstored -- at least the ones that come with CentOS
7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
(which is deprecated), but not /dev/xen/privcmd.

Do you know where the "upstream" for these rules are, and how to get
them changed in a way that will trickle down eventually to CentOS?

As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
*if* it fails with a certain set of error codes, it tries
/proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
from SELinux denials) is not one of those error codes.  If you just
add that error code in to the list of acceptable error codes, then
things work for me.

Thanks,
 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: Xen, systemd, and selinux

[Konrad Rzeszutek Wilk]

[-- Attachment #1: Type: text/plain, Size: 4770 bytes --]

On Mon, Jun 06, 2016 at 05:41:35PM +0100, George Dunlap wrote:
> Hey Michael,

CC-ing Olif and Daniel De Graaf,
> 
> Not sure if you know, I've been maintaining the Xen4CentOS packages; I
> suspect given the similarities between our systems we're solving the
> same issues; particularly with the systemd/selinux combination.
> 
> I've just ported my patchqueue up to 4.7-rc4, and it looks like the
> SELinux rules for xenstored -- at least the ones that come with CentOS
> 7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
> (which is deprecated), but not /dev/xen/privcmd.
> 
> Do you know where the "upstream" for these rules are, and how to get
> them changed in a way that will trickle down eventually to CentOS?

You open a bug against selinux policies. For example see:
https://bugzilla.redhat.com/show_bug.cgi?id=1322625
https://bugzilla.redhat.com/show_bug.cgi?id=1334511
And (which is exactly what you are hitting):

Bug 1334115 - SELinux is preventing xenconsoled from 'ioctl' accesses on the chr_file /dev/xen/privcmd. (edit)

Since not all of them went in F24 one way you can work around
this is to have a new 'xen-tools-selinux' package that will
install the new SELinux policies.

However I have to confess I hadn't managed to fix the /dev/xen/privcmd.
It still pops up occasionaly. The fix 1334115 is:

dev/xen/blktap.*      -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn                -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntdev                -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntalloc      -c      gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/privcmd       -c      gen_context(system_u:object_r:xen_device_t,s0)


Which I tried to replicate (see xen.fc)

For OL7 I did:

semanage fcontext -a -t xen_device_t /dev/xen/privcmd
restorecon -Rv /dev/xen/privcmd 

in the %post section of the spec file.

However oddly enough it does not always  work and I am not sure
what is up with that.

Also for OL7 I needed to do a bunch of other policies (see attached)
to get all of them SELinux complains out.

This is what I did in the %build:
                                                                               
%if 0%{?el7}                                                                       
make -f /usr/share/selinux/devel/Makefile xenstored_policy.pp                      
make -f /usr/share/selinux/devel/Makefile xenconsoled_policy.pp                    
make -f /usr/share/selinux/devel/Makefile xen.fc                                   
%endif      

and in %install:

%global modulenames xenstored_policy xenconsoled_policy                         
# Usage: _format var format                                                     
#   Expand 'modulenames' into various formats as needed                         
#   Format must contain '$x' somewhere to do anything useful                    
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
                                                                                

                                                                        
%_format MODULES $x.pp                                                          
install -d %{buildroot}%{_datadir}/selinux/packages                             
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages               
install -m 0644 xen.fc %{buildroot}%{_datadir}/selinux/packages       


And in the %post:

%post tools-selinux                                                             
%_format MODULES %{_datadir}/selinux/packages/$x.pp                             
%{_sbindir}/semodule -s %{selinuxtype} -i $MODULES                              
%{_sbindir}/semanage fcontext -a -t xen_device_t /dev/xen/privcmd               
if %{_sbindir}/selinuxenabled ; then                                            
        %{_sbindir}/load_policy                                                 
    %{_sbindir}/restorecon -Rv /dev/xen/privcmd                                 
fi                                                                              
%endif                                                                 

CC-ing Olif.

> 
> As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
> *if* it fails with a certain set of error codes, it tries
> /proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
> from SELinux denials) is not one of those error codes.  If you just
> add that error code in to the list of acceptable error codes, then
> things work for me.
> 
> Thanks,
>  -George
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel

[-- Attachment #2: xenstored_policy.te --]
[-- Type: text/plain, Size: 824 bytes --]


module xenstored_policy 1.0;

require {
	type xenstored_t;
	type device_t;
	type sysctl_fs_t;
	type initrc_t;
	class unix_stream_socket accept;
	class dir search;
	class file { read open };
	class chr_file { read write open };
}

#============= xenstored_t ==============
allow xenstored_t device_t:chr_file { read write open };
allow xenstored_t initrc_t:unix_stream_socket accept;
allow xenstored_t sysctl_fs_t:dir search;
allow xenstored_t sysctl_fs_t:file { read open };
#============= xenstored_t ==============
# src="xenstored_t" tgt="device_t" class="chr_file", perms="{ read write }"
# comm="oxenstored" exe="" path=""
allow xenstored_t device_t:chr_file { read write };
# src="xenstored_t" tgt="sysctl_fs_t" class="dir", perms="search"
# comm="oxenstored" exe="" path=""
allow xenstored_t sysctl_fs_t:dir search;

[-- Attachment #3: xenstored_policy.te --]
[-- Type: text/plain, Size: 824 bytes --]


module xenstored_policy 1.0;

require {
	type xenstored_t;
	type device_t;
	type sysctl_fs_t;
	type initrc_t;
	class unix_stream_socket accept;
	class dir search;
	class file { read open };
	class chr_file { read write open };
}

#============= xenstored_t ==============
allow xenstored_t device_t:chr_file { read write open };
allow xenstored_t initrc_t:unix_stream_socket accept;
allow xenstored_t sysctl_fs_t:dir search;
allow xenstored_t sysctl_fs_t:file { read open };
#============= xenstored_t ==============
# src="xenstored_t" tgt="device_t" class="chr_file", perms="{ read write }"
# comm="oxenstored" exe="" path=""
allow xenstored_t device_t:chr_file { read write };
# src="xenstored_t" tgt="sysctl_fs_t" class="dir", perms="search"
# comm="oxenstored" exe="" path=""
allow xenstored_t sysctl_fs_t:dir search;

[-- Attachment #4: xen.fc --]
[-- Type: text/plain, Size: 67 bytes --]

/dev/xen/privcmd	--	gen_context(system_u:object_r:xen_device_t:s0)

[-- Attachment #5: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: Xen, systemd, and selinux

[M A Young]

On Mon, 6 Jun 2016, George Dunlap wrote:

> Do you know where the "upstream" for these rules are, and how to get
> them changed in a way that will trickle down eventually to CentOS?

I got it fixed in very recent selinux-policy packages (see 
https://bugzilla.redhat.com/show_bug.cgi?id=1334115 ) on Fedora. The only 
automatic trickle down from Fedora to RHEL to CentOS that I know of is to 
later releases so it will presumably be fixed in CentOS 8. I think there 
is a greater chance of it being backported to earlier versions if it is 
reported as a bug against whichever versions of RHEL you want it for on 
bugzilla or via a support contract if you have one.

	Michael Young

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel