* Xen, systemd, and selinux
@ 2016-06-06 16:41 George Dunlap
  2016-06-06 17:01 ` Konrad Rzeszutek Wilk
  2016-06-06 17:52 ` M A Young
  0 siblings, 2 replies; 3+ messages in thread
From: George Dunlap @ 2016-06-06 16:41 UTC (permalink / raw)
  To: M A Young; +Cc: xen-devel

Hey Michael,

Not sure if you know, I've been maintaining the Xen4CentOS packages; I
suspect given the similarities between our systems we're solving the
same issues; particularly with the systemd/selinux combination.

I've just ported my patchqueue up to 4.7-rc4, and it looks like the
SELinux rules for xenstored -- at least the ones that come with CentOS
7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
(which is deprecated), but not /dev/xen/privcmd.

Do you know where the "upstream" for these rules are, and how to get
them changed in a way that will trickle down eventually to CentOS?

As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
*if* it fails with a certain set of error codes, it tries
/proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
from SELinux denials) is not one of those error codes.  If you just
add that error code into the list of acceptable error codes, then
things work for me.

Thanks,
 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
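The open-then-fallback step George describes, as an added example (not libxc's code and not part of this thread): a small model of the decision in Python. The errno set that triggers the fallback (ENOENT, ENXIO, ENODEV, read as "the device node is not there") is an assumption chosen for the example, not taken from libxc; the `allow_eacces` switch models the change George suggests, and the injectable `opener` exists only so the logic can be exercised without a Xen host.

```python
"""Open /dev/xen/privcmd, falling back to the deprecated /proc/xen/privcmd.

Added example: models the open-then-fallback logic described in the
message.  The errno set below is an assumption, not libxc's actual list.
"""
import errno
import os

PRIMARY = "/dev/xen/privcmd"          # preferred interface
FALLBACK = "/proc/xen/privcmd"        # deprecated interface

# "Node absent" errors: assumed set for the example, not taken from libxc.
FALLBACK_ERRNOS = frozenset({errno.ENOENT, errno.ENXIO, errno.ENODEV})


def should_fall_back(err, allow_eacces=False):
    """Decide whether a failure opening PRIMARY should be retried on FALLBACK."""
    if err in FALLBACK_ERRNOS:
        return True
    # EACCES is what an SELinux denial surfaces as; it only triggers the
    # fallback when the caller opts in (the change George suggests).
    return allow_eacces and err == errno.EACCES


def open_privcmd(opener=os.open, primary=PRIMARY, fallback=FALLBACK,
                 allow_eacces=False, log=None):
    """Return (fd, path_used); raise OSError if no path could be opened.

    `opener` is injectable (hypothetical parameter) so the decision logic can
    be exercised offline with a fake that raises chosen errnos.
    """
    flags = os.O_RDWR | os.O_CLOEXEC
    try:
        return opener(primary, flags), primary
    except OSError as exc:
        if exc.errno == errno.EACCES and log is not None:
            # A denial on the preferred node is worth recording even when the
            # fallback succeeds: it usually means the policy labels or allows
            # the old path but not the new one.
            log.append(f"open({primary}) denied (EACCES); check the SELinux AVC log")
        if not should_fall_back(exc.errno, allow_eacces):
            raise
        return opener(fallback, flags), fallback


def make_fake_opener(errors):
    """Constructed stand-in for os.open: fail paths listed in `errors` with the
    given errno, return a dummy descriptor for everything else."""
    def opener(path, flags):
        if path in errors:
            raise OSError(errors[path], os.strerror(errors[path]), path)
        return 42  # dummy descriptor
    return opener


if __name__ == "__main__":
    # Scenario from the message: SELinux denies /dev/xen/privcmd (EACCES)
    # while /proc/xen/privcmd is still permitted.
    denied = make_fake_opener({PRIMARY: errno.EACCES})
    try:
        open_privcmd(opener=denied)
    except OSError as e:
        print("stock behaviour: no fallback on", errno.errorcode[e.errno])
    fd, used = open_privcmd(opener=denied, allow_eacces=True)
    print("with EACCES in the list: opened", used)
```

The point of the logged message is the defender's view of the same bug: silently falling back on EACCES would hide a policy problem (the new node is mislabelled or not allowed) behind a working but deprecated interface, so the denial should surface somewhere even when the fallback succeeds.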


* Re: Xen, systemd, and selinux
  2016-06-06 16:41 Xen, systemd, and selinux George Dunlap
@ 2016-06-06 17:01 ` Konrad Rzeszutek Wilk
  2016-06-06 17:52 ` M A Young
  1 sibling, 0 replies; 3+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-06-06 17:01 UTC (permalink / raw)
  To: George Dunlap, olif.chapman, dgdegra; +Cc: xen-devel, M A Young


On Mon, Jun 06, 2016 at 05:41:35PM +0100, George Dunlap wrote:
> Hey Michael,

CC-ing Olif and Daniel De Graaf,
> 
> Not sure if you know, I've been maintaining the Xen4CentOS packages; I
> suspect given the similarities between our systems we're solving the
> same issues; particularly with the systemd/selinux combination.
> 
> I've just ported my patchqueue up to 4.7-rc4, and it looks like the
> SELinux rules for xenstored -- at least the ones that come with CentOS
> 7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
> (which is deprecated), but not /dev/xen/privcmd.
> 
> Do you know where the "upstream" for these rules are, and how to get
> them changed in a way that will trickle down eventually to CentOS?

You open a bug against selinux policies. For example see:
https://bugzilla.redhat.com/show_bug.cgi?id=1322625
https://bugzilla.redhat.com/show_bug.cgi?id=1334511
And (which is exactly what you are hitting):

Bug 1334115 - SELinux is preventing xenconsoled from 'ioctl' accesses on the chr_file /dev/xen/privcmd. (edit)

Since not all of them went in F24, one way you can work around
this is to have a new 'xen-tools-selinux' package that will
install the new SELinux policies.

However I have to confess I hadn't managed to fix the /dev/xen/privcmd.
It still pops up occasionally. The fix for 1334115 is:

dev/xen/blktap.*      -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn                -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntdev                -c      gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntalloc      -c      gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/privcmd       -c      gen_context(system_u:object_r:xen_device_t,s0)
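Review bot: the new file-context line only changes the label of /dev/xen/privcmd; the denial quoted for bug 1334115 is an 'ioctl' on that chr_file, so the relabel clears it only if the domain policy for xenconsoled_t (and xenstored_t) already allows { read write ioctl open } on xen_device_t:chr_file, which is worth confirming before relying on the relabel alone. The first context line as shown has also lost its leading ' /' ('dev/xen/blktap.*' instead of ' /dev/xen/blktap.*'), so this fragment will not apply cleanly as a patch.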


Which I tried to replicate (see xen.fc)

For OL7 I did:

semanage fcontext -a -t xen_device_t /dev/xen/privcmd
restorecon -Rv /dev/xen/privcmd

in the %post section of the spec file.

However, oddly enough, it does not always work and I am not sure
what is up with that.

Also for OL7 I needed to do a bunch of other policies (see attached)
to get all of the SELinux complaints out.

This is what I did in the %build:

%if 0%{?el7}
make -f /usr/share/selinux/devel/Makefile xenstored_policy.pp
make -f /usr/share/selinux/devel/Makefile xenconsoled_policy.pp
make -f /usr/share/selinux/devel/Makefile xen.fc
%endif

and in %install:

%global modulenames xenstored_policy xenconsoled_policy
# Usage: _format var format
#   Expand 'modulenames' into various formats as needed
#   Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;

%_format MODULES $x.pp
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 0644 $MODULES %{buildroot}%{_datadir}/selinux/packages
install -m 0644 xen.fc %{buildroot}%{_datadir}/selinux/packages


And in the %post:

%post tools-selinux
%_format MODULES %{_datadir}/selinux/packages/$x.pp
%{_sbindir}/semodule -s %{selinuxtype} -i $MODULES
# Note: 'fcontext -a' fails if the mapping already exists (e.g. on upgrade);
# 'fcontext -m' modifies an existing one.
%{_sbindir}/semanage fcontext -a -t xen_device_t /dev/xen/privcmd
if %{_sbindir}/selinuxenabled ; then
    %{_sbindir}/load_policy
    %{_sbindir}/restorecon -Rv /dev/xen/privcmd
fi
%endif

CC-ing Olif.

> 
> As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
> *if* it fails with a certain set of error codes, it tries
> /proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
> from SELinux denials) is not one of those error codes.  If you just
> add that error code into the list of acceptable error codes, then
> things work for me.
> 
> Thanks,
>  -George

[-- Attachment #2: xenstored_policy.te --]
[-- Type: text/plain, Size: 824 bytes --]


# Local policy module for (o)xenstored: audit2allow output from AVC denials,
# extended by hand.
module xenstored_policy 1.0;

require {
	type xenstored_t;
	type device_t;
	type sysctl_fs_t;
	type initrc_t;
	class unix_stream_socket accept;
	class dir search;
	class file { read open };
	class chr_file { read write open };
}

#============= xenstored_t ==============
# /dev/xen/privcmd still carries the generic device_t label on this system,
# so the rule has to target device_t; labelling the node xen_device_t (xen.fc)
# is the narrower fix.
allow xenstored_t device_t:chr_file { read write open };
# Listening socket inherited from the start-up context (initrc_t).
allow xenstored_t initrc_t:unix_stream_socket accept;
# /proc/sys/fs lookups.
allow xenstored_t sysctl_fs_t:dir search;
allow xenstored_t sysctl_fs_t:file { read open };
#============= xenstored_t ==============
# Second audit2allow run: these rules are subsets of the ones above and are
# merged by checkmodule, so they are redundant but harmless.
# src="xenstored_t" tgt="device_t" class="chr_file", perms="{ read write }"
# comm="oxenstored" exe="" path=""
allow xenstored_t device_t:chr_file { read write };
# src="xenstored_t" tgt="sysctl_fs_t" class="dir", perms="search"
# comm="oxenstored" exe="" path=""
allow xenstored_t sysctl_fs_t:dir search;

[-- Attachment #4: xen.fc --]
[-- Type: text/plain, Size: 67 bytes --]

# Character device node (-c), not a regular file (--): restorecon only
# relabels objects whose file type matches the spec. gen_context takes the
# MLS range as a separate argument, separated by a comma.
/dev/xen/privcmd	-c	gen_context(system_u:object_r:xen_device_t,s0)
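The attached xenstored_policy.te is the kind of module audit2allow produces from AVC denials. As an added example (not part of this thread and not audit2allow itself), the Python below performs that core step, merging one `allow` per source type, target type and object class from denial records, and adds a warning audit2allow does not print: when the target is a generic label such as device_t, the rule grants the domain access to every object carrying that label, and a file context (as in xen.fc above) is the narrower fix. The AVC records are constructed for the example, modelled on the denials implied by the attachment; the `GENERIC_TARGETS` set is the example's own heuristic.

```python
"""Turn AVC denial records into a minimal SELinux policy module (.te).

Added example (not audit2allow): merges denials into allow rules and flags
rules whose target is a generic label.  Sample records are constructed.
"""
import re
from collections import defaultdict

# Constructed sample records (not captured from a real host).
SAMPLE_AVC = """\
type=AVC msg=audit(1465234567.101:301): avc:  denied  { read write } for  pid=1201 comm="oxenstored" name="privcmd" dev="devtmpfs" ino=1234 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1465234567.102:302): avc:  denied  { open } for  pid=1201 comm="oxenstored" path="/dev/xen/privcmd" dev="devtmpfs" ino=1234 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1465234567.103:303): avc:  denied  { search } for  pid=1201 comm="oxenstored" name="fs" dev="proc" ino=5678 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1465234567.104:304): avc:  denied  { accept } for  pid=1201 comm="oxenstored" scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Labels that are placeholders rather than purpose-specific types (example's
# own heuristic).  A denial against one of these usually means the object is
# mislabelled; relabelling it is narrower than an allow rule.
GENERIC_TARGETS = {"device_t", "unlabeled_t", "default_t"}


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(src_type, tgt_type, tclass): set(perms)}, merged across records."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """Render a permission set in .te syntax: `read` or `{ open read write }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name, version="1.0"):
    """Render a module: `module` line, `require` block, then the allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        out.append(f"\tclass {cls} {fmt_perms(perms)};")
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in GENERIC_TARGETS:
            out.append(f"# WARNING: {tgt} is a generic label; this grants {src} access "
                       f"to every {cls} labelled {tgt}. Prefer relabelling the object.")
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te(parse_avc(SAMPLE_AVC), "xenstored_policy"), end="")
```

Run stand-alone it prints a module equivalent to the attachment's first block (with the two chr_file denials merged into one rule and the device_t warning ahead of it); the same records fed through a second run are why the attachment ends with duplicate rules.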



* Re: Xen, systemd, and selinux
  2016-06-06 16:41 Xen, systemd, and selinux George Dunlap
  2016-06-06 17:01 ` Konrad Rzeszutek Wilk
@ 2016-06-06 17:52 ` M A Young
  1 sibling, 0 replies; 3+ messages in thread
From: M A Young @ 2016-06-06 17:52 UTC (permalink / raw)
  To: George Dunlap; +Cc: xen-devel

On Mon, 6 Jun 2016, George Dunlap wrote:

> Do you know where the "upstream" for these rules are, and how to get
> them changed in a way that will trickle down eventually to CentOS?

I got it fixed in very recent selinux-policy packages (see 
https://bugzilla.redhat.com/show_bug.cgi?id=1334115 ) on Fedora. The only 
automatic trickle down from Fedora to RHEL to CentOS that I know of is to 
later releases so it will presumably be fixed in CentOS 8. I think there 
is a greater chance of it being backported to earlier versions if it is 
reported as a bug against whichever versions of RHEL you want it for on 
bugzilla or via a support contract if you have one.

	Michael Young


