RHEL-113647
SELinux restricts systemd from creating vsock listeners


    • selinux-policy-38.1.67-1.el9
    • Low
    • rhel-security-selinux
    • QE ack
    • SELINUX 251029: 14
    • The reproducer does not trigger SELinux denials.
    • Release Note Not Required

      What were you trying to do that didn't work?

      I'm trying to add a listener for sshd on vsock in RHEL 8 and 9. In RHEL 10 this is done by way of the systemd-ssh-generator, but this isn't supported on 8 and 9, so I'm trying to get the same functionality by adding a couple of extra units:

      {code}
      ==> tt-sshd-vsock@.service <==
      [Unit]
      Description=OpenSSH per-connection server daemon
      Documentation=man:sshd(8) man:sshd_config(5)
      Wants=sshd-keygen.target
      After=sshd-keygen.target

      [Service]
      EnvironmentFile=-/etc/sysconfig/sshd
      ExecStart=-/usr/sbin/sshd -i $OPTIONS -o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"
      StandardInput=socket

      ==> tt-sshd-vsock.socket <==
      [Unit]
      Wants=ssh-access.target
      Before=ssh-access.target

      [Socket]
      ListenStream=vsock::22
      Accept=yes

      [Install]
      WantedBy=sockets.target
      {code}

      After fighting my way through an ausearch and audit2allow and all of that jazz, I managed to come up with a policy patch that seems to fix things:

      {code}
      module sshd_vsock 1.0;

      require {
          type init_t;
          type sshd_t;
          type sshd_net_t;
          class vsock_socket { create bind listen accept getattr read write getopt setopt ioctl name_bind };
      }

      allow init_t sshd_t:vsock_socket { create bind listen accept getattr setopt name_bind };
      allow sshd_t self:vsock_socket { read write getattr getopt setopt ioctl accept };
      allow sshd_net_t sshd_t:vsock_socket { read write getattr };
      {code}

      What is the impact of this issue to you?

      This is about trying to get RHEL 8/9 images working with test.thing, a new testing tool that we're trying to use for integration testing in the Cockpit project. We use VMs for integration testing and we want to start talking to them using ssh-via-vsock.

      Please provide the package NVR for which the bug is seen:

      This is seen on RHEL 9.8.
      selinux-policy-38.1.65-1.el9.noarch
      selinux-policy-targeted-38.1.65-1.el9.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Add the two unit files above
      2. Enable the .socket unit
      3. Notice that the activation failed because systemd can't bind the socket
      4. Enable permissive mode, note that everything is working properly

      Expected results

      I think it makes sense that ssh-via-vsock support is missing since these releases have an older systemd version... I didn't expect that I'd have to fight so hard to add it. The systemd versions in both RHEL 8 and 9 support vsock listeners, but SELinux won't let you do it.

      Actual results

      You have to add a large custom policy to work around the problem.
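      The policy module in the report is the kind of output audit2allow derives from AVC records. As an added illustration (not part of the report, and not code from the reporter or the selinux-policy project), the script below shows the core of that derivation: it parses `avc: denied` records as printed by `ausearch -m AVC`, groups the denied permissions by source type, target type and object class, and renders a minimal `.te` module. The AVC lines embedded in it are constructed for this example; they are modelled on the init_t/sshd_t/vsock_socket denials the report describes, not copied from the reporter's system. Unlike audit2allow it knows nothing about booleans, interfaces or dontaudit rules, so its output is a starting point for review, not a drop-in policy.

```python
import re
from collections import defaultdict

# Constructed sample records in the format `ausearch -m AVC` prints.
# These are illustrative only; they are not logs from the bug report.
SAMPLE_AVC = """\
type=AVC msg=audit(1730000000.101:201): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1730000000.102:202): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1730000000.103:203): avc:  denied  { name_bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1730000000.104:204): avc:  denied  { listen } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1730000000.105:205): avc:  denied  { read write } for  pid=4242 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1730000000.106:206): avc:  denied  { getattr } for  pid=4243 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=vsock_socket permissive=1
type=USER_AVC msg=audit(1730000000.107:207): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)'
"""

# One denial record: the permission set, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Return the type component of a user:role:type:level context string."""
    return context.split(":")[2]


def parse_denials(text: str) -> dict:
    """Aggregate AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # USER_AVC notices and other non-denial records are skipped
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_module(name: str, version: str, rules: dict) -> str:
    """Render a minimal .te source for checkmodule(8) from aggregated denials."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        target = "self" if src == tgt else tgt  # policy idiom for same-type access
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        out.append(f"allow {src} {target}:{cls} {{ {perms} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Output is the .te text; building and loading it is done with the usual
    # toolchain: checkmodule -M -m -o NAME.mod NAME.te,
    # semodule_package -o NAME.pp -m NAME.mod, semodule -i NAME.pp
    print(render_module("sshd_vsock", "1.0", parse_denials(SAMPLE_AVC)))
```

      Run the script and compare the generated allow rules with the module in the report: the same three source/target pairs appear, and each rule carries only the permissions that were actually denied in the sample, which is the property to check before loading any generated module.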

              rhn-support-zpytela Zdenek Pytela
              rh-ee-lis Allison Karlitskaya
              Milos Malik