RHEL-50383
Success to attach a unix socket serial with invalid selinux label

      What were you trying to do that didn't work?

      As subject

      Please provide the package NVR for which bug is seen:

      libvirt-10.5.0-1.el10.x86_64
      qemu-kvm-9.0.0-4.el10.x86_64
      libselinux-3.7-2.el10.x86_64
      selinux-policy-40.13.5-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Start a domain
      2. Attach the unix socket serial device with invalid label "xxxx.test.test.s0"

      Device XML:

      <serial type="unix">
        <target type="pci-serial">
          <model name="pci-serial"/>
        </target>
        <source mode="bind" path="/tmp/test1.sock">
          <seclabel model="selinux" relabel="yes">
            <label>xxxx.test.test.s0</label>
          </seclabel>
        </source>
      </serial>
      

      # virsh attach-device rhel /tmp/serial-selinux.xml 
      Device attached successfully

      The type of selinux label is unlabeled_t:

      srwxrwxr-x. 1 qemu qemu system_u:object_r:unlabeled_t:s0 0 Jul 24 04:43 /tmp/test1.sock

      Expected results

      error: unable to set security context 'xxxx.test.test.s0' on '/tmp/test1.sock': Invalid argument

      Actual results

      As above

      Additional info

      It blocked these 2 automation cases:

      It works on RHEL 9.5 with these versions:

      libvirt-10.5.0-4.el9.x86_64
      qemu-kvm-9.0.0-7.el9.x86_64
      selinux-policy-38.1.42-1.el9.noarch
      libselinux-3.6-1.el9.x86_64

      I think the issue is caused by setfilecon_raw() returning 0:

      (gdb) set follow-fork-mode child 
      (gdb) b virSecuritySELinuxSetFileconImpl
      Breakpoint 1 at 0x7f0b02e81360: virSecuritySELinuxSetFileconImpl. (2 locations)
      (gdb) c
      Continuing.
      [Attaching after Thread 0x7f0affe006c0 (LWP 168072) fork to child process 168740]
      [New inferior 2 (process 168740)]
      [Detaching after fork from parent process 168069]
      [Inferior 1 (process 168069) detached]
      [Thread debugging using libthread_db enabled]
      Using host libthread_db library "/lib64/libthread_db.so.1".
      [Switching to Thread 0x7f0affe006c0 (LWP 168740)]
      Thread 2.1 "rpc-virtqemud" hit Breakpoint 1.1, virSecuritySELinuxSetFileconImpl (path=path@entry=0x7f0ae8006380 "/tmp/test1.sock", 
          tcon=tcon@entry=0x7f0ae8002e90 "xxxx.test.test.s0", privileged=true) at ../src/security/security_selinux.c:1297
      1297        VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
      (gdb) n
      1299        if (setfilecon_raw(path, (const char *)tcon) < 0) {
      (gdb) n
      virSecuritySELinuxSetFilecon (mgr=0x7f0a9c026470, path=0x7f0ae8006380 "/tmp/test1.sock", tcon=0x7f0ae8002e90 "xxxx.test.test.s0", remember=<optimized out>)
          at ../src/security/security_selinux.c:1401
      1401        if (rc < 0)
      (gdb) l
      1396                }
      1397            }
      1398        }
      1399
      1400        rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged);
      1401        if (rc < 0)
      1402            goto cleanup;
      1403
      1404        /* Do not try restoring the label if it was not changed
      1405         * (setting it failed in a non-critical fashion) */
      (gdb) p rc
      $1 = 0
      (gdb) c
      Continuing.
      [Inferior 2 (process 168740) exited normally]

      However, invoking setfilecon_raw() directly through the python bindings works on both RHEL10 and RHEL9:

      In [1]: import selinux
      In [2]: selinux.setfilecon_raw("/tmp/test1.sock", 'xxxx.test.test.s0')
      ---------------------------------------------------------------------------
      OSError                                   Traceback (most recent call last)
      Cell In[2], line 1
      ----> 1 selinux.setfilecon_raw("/tmp/test1.sock", 'xxxx.test.test.s0')

      File /usr/lib64/python3.12/site-packages/selinux/__init__.py:618, in setfilecon_raw(path, con)
          617 def setfilecon_raw(path, con):
      --> 618     return _selinux.setfilecon_raw(path, con)

      OSError: [Errno 22] Invalid argument
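      An added example, not code from this report or from libvirt, of the post-attach check a tester or host administrator could run to catch this behaviour: it validates that the requested <label> at least has the user:role:type[:range] shape libselinux expects (which "xxxx.test.test.s0" does not), parses the ls -Z line shown above (embedded here as a constructed sample), flags a socket that ended up as unlabeled_t or with a context other than the one requested, and, when the selinux Python bindings are importable, reads the live context of the path. All function and variable names are my own.

```python
"""Post-attach audit for the SELinux context on a libvirt-managed socket.

Added example (not from the RHEL-50383 report or from libvirt). After
`virsh attach-device` reports success, it checks:
  1. the requested <label> is a syntactically valid SELinux context
     (user:role:type[:range]); "xxxx.test.test.s0" is not, and
  2. the context actually on the file matches the request and is not
     unlabeled_t, which is what the report shows the socket ending up with.
The ls -Z parsing works offline on a captured line; the optional live
check uses the selinux Python bindings when they are installed.
"""
import re

# user:role:type, optionally followed by an MLS/MCS range such as s0 or s0-s0:c0.c1023
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?$")


def is_wellformed_context(label: str) -> bool:
    """True if label has the colon-separated shape libselinux expects.

    This is a syntax check only: a well-formed string can still name a type
    unknown to the loaded policy, which setfilecon() rejects with EINVAL.
    """
    return bool(CONTEXT_RE.match(label))


def parse_ls_z(line: str) -> dict:
    """Parse one 'ls -Z' long-listing line into path, context and type.

    Expected field order: mode links owner group context size month day time path.
    The path is taken as the last whitespace-separated field, so paths
    containing spaces are not supported by this simple parser.
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"not an ls -Z long-listing line: {line!r}")
    context = fields[4]
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"field 5 is not an SELinux context: {context!r}")
    return {"path": fields[-1], "context": context, "type": parts[2]}


def audit_socket_label(requested: str, ls_z_line: str) -> list:
    """Return a list of findings; an empty list means the label is as requested."""
    entry = parse_ls_z(ls_z_line)
    findings = []
    if not is_wellformed_context(requested):
        findings.append(f"requested label {requested!r} is not a well-formed SELinux context")
    if entry["type"] == "unlabeled_t":
        findings.append(f"{entry['path']} carries unlabeled_t: no policy label was applied")
    if entry["context"] != requested:
        findings.append(f"{entry['path']} has {entry['context']!r}, expected {requested!r}")
    return findings


def live_context(path: str):
    """Read the current context of `path` via the selinux bindings, or return
    None when the bindings are not installed (e.g. on a non-SELinux host).
    selinux.getfilecon_raw() returns a [rc, context] pair."""
    try:
        import selinux  # provided by python3-libselinux on RHEL
    except ImportError:
        return None
    return selinux.getfilecon_raw(path)[1]


# Constructed sample input: the ls -Z line from the report, embedded verbatim.
SAMPLE_LS_Z = ("srwxrwxr-x. 1 qemu qemu system_u:object_r:unlabeled_t:s0 0 "
               "Jul 24 04:43 /tmp/test1.sock")
REQUESTED_LABEL = "xxxx.test.test.s0"

if __name__ == "__main__":
    for finding in audit_socket_label(REQUESTED_LABEL, SAMPLE_LS_Z):
        print("FINDING:", finding)
    ctx = live_context("/tmp/test1.sock")
    print("live context:", ctx if ctx is not None else "(selinux bindings unavailable)")
```

      On the report's sample line this produces three findings (malformed request, unlabeled_t on the socket, context mismatch); a socket that received the requested svirt context produces none. The syntax check is deliberately separate from the policy check, because the bug here is precisely that libvirt's setfilecon path returned 0 for a string the library itself rejects.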

              People: Zdenek Pytela (rhn-support-zpytela), Han Han (hanhansolo), SSG Security QE