-
Bug
-
Resolution: Not a Bug
-
Minor
-
rhel-10.0.beta
-
Yes
-
Moderate
-
rhel-sst-security-selinux
-
ssg_security
-
None
-
False
-
-
None
-
None
-
None
-
None
-
None
What were you trying to do that didn't work?
As subject
Please provide the package NVR for which bug is seen:
libvirt-10.5.0-1.el10.x86_64
qemu-kvm-9.0.0-4.el10.x86_64
libselinux-3.7-2.el10.x86_64
selinux-policy-40.13.5-1.el10.noarch
How reproducible:
100%
Steps to reproduce
- Start a domain
- Attach the unix socket serial device with invalid label "xxxx.test.test.s0"
Device XML:
<serial type="unix"> <target type="pci-serial"> <model name="pci-serial"/> </target> <source mode="bind" path="/tmp/test1.sock"> <seclabel model="selinux" relabel="yes"> <label>xxxx.test.test.s0</label> </seclabel> </source> </serial>
# virsh attach-device rhel /tmp/serial-selinux.xml
Device attached successfully
The type of selinux label is unlabeled_t:
srwxrwxr-x. 1 qemu qemu system_u:object_r:unlabeled_t:s0 0 Jul 24 04:43 /tmp/test1.sock
Expected results
error: unable to set security context 'xxxx.test.test.s0' on '/tmp/test1.sock': Invalid argument
Actual results
As above
Additional info
It blocked these 2 automation cases:
- rhel.svirt.selinux.seclabel.per_device.relabel_yes.label_invalid_fmt.serial.cold_plug
- rhel.svirt.selinux.seclabel.per_device.relabel_yes.label_invalid_fmt.serial.hot_plug
It works for RHEL9.5. versions:
libvirt-10.5.0-4.el9.x86_64
qemu-kvm-9.0.0-7.el9.x86_64
selinux-policy-38.1.42-1.el9.noarch
libselinux-3.6-1.el9.x86_64
I think the issue is caued by setfilecon_raw() returns 0:
(gdb) set follow-fork-mode child (gdb) b virSecuritySELinuxSetFileconImpl Breakpoint 1 at 0x7f0b02e81360: virSecuritySELinuxSetFileconImpl. (2 locations) (gdb) c Continuing. [Attaching after Thread 0x7f0affe006c0 (LWP 168072) fork to child process 168740] [New inferior 2 (process 168740)] [Detaching after fork from parent process 168069] [Inferior 1 (process 168069) detached] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". [Switching to Thread 0x7f0affe006c0 (LWP 168740)]Thread 2.1 "rpc-virtqemud" hit Breakpoint 1.1, virSecuritySELinuxSetFileconImpl (path=path@entry=0x7f0ae8006380 "/tmp/test1.sock", tcon=tcon@entry=0x7f0ae8002e90 "xxxx.test.test.s0", privileged=true) at ../src/security/security_selinux.c:1297 1297 VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon); (gdb) n 1299 if (setfilecon_raw(path, (const char *)tcon) < 0) { (gdb) n virSecuritySELinuxSetFilecon (mgr=0x7f0a9c026470, path=0x7f0ae8006380 "/tmp/test1.sock", tcon=0x7f0ae8002e90 "xxxx.test.test.s0", remember=<optimized out>) at ../src/security/security_selinux.c:1401 1401 if (rc < 0) (gdb) l 1396 } 1397 } 1398 } 1399 1400 rc = virSecuritySELinuxSetFileconImpl(path, tcon, privileged); 1401 if (rc < 0) 1402 goto cleanup; 1403 1404 /* Do not try restoring the label if it was not changed 1405 * (setting it failed in a non-critical fashion) */ (gdb) p rc $1 = 0 (gdb) c Continuing. [Inferior 2 (process 168740) exited normally]
However, invoking setfilecon_raw() directly by python bindings works on both RHEL10 and RHEL9:
In [1]: import selinux In [2]: selinux.setfilecon_raw("/tmp/test1.sock", 'xxxx.test.test.s0') --------------------------------------------------------------------------- OSError Traceback (most recent call last) Cell In[2], line 1 ----> 1 selinux.setfilecon_raw("/tmp/test1.sock", 'xxxx.test.test.s0')File /usr/lib64/python3.12/site-packages/selinux/__init__.py:618, in setfilecon_raw(path, con) 617 def setfilecon_raw(path, con): --> 618 return _selinux.setfilecon_raw(path, con)OSError: [Errno 22] Invalid argument
