RHEL-65502

[rhel-9.6] libguestfs + passt + root + direct mode fails with a permission denied error

    • Bug
    • Resolution: Unresolved
    • Undefined
    • rhel-9.6
    • rhel-9.6
    • passt
    • Yes
    • Critical
    • rhel-sst-virtualization-networking
    • ssg_virtualization
    • QE ack
    • False
    • The reproducer does not trigger SELinux denials.
    • x86_64

      What were you trying to do that didn't work?

      libguestfs + RHEL 9.6 + passt + root + direct mode fails with a permission denied error.

      The original issue is: https://issues.redhat.com/browse/RHEL-39669

      What is the impact of this issue to you?

      The virt-customize command fails when direct mode is used.

      Please provide the package NVR for which the bug is seen:

      RHEL-9.6.0-20241103.2

      kernel-5.14.0-522.el9.x86_64

      libguestfs-1.54.0-2.el9.x86_64

      passt-0^20240806.gee36266-2.el9

      How reproducible is this bug?: 100%

      Steps to reproduce

      [root@dell-per750-66 topo]# rpm -q passt
      passt-0^20240806.gee36266-2.el9.x86_64
      [root@dell-per750-66 topo]# yum provides passt
      Updating Subscription Management repositories.
      Unable to read consumer identity
      This system is not registered with an entitlement server. You can use "rhc" or "subscription-manager" to register.
      Last metadata expiration check: 2:54:51 ago on Wed 06 Nov 2024 05:08:36 AM EST.
      passt-0^20240806.gee36266-2.el9.x86_64 : User-mode networking daemons for virtual machines and namespaces
      Repo        : @System
      Matched from:
      Provide    : passt = 0^20240806.gee36266-2.el9
      passt-0^20240806.gee36266-2.el9.x86_64 : User-mode networking daemons for virtual machines and namespaces
      Repo        : beaker-AppStream
      Matched from:
      Provide    : passt = 0^20240806.gee36266-2.el9
      [root@dell-per750-66 topo]# cat /etc/yum.repos.d/beaker-AppStream.repo 
      [beaker-AppStream]
      name=beaker-AppStream
      baseurl=http://download.eng.pek2.redhat.com/rhel-9/composes/RHEL-9/RHEL-9.6.0-20241103.2/compose/AppStream/x86_64/os
      enabled=1
      gpgcheck=0
      skip_if_unavailable=1
      [root@dell-per750-66 topo]#  LIBGUESTFS_BACKEND=direct guestfish --network -a /dev/null run
      [root@dell-per750-66 topo]# tail -f /var/log/audit/audit.log 
      type=PROCTITLE msg=audit(1730898130.207:6370): proctitle=7061737374002D2D6F6E652D6F6666002D2D736F636B6574002F746D702F6C6962677565737466734B51736A50642F70617373742E736F636B002D2D706964002F746D702F6C6962677565737466734B51736A50642F7061737374322E706964002D2D61646472657373003136392E3235342E322E3135002D2D6E65746D6173
      type=AVC msg=audit(1730898130.207:6371): avc:  denied  { search } for  pid=314716 comm="passt.avx2" name="mc" dev="dm-0" ino=608820 scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1730898130.207:6371): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5587e2251a60 a2=80000 a3=0 items=0 ppid=314710 pid=314716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1730898130.207:6371): proctitle=7061737374002D2D6F6E652D6F6666002D2D736F636B6574002F746D702F6C6962677565737466734B51736A50642F70617373742E736F636B002D2D706964002F746D702F6C6962677565737466734B51736A50642F7061737374322E706964002D2D61646472657373003136392E3235342E322E3135002D2D6E65746D6173
      type=AVC msg=audit(1730898147.045:6372): avc:  denied  { search } for  pid=314762 comm="passt.avx2" name="mc" dev="dm-0" ino=608820 scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1730898147.045:6372): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562ab99ada60 a2=80000 a3=0 items=0 ppid=314756 pid=314762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1730898147.045:6372): proctitle=7061737374002D2D6F6E652D6F6666002D2D736F636B6574002F746D702F6C69626775657374667372634D696D532F70617373742E736F636B002D2D706964002F746D702F6C69626775657374667372634D696D532F7061737374322E706964002D2D61646472657373003136392E3235342E322E3135002D2D6E65746D6173
      type=AVC msg=audit(1730898147.045:6373): avc:  denied  { search } for  pid=314762 comm="passt.avx2" name="mc" dev="dm-0" ino=608820 scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1730898147.045:6373): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562ab99ada60 a2=80000 a3=0 items=0 ppid=314756 pid=314762 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1730898147.045:6373): proctitle=7061737374002D2D6F6E652D6F6666002D2D736F636B6574002F746D702F6C69626775657374667372634D696D532F70617373742E736F636B002D2D706964002F746D702F6C69626775657374667372634D696D532F7061737374322E706964002D2D61646472657373003136392E3235342E322E3135002D2D6E65746D6173
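As an added example (not part of this report, nor code from the passt or libguestfs projects), the Python below parses raw audit.log records like the ones above, groups the AVC, SYSCALL and PROCTITLE records of one event by audit serial, and decodes the hex-encoded proctitle so the passt command line that libguestfs launched becomes readable. The sample records are the first denial event (serial 6371) copied from the excerpt above, with the enriched fields that follow key=(null) on the SYSCALL record omitted; everything else is plain audit record format.

```python
import re
from collections import defaultdict

# Constructed sample: the first denial event (serial 6371) copied from the
# audit.log excerpt in the report, with the enriched fields that follow
# key=(null) on the SYSCALL record omitted. The PROCTITLE record is truncated
# in the report itself, so the decoded command line ends mid-option.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1730898130.207:6371): avc:  denied  { search } for  pid=314716 comm="passt.avx2" name="mc" dev="dm-0" ino=608820 scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1730898130.207:6371): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5587e2251a60 a2=80000 a3=0 items=0 ppid=314710 pid=314716 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1730898130.207:6371): proctitle=7061737374002D2D6F6E652D6F6666002D2D736F636B6574002F746D702F6C6962677565737466734B51736A50642F70617373742E736F636B002D2D706964002F746D702F6C6962677565737466734B51736A50642F7061737374322E706964002D2D61646472657373003136392E3235342E322E3135002D2D6E65746D6173
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; a value is either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict, or return None for non-record lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if a:
            rec["result"] = a["result"]
            rec["permissions"] = a["perms"].split()
            body = a["rest"]
    for key, value in FIELD_RE.findall(body):
        quoted = value.startswith('"')
        rec[key] = value[1:-1] if quoted else value
        if key == "proctitle":
            # audit hex-encodes proctitle when argv contains NUL, spaces or quotes;
            # a plain single-word title is emitted double-quoted instead
            rec["proctitle_is_hex"] = not quoted
    return rec


def decode_proctitle(value, is_hex=True):
    """Turn a PROCTITLE value back into argv (hex-encoded argv is NUL-separated)."""
    if not is_hex:
        return [value]
    return bytes.fromhex(value).decode("utf-8", errors="replace").split("\0")


def group_events(text):
    """Group records by audit serial so the AVC, SYSCALL and PROCTITLE of one event sit together."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def summarize_denials(text):
    """Return one summary dict per denied AVC event, in serial order."""
    summaries = []
    for serial, recs in sorted(group_events(text).items()):
        avc = recs.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        source = avc["scontext"].split(":")
        target = avc["tcontext"].split(":")
        summary = {
            "serial": serial,
            "comm": avc.get("comm"),
            "source_type": source[2],        # SELinux type of the subject (domain)
            "target_type": target[2],        # SELinux type of the object
            "tclass": avc["tclass"],
            "permissions": avc["permissions"],
            "target_name": avc.get("name"),  # last path component only
            "target_inode": (avc.get("dev"), avc.get("ino")),
            "enforcing": avc.get("permissive") == "0",
        }
        syscall = recs.get("SYSCALL")
        if syscall:
            summary["syscall"] = syscall.get("syscall")   # raw number unless log is enriched
            summary["exit"] = int(syscall["exit"])        # negative errno, e.g. -13 == EACCES
            summary["exe"] = syscall.get("exe")
        proctitle = recs.get("PROCTITLE")
        if proctitle:
            summary["argv"] = decode_proctitle(
                proctitle["proctitle"], proctitle.get("proctitle_is_hex", True)
            )
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for s in summarize_denials(SAMPLE_AUDIT_LOG):
        print(f"event {s['serial']}: {s['source_type']} -> {s['target_type']} "
              f"({s['tclass']} {' '.join(s['permissions'])}) name={s['target_name']} "
              f"enforcing={s['enforcing']} exit={s.get('exit')}")
        print("  argv:", " ".join(s.get("argv", [])))
```

Run on the sample, the summary shows passt_t denied search on a dir labelled sssd_public_t in enforcing mode, from an openat (syscall 257 on x86_64) that failed with -13 (EACCES), and the decoded argv passt --one-off --socket /tmp/libguestfsKQsjPd/passt.sock --pid /tmp/libguestfsKQsjPd/passt2.pid --address 169.254.2.15 --netmas, cut off where the record is. The name= field is only the last path component; to confirm which "mc" directory was hit, look the inode up on the filesystem behind dev=dm-0 (for example find / -xdev -inum 608820, assuming dm-0 is the root filesystem).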

      sealert output

      sealert -a /var/log/audit/audit.log 
      100% done
      found 1 alerts in /var/log/audit/audit.log
      --------------------------------------------------------------------------------

      SELinux is preventing /usr/bin/passt.avx2 from search access on the directory mc.

      *****  Plugin catchall (100. confidence) suggests   **************************

      If you believe that passt.avx2 should be allowed search access on the mc directory by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'passt.avx2' --raw | audit2allow -M my-passtavx2
      # semodule -X 300 -i my-passtavx2.pp
      Additional Information:
      Source Context                unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023
      Target Context                system_u:object_r:sssd_public_t:s0
      Target Objects                mc [ dir ]
      Source                        passt.avx2
      Source Path                   /usr/bin/passt.avx2
      Port                          <Unknown>
      Host                          <Unknown>
      Source RPM Packages           passt-0^20231204.gb86afe3-1.el9.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-38.1.47-1.el9.noarch
      Local Policy RPM              <Unknown>
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     dell-per740-60.rhts.eng.pek2.redhat.com
      Platform                      Linux dell-per740-60.rhts.eng.pek2.redhat.com
                                    5.14.0-522.el9.x86_64+rt #1 SMP PREEMPT_RT Sun Oct
                                    20 10:50:39 EDT 2024 x86_64 x86_64
      Alert Count                   8
      First Seen                    2024-11-01 04:33:17 EDT
      Last Seen                     2024-11-01 04:46:00 EDT
      Local ID                      981f4014-d04d-462b-bc1a-2aee74e1e8c0

      Raw Audit Messages
      type=AVC msg=audit(1730450760.640:2064): avc:  denied  { search } for  pid=51605 comm="passt.avx2" name="mc" dev="dm-0" ino=67411991 scontext=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1730450760.640:2064): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=55bca2b47a60 a2=80000 a3=0 items=0 ppid=51600 pid=51605 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=passt.avx2 exe=/usr/bin/passt.avx2 subj=unconfined_u:unconfined_r:passt_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID=root UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

      Hash: passt.avx2,passt_t,sssd_public_t,dir,search

      Expected results

       

      Actual results

       
       

              sbrivio@redhat.com Stefano Brivio
              mhou@redhat.com Minxi Hou
              Stefano Brivio
              Lei Yang