• selinux-policy-40.13.25-1.el10
    • Critical
    • rhel-sst-security-selinux
    • ssg_security
    • Red Hat Enterprise Linux
    • SELINUX 250219: 2
    • Unspecified Release Note Type - Unknown

      What were you trying to do that didn't work?

      Migrating a VM peer-to-peer over ssh, setting migration URIs:

      virsh migrate avocado-vt-vm1 --live --p2p --verbose --listen-address 10.0.160.202 --postcopy qemu+ssh://10.0.160.202:22/system

      What is the impact of this issue to you?

      Critical, machines can't be migrated with SELinux enabled.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.24-1.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Set up passwordless ssh with ssh-copy-id
      2. Enable nfs for image storage (label virt_use_nfs on)
      3. Have iscsi/d installed on the source host
      4. NFS share the VM's image folder and mount on destination with the same path
      5. Launch p2p migration
         virsh migrate avocado-vt-vm1 --live --p2p --verbose --listen-address 10.0.160.202 --postcopy qemu+ssh://10.0.160.202:22/system

      Expected results

      The migration finishes successfully.

      Actual results

      The migration crashes with the error:

      [stdlog] error: Cannot recv data: Warning: Permanently added '10.0.160.202' (ED25519) to the list of known hosts.
      [stdlog] virt-ssh-helper: could not proxy traffic: internal error: EOF on stdin: Connection reset by peer
      

      Additional info

      The attached SELinux policy file fixes the migration when loaded on the source host.
      Also attaching the test log in case we have more questions about required accesses.

      Regarding the proposed rules (see attachment):

      1. virtnetworkd_t: it uses dnsmasq and iptables for a libvirt-managed virtual network; assume ifconfig_t is necessary for the same reason
      2. ssh_t to virtqemu_t: the daemon is connected to via ssh
      3. svirt_t accesses var_lib_t to access the image in its original location. For this, libvirt usually runs as the root user. This is expected here to be a custom path below /var/lib for the test framework
      4. NetworkManager_dispatcher_X: assume this is NetworkManager standard logic when starting, restarting, etc. Assume init_t is involved, for example, for libvirt's network or iscsid to be available early since host boot
      5. kernel_t kmod_t: assume required to load modules
      6. sshd_t chkpwd_t: assume required to check password
      7. ssh_t shadow_t: assume required for passwordless ssh

              rhn-support-zpytela Zdenek Pytela
              smitterl@redhat.com Sebastian Mitterle
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
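
Before a workaround module like the one attached to this report is loaded, its allow rules can be checked for grants that touch credential or generically labelled types. The following is an added example, not the attachment or the project's code: the module text, its classes and permissions, and the REVIEW_TARGETS notes are constructed assumptions built around the type pairs listed in the report.

```python
import re
from collections import defaultdict

# Constructed sample of a local policy module (.te). Type names follow the
# report; object classes and permissions are assumptions for illustration.
SAMPLE_TE = """\
module local_p2p_migration 1.0;
# workaround rules under review
allow ssh_t shadow_t:file { getattr open read };
allow ssh_t virtqemu_t:unix_stream_socket connectto;
allow svirt_t var_lib_t:file { open read write };
allow svirt_t var_lib_t:file getattr;
allow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };
"""

# Reviewer-chosen target types that deserve a second look (assumption).
REVIEW_TARGETS = {
    "shadow_t": "credential store; confirm the access is really needed",
    "var_lib_t": "generic /var/lib label; grant reaches beyond the image path",
}

# allow <source> <target>:<class> <perm> | { <perm> ... };
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def parse_allow_rules(te_text):
    """Return {(source, target, class): set(perms)}, merging duplicate rules."""
    te_text = re.sub(r"#.*", "", te_text)  # drop comments
    merged = defaultdict(set)
    for src, tgt, cls, perms in RULE_RE.findall(te_text):
        merged[(src, tgt, cls)].update(perms.strip("{} ").split())
    return dict(merged)


def review(te_text):
    """List merged rules whose target type is in REVIEW_TARGETS."""
    findings = []
    for (src, tgt, cls), perms in sorted(parse_allow_rules(te_text).items()):
        if tgt in REVIEW_TARGETS:
            findings.append((src, tgt, cls, sorted(perms), REVIEW_TARGETS[tgt]))
    return findings


if __name__ == "__main__":
    for src, tgt, cls, perms, why in review(SAMPLE_TE):
        print(f"REVIEW allow {src} {tgt}:{cls} {{ {' '.join(perms)} }} -> {why}")
```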