Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C10s 20250103 build #2504

Merged
merged 13 commits into from
Jan 3, 2025
Merged

C10s 20250103 build #2504

merged 13 commits into from
Jan 3, 2025

Conversation

zpytela
Copy link
Contributor

@zpytela zpytela commented Jan 3, 2025

No description provided.

WOnder93 and others added 13 commits January 3, 2025 13:34
@WOnder93 @zpytela
Allow request-key to manage all domains' keys
0e9eb77 
It looks like it may need to access all sorts of keys read-write, so
let's allow it a broad access to avoid issues in the future.

Resolves: RHEL-71490
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
@WOnder93 @zpytela
Allow request-key to read /etc/passwd
15295e4 
Fixes:
time->Tue Dec 17 04:00:26 2024
type=PROCTITLE msg=audit(1734426026.600:118): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330
type=SYSCALL msg=audit(1734426026.600:118): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2c2e2c11bb a2=80000 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734426026.600:118): avc:  denied  { open } for  pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1734426026.600:118): avc:  denied  { read } for  pid=1373 comm="request-key-deb" name="passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Tue Dec 17 04:00:26 2024
type=PROCTITLE msg=audit(1734426026.600:119): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330
type=SYSCALL msg=audit(1734426026.600:119): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdfaab8f80 a2=7f2c2e2f8f20 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734426026.600:119): avc:  denied  { getattr } for  pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

Resolves: RHEL-71490
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
@zpytela
Confine the ktls service
6e070ec 
The ktls-utils package provides a TLS handshake user agent that listens
for kernel requests and then materializes a user space socket endpoint
on which to perform these handshakes. The resulting negotiated session
parameters are passed back to the kernel via standard kTLS socket
options.

Resolves: RHEL-42672
@zpytela
Update ktlsh policy
d745cf0 
Resolves: RHEL-42672
@zpytela
Allow gnome-remote-desktop dbus chat with policykit
ae5b877 
The commit addresses the following USER_AVC denial:
type=USER_AVC msg=audit(10/26/2024 06:47:07.080:612) : pid=792 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:gnome_remote_desktop_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'

Resolves: RHEL-35877
@zpytela
Allow virtqemud relabel tun_socket
23bf33c 
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(12/16/2024 03:49:11.325:19674) : proctitle=/usr/sbin/virtqemud --timeout 120
type=AVC msg=audit(12/16/2024 03:49:11.325:19674) : avc:  denied  { relabelfrom } for  pid=500526 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(12/16/2024 03:49:11.325:19674) : avc:  denied  { relabelto } for  pid=500526 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=SYSCALL msg=audit(12/16/2024 03:49:11.325:19674) : arch=aarch64 syscall=ioctl success=yes exit=0 a0=0x1a a1=0x400454ca a2=0xffffa57dd800 a3=0x0 items=0 ppid=1 pid=500526 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)

Resolves: RHEL-71394
@zpytela
Allow virtqemud relabelfrom virt_log_t files
2de6b52 
This is a follow-up commit to 5749a0a ("Allow virtqemud relabelfrom
virt_log_t files"), as it turned out also relabelfrom is needed.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(12/20/2024 09:06:12.607:2598) : proctitle=/usr/sbin/virtqemud --timeout 120
type=AVC msg=audit(12/20/2024 09:06:12.607:2598) : avc:  denied  { relabelto } for  pid=39137 comm=rpc-virtqemud name=rhel-swtpm.log dev="dm-0" ino=202517283 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(12/20/2024 09:06:12.607:2598) : arch=x86_64 syscall=setxattr success=yes exit=0 a0=0x55eb6bf9fa70 a1=0x7ff13bb37197 a2=0x7ff11c06a700 a3=0x20 items=0 ppid=38650 pid=39137 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)

Resolves: RHEL-48236
@zpytela
Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
ca153a1 
This is a follow-up to 40017f3 ("Allow virtqemud manage nfs files
when virt_use_nfs boolean is on") as additional permissionsfor virtqemud
are needed, too. The permission set is now the same as it previously was
for virtd_t.

The commit addresses the following AVC denial example:
type=PROCTITLE msg=audit(12/12/2024 04:31:01.442:783) : proctitle=/usr/sbin/virtqemud --timeout 120
type=PATH msg=audit(12/12/2024 04:31:01.442:783) : item=1 name=/var/lib/libvirt/swtpm/311bdd21-5945-4928-ab14-b258acfba1e4/tpm2 inode=29363572 dev=00:31 mode=dir,700 ouid=tss ogid=tss rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/12/2024 04:31:01.442:783) : item=0 name=/var/lib/libvirt/swtpm/311bdd21-5945-4928-ab14-b258acfba1e4/ inode=25170736 dev=00:31 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(12/12/2024 04:31:01.442:783) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=0x7f598c091d60 a1=0x7f598c0aa120 a2=0x40000 a3=0x4002 items=2 ppid=1 pid=6537 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(12/12/2024 04:31:01.442:783) : avc:  denied  { rmdir } for  pid=6537 comm=rpc-virtqemud name=tpm2 dev="0:49" ino=29363572 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(12/12/2024 04:31:01.442:783) : avc:  denied  { remove_name } for  pid=6537 comm=rpc-virtqemud name=tpm2 dev="0:49" ino=29363572 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1

Resolves: RHEL-71068
@zpytela
Allow virtqemud the getpgid process permission
acb91e2 
This permission is needed when a virtiofs device is hotunplugged.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/05/2024 03:29:05.489:79517) : proctitle=/usr/sbin/virtqemud --timeout 120
type=AVC msg=audit(07/05/2024 03:29:05.489:79517) : avc:  denied  { getpgid } for  pid=730181 comm=qemu-event scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(07/05/2024 03:29:05.489:79517) : arch=aarch64 syscall=getpgid success=yes exit=730729 a0=0xb266a a1=0xffffbd0a1af8 a2=0x0 a3=0x0 items=0 ppid=1 pid=730181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-event exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)

Resolves: RHEL-46357
@zpytela
Allow virtqemud permissions needed for live migration
ccce0da 
Command which triggers the denials:
virsh migrate source qemu+ssh://${target}/system --live --verbose

Resolves: RHEL-43217
@zpytela
Allow ssh_t read systemd config files
9304e84 
This denials is triggered for a confined user running the ssh
command with new systemd in place which contains
/usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(12/17/2024 10:12:02.296:1297) : proctitle=ssh hostname
type=SYSCALL msg=audit(12/17/2024 10:12:02.296:1297) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x557fc44a7a80 a2=O_RDONLY a3=0x0 items=0 ppid=3510 pid=3581 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts2 ses=7 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/17/2024 10:12:02.296:1297) : avc:  denied  { open } for  pid=3581 comm=ssh path=/usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf dev="vda2" ino=175565 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0

Resolves: RHEL-53972
@zpytela
Support virt live migration using ssh
ad4a541 
Triggered by the following command:
virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain hostname --desturi qemu+ssh://\{target}/system

Resolves: RHEL-53972
@zpytela
Allow virtqemud domain transition on numad execution
6d2ceaa 
The commit addresses the following AVC denial:
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute } for  pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1

Resolves: RHEL-65789
@zpytela zpytela merged commit c4b8bc4 into fedora-selinux:c10s Jan 3, 2025
1 of 4 checks passed
@zpytela zpytela deleted the c10s-20250103-build branch January 3, 2025 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zpytela @WOnder93