From 0e9eb7760eefea4cc56774353e28162b299a3343 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Tue, 17 Dec 2024 09:46:04 +0100 Subject: [PATCH 01/13] Allow request-key to manage all domains' keys It looks like it may need to access all sorts of keys read-write, so let's allow it a broad access to avoid issues in the future. Resolves: RHEL-71490 Signed-off-by: Ondrej Mosnacek --- policy/modules/contrib/keyutils.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te index 7f380a7708..aefcb33ed5 100644 --- a/policy/modules/contrib/keyutils.te +++ b/policy/modules/contrib/keyutils.te @@ -22,9 +22,7 @@ allow keyutils_request_t keyutils_request_exec_t:file execute_no_trans; corecmd_exec_bin(keyutils_request_t) -domain_read_view_all_domains_keyrings(keyutils_request_t) - -init_write_key(keyutils_request_t) +domain_manage_all_domains_keyrings(keyutils_request_t) optional_policy(` init_search_pid_dirs(keyutils_request_t) From 15295e405c7e7626ac1836d1756e7f4c77116b65 Mon Sep 17 00:00:00 2001 
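Review bot: Replacing `domain_read_view_all_domains_keyrings` and `init_write_key` with `domain_manage_all_domains_keyrings` grants keyutils_request_t write, setattr and link on every domain's keyrings, and the message cites no denial, only a wish to "avoid issues in the future". The same domain executes helper programs through the `corecmd_exec_bin` context line at the top of the hunk, so the grant extends to whatever those helpers do. I would record the concrete operation that needed write access beyond init's keyring so a later reviewer can judge whether a narrower interface is enough, e.g. `# request-key helpers need read-write access to the requesting domain's keys (RHEL-71490)` above the new line.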
From: Ondrej Mosnacek Date: Tue, 17 Dec 2024 09:52:18 +0100 Subject: [PATCH 02/13] Allow request-key to read /etc/passwd Fixes: time->Tue Dec 17 04:00:26 2024 type=PROCTITLE msg=audit(1734426026.600:118): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330 type=SYSCALL msg=audit(1734426026.600:118): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2c2e2c11bb a2=80000 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null) type=AVC msg=audit(1734426026.600:118): avc: denied { open } for pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 type=AVC msg=audit(1734426026.600:118): avc: denied { read } for pid=1373 comm="request-key-deb" name="passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 ---- time->Tue Dec 17 04:00:26 2024 type=PROCTITLE msg=audit(1734426026.600:119): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330 type=SYSCALL msg=audit(1734426026.600:119): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdfaab8f80 a2=7f2c2e2f8f20 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null) type=AVC msg=audit(1734426026.600:119): avc: denied { getattr } for pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 
scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1 Resolves: RHEL-71490 Signed-off-by: Ondrej Mosnacek --- policy/modules/contrib/keyutils.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te index aefcb33ed5..5bbe04144e 100644 --- a/policy/modules/contrib/keyutils.te +++ b/policy/modules/contrib/keyutils.te @@ -24,6 +24,10 @@ corecmd_exec_bin(keyutils_request_t) domain_manage_all_domains_keyrings(keyutils_request_t) +optional_policy(` + auth_read_passwd(keyutils_request_t) +') + optional_policy(` init_search_pid_dirs(keyutils_request_t) logging_send_syslog_msg(keyutils_request_t) From 6e070ec15a03cdf20c7dd80976322ea02dca0aac Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 22 Oct 2024 23:00:05 +0200 Subject: [PATCH 03/13] Confine the ktls service The ktls-utils package provides a TLS handshake user agent that listens for kernel requests and then materializes a user space socket endpoint on which to perform these handshakes. The resulting negotiated session parameters are passed back to the kernel via standard kTLS socket options. Resolves: RHEL-42672 --- dist/targeted/modules.conf | 8 ++++++++ policy/modules/contrib/ktls.fc | 1 + policy/modules/contrib/ktls.if | 1 + policy/modules/contrib/ktls.te | 13 +++++++++++++ 4 files changed, 23 insertions(+) create mode 100644 policy/modules/contrib/ktls.fc create mode 100644 policy/modules/contrib/ktls.if create mode 100644 policy/modules/contrib/ktls.te diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf index 5dba805a1a..abbfdf49ae 100644 --- a/dist/targeted/modules.conf +++ b/dist/targeted/modules.conf @@ -3092,3 +3092,11 @@ iiosensorproxy = module # # pcm = module + +# Layer: contrib +# Module: ktls +# +# Policy for ktls - TLS handshake agent for kernel sockets +# +# +ktls = module 
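Review bot: `auth_read_passwd(keyutils_request_t)` is wrapped in `optional_policy`, yet in refpolicy-derived trees authlogin is a base module whose interfaces are normally called bare, like `corecmd_exec_bin` a few lines above; if that holds here the wrapper is noise and the call can sit unwrapped next to the keyring rule. The quoted denials come from `comm=request-key-deb`, i.e. the debug helper script run under `/usr/bin/bash`, not from the request-key binary itself; the grant is harmless for a world-readable file, but the commit should say the need is script-driven so nobody later assumes the binary requires it.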
diff --git a/policy/modules/contrib/ktls.fc b/policy/modules/contrib/ktls.fc new file mode 100644 index 0000000000..4545ca7b09 --- /dev/null +++ b/policy/modules/contrib/ktls.fc @@ -0,0 +1 @@ +/usr/sbin/tlshd -- gen_context(system_u:object_r:ktlshd_exec_t,s0) diff --git a/policy/modules/contrib/ktls.if b/policy/modules/contrib/ktls.if new file mode 100644 index 0000000000..d6041be3b3 --- /dev/null +++ b/policy/modules/contrib/ktls.if @@ -0,0 +1 @@ +## ktls - TLS handshake agent for kernel sockets diff --git a/policy/modules/contrib/ktls.te b/policy/modules/contrib/ktls.te new file mode 100644 index 0000000000..b1efe9951d --- /dev/null +++ b/policy/modules/contrib/ktls.te @@ -0,0 +1,13 @@ +policy_module(ktls, 1.0) + +######################################## +# +# Declarations +# + +type ktlshd_t; +type ktlshd_exec_t; +init_daemon_domain(ktlshd_t, ktlshd_exec_t) + +permissive ktlshd_t; + From d745cf0c8ecab0eb881527d606833099aa005345 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 17 Dec 2024 12:48:01 +0100 Subject: [PATCH 04/13] Update ktlsh policy Resolves: RHEL-42672 --- policy/modules/contrib/ktls.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/ktls.te b/policy/modules/contrib/ktls.te index b1efe9951d..04b15a861f 100644 --- a/policy/modules/contrib/ktls.te +++ b/policy/modules/contrib/ktls.te @@ -11,3 +11,9 @@ init_daemon_domain(ktlshd_t, ktlshd_exec_t) permissive ktlshd_t; +allow ktlshd_t self:netlink_generic_socket create_socket_perms; +allow ktlshd_t self:unix_dgram_socket create_socket_perms; + +optional_policy(` + logging_send_syslog_msg(ktlshd_t) +') From ae5b877689bb8a2fedacd271d6ce68faf0c3f1af Mon Sep 17 00:00:00 2001 
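Review bot: `permissive ktlshd_t;` ships the new domain enforcing nothing: with only `init_daemon_domain` above it, every access tlshd makes (the kernel request channel, the TLS credentials it has to read, the sockets it performs handshakes on per the commit description) is allowed and merely audited. That is a normal bring-up step, but the line carries no marker that it is temporary; I would tag it `# TODO(RHEL-42672): drop permissive once the domain is complete` so it does not survive into a release. The `.fc` entry labels only `/usr/sbin/tlshd`; if the package also ships a configuration or credential directory, those paths will keep the default label and need entries later.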
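Review bot: `allow ktlshd_t self:unix_dgram_socket create_socket_perms;` is very likely already granted by the `logging_send_syslog_msg` call just below it, since upstream's interface allows `self:unix_dgram_socket create_socket_perms` for the syslog datagram socket; if this tree's interface matches, the explicit line is redundant, and if the socket serves another purpose that should be said in a comment. The netlink_generic_socket rule presumably is the handshake channel to the kernel and deserves a why-comment such as `# kernel handshake requests arrive over genetlink`. Because the domain is still `permissive`, whatever else tlshd needs (TCP socket permissions, reading its certificates and keys) has not yet been exercised by denials in enforcing mode.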
From: Zdenek Pytela Date: Mon, 18 Nov 2024 15:58:09 +0100 Subject: [PATCH 05/13] Allow gnome-remote-desktop dbus chat with policykit The commit addresses the following USER_AVC denial: type=USER_AVC msg=audit(10/26/2024 06:47:07.080:612) : pid=792 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:gnome_remote_desktop_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' Resolves: RHEL-35877 --- policy/modules/contrib/gnome_remote_desktop.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te index 48c3d11e81..f1712c993a 100644 --- a/policy/modules/contrib/gnome_remote_desktop.te +++ b/policy/modules/contrib/gnome_remote_desktop.te @@ -62,6 +62,10 @@ optional_policy(` miscfiles_read_localization(gnome_remote_desktop_t) ') +optional_policy(` + policykit_dbus_chat(gnome_remote_desktop_t) +') + optional_policy(` systemd_login_list_pid_dirs(gnome_remote_desktop_t) systemd_login_read_pid_files(gnome_remote_desktop_t) From 23bf33c8881d37f4eb4524369817d9721f50aabd Mon Sep 17 00:00:00 2001 
From: Zdenek Pytela Date: Thu, 2 Jan 2025 15:36:12 +0100 Subject: [PATCH 06/13] Allow virtqemud relabel tun_socket The commit addresses the following AVC denial: type=PROCTITLE msg=audit(12/16/2024 03:49:11.325:19674) : proctitle=/usr/sbin/virtqemud --timeout 120 type=AVC msg=audit(12/16/2024 03:49:11.325:19674) : avc: denied { relabelfrom } for pid=500526 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1 type=AVC msg=audit(12/16/2024 03:49:11.325:19674) : avc: denied { relabelto } for pid=500526 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1 type=SYSCALL msg=audit(12/16/2024 03:49:11.325:19674) : arch=aarch64 syscall=ioctl success=yes exit=0 a0=0x1a a1=0x400454ca a2=0xffffa57dd800 a3=0x0 items=0 ppid=1 pid=500526 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) Resolves: RHEL-71394 --- policy/modules/contrib/virt.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index f7cbed42d1..bcd8e0f3dc 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2109,7 +2109,7 @@ allow virtqemud_t self:cap_userns kill; allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write }; allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate }; allow virtqemud_t self:tcp_socket create_socket_perms; -allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:tun_socket { create relabelfrom relabelto }; allow virtqemud_t self:udp_socket { connect create getattr }; allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom; From 2de6b529108b89ef74a5e88f259dd7c243f8f15c Mon Sep 17 00:00:00 2001 
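Review bot: The new `relabelfrom relabelto` on `self:tun_socket` is evidenced only for the case where both the old and the new socket label are virtqemud_t (scontext and tcontext in the quoted AVC are identical, on an `ioctl` with a1=0x400454ca, which is TUNSETIFF). If the same code path runs after libvirt has switched its socket-create context to the guest label, the relabel target becomes the svirt domain and this self rule will not cover it; a second permissive run with a running guest before closing RHEL-71394 would settle that. Either way the line deserves a why-comment, e.g. `# relabel of the tun socket during TUNSETIFF (RHEL-71394)`.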
From: Zdenek Pytela Date: Thu, 2 Jan 2025 18:03:20 +0100 Subject: [PATCH 07/13] Allow virtqemud relabelfrom virt_log_t files This is a follow-up commit to 5749a0a44e36 ("Allow virtqemud relabelfrom virt_log_t files"), as it turned out also relabelfrom is needed. The commit addresses the following AVC denial: type=PROCTITLE msg=audit(12/20/2024 09:06:12.607:2598) : proctitle=/usr/sbin/virtqemud --timeout 120 type=AVC msg=audit(12/20/2024 09:06:12.607:2598) : avc: denied { relabelto } for pid=39137 comm=rpc-virtqemud name=rhel-swtpm.log dev="dm-0" ino=202517283 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(12/20/2024 09:06:12.607:2598) : arch=x86_64 syscall=setxattr success=yes exit=0 a0=0x55eb6bf9fa70 a1=0x7ff13bb37197 a2=0x7ff11c06a700 a3=0x20 items=0 ppid=38650 pid=39137 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) Resolves: RHEL-48236 --- policy/modules/contrib/virt.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index bcd8e0f3dc..0449b9248a 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2144,7 +2144,7 @@ files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file) allow virtqemud_t virtqemud_var_run_t:dir relabelfrom; allow virtqemud_t virtqemud_var_run_t:sock_file relabelfrom; -allow virtqemud_t virt_log_t:file relabelfrom; +allow virtqemud_t virt_log_t:file relabel_file_perms; manage_dirs_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) manage_dirs_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t) From ca153a13b9b6fac6a5bfed22ffc675c061295b6e Mon Sep 17 00:00:00 2001 
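Review bot: The subject and the sentence "as it turned out also relabelfrom is needed" name the wrong permission: the referenced commit 5749a0a44e36 already added `relabelfrom`, and the quoted AVC and the change itself add `relabelto` (through `relabel_file_perms`). The rule is right; only the commit text should say relabelto. Since virtqemud can now relabel virt_log_t files in both directions, it can move files out of the log type, so a why-comment tied to the evidence, e.g. `# swtpm log files are relabeled at domain start (RHEL-48236)`, would help the next reader (name=rhel-swtpm.log in the denial).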
From: Zdenek Pytela Date: Thu, 2 Jan 2025 20:48:54 +0100 Subject: [PATCH 08/13] Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on This is a follow-up to 40017f3726c2 ("Allow virtqemud manage nfs files when virt_use_nfs boolean is on") as additional permissionsfor virtqemud are needed, too. The permission set is now the same as it previously was for virtd_t. The commit addresses the following AVC denial example: type=PROCTITLE msg=audit(12/12/2024 04:31:01.442:783) : proctitle=/usr/sbin/virtqemud --timeout 120 type=PATH msg=audit(12/12/2024 04:31:01.442:783) : item=1 name=/var/lib/libvirt/swtpm/311bdd21-5945-4928-ab14-b258acfba1e4/tpm2 inode=29363572 dev=00:31 mode=dir,700 ouid=tss ogid=tss rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(12/12/2024 04:31:01.442:783) : item=0 name=/var/lib/libvirt/swtpm/311bdd21-5945-4928-ab14-b258acfba1e4/ inode=25170736 dev=00:31 mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(12/12/2024 04:31:01.442:783) : arch=x86_64 syscall=rmdir success=yes exit=0 a0=0x7f598c091d60 a1=0x7f598c0aa120 a2=0x40000 a3=0x4002 items=2 ppid=1 pid=6537 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(12/12/2024 04:31:01.442:783) : avc: denied { rmdir } for pid=6537 comm=rpc-virtqemud name=tpm2 dev="0:49" ino=29363572 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1 type=AVC msg=audit(12/12/2024 04:31:01.442:783) : avc: denied { remove_name } for pid=6537 comm=rpc-virtqemud name=tpm2 dev="0:49" ino=29363572 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1 
Resolves: RHEL-71068 --- policy/modules/contrib/virt.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0449b9248a..6dc4b631b0 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2257,7 +2257,10 @@ tunable_policy(`virtqemud_use_execmem',` ') tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtqemud_t) fs_manage_nfs_files(virtqemud_t) + fs_read_nfs_symlinks(virtqemud_t) + fs_mmap_nfs_files(virtqemud_t) ') optional_policy(` From acb91e245250122a541e7f19630ff5e8d402e14f Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Thu, 2 Jan 2025 21:16:54 +0100 Subject: [PATCH 09/13] Allow virtqemud the getpgid process permission This permission is needed when a virtiofs device is hotunplugged. The commit addresses the following AVC denial: type=PROCTITLE msg=audit(07/05/2024 03:29:05.489:79517) : proctitle=/usr/sbin/virtqemud --timeout 120 type=AVC msg=audit(07/05/2024 03:29:05.489:79517) : avc: denied { getpgid } for pid=730181 comm=qemu-event scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(07/05/2024 03:29:05.489:79517) : arch=aarch64 syscall=getpgid success=yes exit=730729 a0=0xb266a a1=0xffffbd0a1af8 a2=0x0 a3=0x0 items=0 ppid=1 pid=730181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-event exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) Resolves: RHEL-46357 --- policy/modules/contrib/virt.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 6dc4b631b0..665ca1c8d2 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te 
@@ -2107,7 +2107,7 @@ allow virtqemud_t self:capability2 { bpf perfmon }; allow virtqemud_t self:cap_userns kill; allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write }; -allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate }; +allow virtqemud_t self:process { getpgid setcap setexec setrlimit setsched setsockcreate }; allow virtqemud_t self:tcp_socket create_socket_perms; allow virtqemud_t self:tun_socket { create relabelfrom relabelto }; allow virtqemud_t self:udp_socket { connect create getattr }; From ccce0da1393bf2842ee3d0b926819f470d4c2d29 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Thu, 2 Jan 2025 21:57:40 +0100 Subject: [PATCH 10/13] Allow virtqemud permissions needed for live migration Command which triggers the denials: virsh migrate source qemu+ssh://${target}/system --live --verbose Resolves: RHEL-43217 --- policy/modules/contrib/virt.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 665ca1c8d2..8198bc7dda 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2114,7 +2114,10 @@ allow virtqemud_t self:udp_socket { connect create getattr }; allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom; -allow virtqemud_t svirt_t:process { getattr setsched signal signull transition }; +allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms; +allow virtqemud_t svirt_t:process { getattr getrlimit setsched signal signull transition }; +allow virtqemud_t svirt_t:tcp_socket create_stream_socket_perms; +allow virtqemud_t svirt_t:udp_socket create_socket_perms; allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; From 9304e84033789e6219920c116281fa83cef66ae5 Mon Sep 17 00:00:00 2001 
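Review bot: Unlike the rest of the series, the migration hunk cites no AVC records, yet it grants virtqemud_t full create/bind/listen/accept permissions on sockets labelled svirt_t in three classes (`netlink_route_socket`, `tcp_socket`, `udp_socket`) plus `getrlimit` on the guest process. Presumably these are sockets libvirt creates under `setsockcreatecon` (it has `setsockcreate` on the context line above) and hands to qemu for the migration stream, but that is not recoverable from the hunk; the udp and netlink_route cases in particular should be backed by the denials the quoted `virsh migrate` produced, and the block documented with something like `# sockets created with the guest label and passed to qemu for live migration (RHEL-43217)`. If a narrower set than `create_stream_socket_perms` satisfies the denials, prefer it.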
From: Zdenek Pytela Date: Tue, 17 Dec 2024 16:13:35 +0100 Subject: [PATCH 11/13] Allow ssh_t read systemd config files This denials is triggered for a confined user running the ssh command with new systemd in place which contains /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf The commit addresses the following AVC denial: type=PROCTITLE msg=audit(12/17/2024 10:12:02.296:1297) : proctitle=ssh hostname type=SYSCALL msg=audit(12/17/2024 10:12:02.296:1297) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x557fc44a7a80 a2=O_RDONLY a3=0x0 items=0 ppid=3510 pid=3581 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts2 ses=7 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(12/17/2024 10:12:02.296:1297) : avc: denied { open } for pid=3581 comm=ssh path=/usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf dev="vda2" ino=175565 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0 Resolves: RHEL-53972 --- policy/modules/services/ssh.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index b1da95169a..e9d4b82791 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -262,6 +262,10 @@ optional_policy(` kerberos_read_keytab(ssh_t) ') +optional_policy(` + systemd_read_conf_files(ssh_t) +') + optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) From ad4a5418c8744fecfe706ab9235b4f2c0ca61da3 Mon Sep 17 00:00:00 2001 
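Review bot: `systemd_read_conf_files(ssh_t)` grants read on every systemd_conf_t file (unit drop-ins and other systemd configuration), while the denial concerns a single ssh client drop-in under /usr/lib/systemd/ssh_config.d/; that is acceptable for root-owned configuration, but the reason should live next to the rule, e.g. `# ssh_config.d drop-in 20-systemd-ssh-proxy.conf shipped by systemd (RHEL-53972)`. The `optional_policy` wrapper matches the neighbouring kerberos block, although if systemd is a base module in this tree it is not needed.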
From: Zdenek Pytela Date: Thu, 2 Jan 2025 22:24:44 +0100 Subject: [PATCH 12/13] Support virt live migration using ssh Triggered by the following command: virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain hostname --desturi qemu+ssh://\{target}/system Resolves: RHEL-53972 --- policy/modules/contrib/virt.if | 19 +++++++++++++++++++ policy/modules/contrib/virt.te | 1 + policy/modules/services/ssh.te | 4 ++++ 3 files changed, 24 insertions(+) diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if index abb53988ed..626ee548c0 100644 --- a/policy/modules/contrib/virt.if +++ b/policy/modules/contrib/virt.if @@ -2141,3 +2141,22 @@ interface(`virt_manage_qemu_pid_sock_files',` files_search_pids($1) manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t) ') + +######################################## +## +## Allow the specified domain to ioctl +## virtqemud over a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`virt_virtqemud_ioctl_stream_sockets',` + gen_require(` + type virtqemud_t; + ') + + allow $1 virtqemud_t:unix_stream_socket ioctl; +') diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 8198bc7dda..a325cb01ad 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2294,6 +2294,7 @@ optional_policy(` optional_policy(` ssh_domtrans_ssh(virtqemud_t) + ssh_signal(virtqemud_t) ') optional_policy(` diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index e9d4b82791..0ab8ad12bd 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -266,6 +266,10 @@ optional_policy(` systemd_read_conf_files(ssh_t) ') +optional_policy(` + virt_virtqemud_ioctl_stream_sockets(ssh_t) +') + optional_policy(` xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) xserver_domtrans_xauth(ssh_t) From 6d2ceaacdaa9a6bce361af8c2eaa6b4a1eb132ea Mon Sep 17 00:00:00 2001 
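Review bot: `allow $1 virtqemud_t:unix_stream_socket ioctl;` in the new interface (consumed from ssh.te) most plausibly covers ssh probing its inherited stdio with isatty()-style TTY ioctls, which fail with ENOTTY on a socket regardless of policy; if a permissive run confirms that, a `dontaudit` is the usual answer rather than an allow, or, where the tree uses extended permissions, an `allowxperm` limited to the observed ioctl numbers. The hunk quotes no AVC for this, so the ioctl command is not recoverable here and the interface comment should at least say which caller and why. Separately, the `Resolves: RHEL-53972` trailer repeats patch 11's ticket while the described command is the migration one from patch 10 (RHEL-43217); please confirm the reference.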
From: Zdenek Pytela Date: Fri, 3 Jan 2025 11:28:26 +0100 Subject: [PATCH 13/13] Allow virtqemud domain transition on numad execution The commit addresses the following AVC denial: type=AVC msg=audit(1730798043.779:27002): avc: denied { execute } for pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1 Resolves: RHEL-65789 --- policy/modules/contrib/virt.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index a325cb01ad..5fdfcc3553 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2274,6 +2274,10 @@ optional_policy(` dnsmasq_filetrans_named_content_fromdir(virtqemud_t, virtqemud_var_run_t) ') +optional_policy(` + numad_domtrans(virtqemud_t) +') + optional_policy(` qemu_exec(virtqemud_t) ')