SELinux denials related to vif-route-qubes #8292

Open
marmarek opened this issue Jun 25, 2023 · 2 comments
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: networking needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@marmarek
Member

Qubes OS release

R4.2

Brief summary

Starting an HVM results in some SELinux denials on the network backend side (sys-firewall). Later the VM failed to start (libxl_create.c:2000:domcreate_attach_devices: Domain 19:unable to add vif devices), although I'm not sure if it's caused directly by those denials (I do see them also related to successful VM startups).

Steps to reproduce

  1. Try to start an HVM domain (it was fedora-38 using an in-VM kernel, but not sure if that matters).

Expected behavior

Starts successfully, and no SELinux denials are logged.

Actual behavior

https://openqa.qubes-os.org/tests/76111

[2023-06-24 02:14:50] [  739.997845] vif vif-18-0 vif18.0: Guest Rx ready
[2023-06-24 02:14:50] [  739.997980] IPv6: ADDRCONF(NETDEV_CHANGE): vif18.0: link becomes ready
[2023-06-24 02:15:17] [  766.697929] vif vif-17-0 vif17.0: Guest Rx ready
[2023-06-24 02:15:17] [  766.698216] IPv6: ADDRCONF(NETDEV_CHANGE): vif17.0: link becomes ready
[2023-06-24 02:15:23] [  773.189221] kauditd_printk_skb: 42 callbacks suppressed
[2023-06-24 02:15:23] [  773.189276] audit: type=1325 audit(1687587322.833:204): table=qubes-firewall:65 family=2 entries=5 op=nft_register_chain pid=2070 subj=system_u:system_r:unconfined_service_t:s0 comm="nft"
[2023-06-24 02:15:23] [  773.192215] audit: type=1300 audit(1687587322.833:204): arch=c000003e syscall=46 success=yes exit=420 a0=3 a1=7ffc33f15440 a2=0 a3=6ffdcbfb1c84 items=0 ppid=508 pid=2070 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" subj=system_u:system_r:unconfined_service_t:s0 key=(null)
[2023-06-24 02:15:23] [  773.193932] audit: type=1327 audit(1687587322.833:204): proctitle=6E6674002D66002F6465762F737464696E
[2023-06-24 02:16:37] [  846.992869] audit: type=1325 audit(1687587396.638:205): table=qubes:66 family=2 entries=2 op=nft_unregister_setelem pid=2133 subj=system_u:system_r:iptables_t:s0 comm="nft"
[2023-06-24 02:16:37] [  846.994212] audit: type=1300 audit(1687587396.638:205): arch=c000003e syscall=46 success=yes exit=188 a0=3 a1=7ffc06305e30 a2=0 a3=7fe664d50c84 items=0 ppid=2072 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nft" exe="/usr/sbin/nft" subj=system_u:system_r:iptables_t:s0 key=(null)
[2023-06-24 02:16:37] [  846.995184] audit: type=1327 audit(1687587396.638:205): proctitle=6E66740064656C65746520656C656D656E7420697020717562657320616C6C6F776564207B202276696631382E3022202E2031302E3133372E302E3137207D0A64656C65746520656C656D656E7420697020717562657320646F776E73747265616D207B2031302E3133372E302E3137207D
[2023-06-24 02:16:37] [  846.998898] audit: type=1400 audit(1687587396.643:206): avc:  denied  { read write } for  pid=2138 comm="ip" path="/dev/xen/xenbus" dev="devtmpfs" ino=94 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
[2023-06-24 02:16:37] [  846.999974] audit: type=1300 audit(1687587396.643:206): arch=c000003e syscall=59 success=yes exit=0 a0=5d336b889fa0 a1=5d336b8a4b30 a2=5d336b88a170 a3=1b6 items=0 ppid=2072 pid=2138 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
[2023-06-24 02:16:37] [  847.000830] audit: type=1309 audit(1687587396.643:206): argc=8 a0="ip" a1="route" a2="del" a3="10.137.0.17" a4="dev" a5="vif18.0" a6="metric" a7="32734"
[2023-06-24 02:16:37] [  847.001456] audit: type=1327 audit(1687587396.643:206): proctitle=697000726F7574650064656C0031302E3133372E302E3137006465760076696631382E30006D6574726963003332373334
[2023-06-24 02:16:37] [  847.023678] audit: type=1400 audit(1687587396.668:207): avc:  denied  { read write } for  pid=2144 comm="ip" path="/dev/xen/xenbus" dev="devtmpfs" ino=94 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=chr_file permissive=0
[2023-06-24 02:16:37] [  847.024329] audit: type=1300 audit(1687587396.668:207): arch=c000003e syscall=59 success=yes exit=0 a0=5d336b89bbb0 a1=5d336b85c0d0 a2=5d336b8c97b0 a3=1b6 items=0 ppid=2072 pid=2144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ip" exe="/usr/sbin/ip" subj=system_u:system_r:ifconfig_t:s0 key=(null)
[2023-06-24 02:16:37] [  847.025461] audit: type=1309 audit(1687587396.668:207): argc=6 a0="ip" a1="addr" a2="del" a3="10.138.20.171/32" a4="dev" a5="vif18.0"
[2023-06-24 02:16:37] [  846.816226] root[2145]: /etc/xen/scripts/vif-route-qubes: /etc/xen/scripts/vif-route-qubes failed; error detected.
@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. C: networking labels Jun 25, 2023
@marmarek marmarek added this to the Release 4.2 milestone Jun 25, 2023
@marmarek
Member Author

I have no idea why ip would access /dev/xen/xenbus, maybe it's an FD leaked by xl devd process? Needs checking.

@DemiMarie DemiMarie self-assigned this Jun 25, 2023
@DemiMarie

Confirmed. xl devd leaks a file descriptor to /dev/xen/xenbus and a file descriptor to /var/log/xldevd.log to its child processes. I don’t see any reference to the file descriptor numbers in the environment so I suspect this is not intentional.

@andrewdavidwong andrewdavidwong added the needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. label Jun 26, 2023
@andrewdavidwong andrewdavidwong added the affects-4.2 This issue affects Qubes OS 4.2. label Aug 8, 2023
@andrewdavidwong andrewdavidwong removed this from the Release 4.2 milestone Aug 13, 2023
@DemiMarie DemiMarie removed their assignment Mar 6, 2024
hubot pushed a commit to xen-project/xen that referenced this issue May 7, 2024
The header description for xs_open() goes as far as to suggest that the fd is
O_CLOEXEC, but it isn't actually.

`xl devd` has been observed leaking /dev/xen/xenbus into children.

Link: QubesOS/qubes-issues#8292
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
hubot pushed a commit to xen-project/xen that referenced this issue May 21, 2024
The header description for xs_open() goes as far as to suggest that the fd is
O_CLOEXEC, but it isn't actually.

`xl devd` has been observed leaking /dev/xen/xenbus into children.

Link: QubesOS/qubes-issues#8292
Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
master commit: f4f2f34
master date: 2024-05-07 15:18:36 +0100
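The descriptor leak DemiMarie confirmed above, and the O_CLOEXEC fix the commit message describes, as an added example (not code from this issue, from Xen, or from Qubes): the leaky open() beside the fixed one, plus a check that forks, execs /bin/sh and asks the shell whether it can still reach the descriptor, which is how the xenbus fd reached the hook script and the `ip` it spawns. /dev/null stands in for /dev/xen/xenbus and the function names are my own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the bug behaves: a plain open() leaves the fd inheritable by every
 * exec()ed child, so it shows up in the hook script's and ip's fd table. */
int open_leaky(const char *path) { return open(path, O_RDONLY); }

/* The fix: O_CLOEXEC at open time closes the fd atomically on exec(). */
int open_cloexec(const char *path) { return open(path, O_RDONLY | O_CLOEXEC); }

/* Mitigation for a descriptor you did not open yourself: set FD_CLOEXEC
 * afterwards. Not atomic against a concurrent fork+exec in another thread. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork, exec /bin/sh and have it dup the numbered fd onto stdout.
 * Returns 1 if the child could still use the fd (it leaked), 0 if the fd
 * was closed across exec, -1 on fork/wait failure. */
int fd_visible_after_exec(int fd)
{
    char num[16];
    snprintf(num, sizeof num, "%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* ": >&N" succeeds only if fd N is open in the exec()ed shell. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : >&$1", "sh", num, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    /* /dev/null stands in for /dev/xen/xenbus (constructed example). */
    int leaky = open_leaky("/dev/null");
    int safe  = open_cloexec("/dev/null");
    printf("plain open:       leaks=%d\n", fd_visible_after_exec(leaky));
    printf("O_CLOEXEC open:   leaks=%d\n", fd_visible_after_exec(safe));
    mark_cloexec(leaky);
    printf("after FD_CLOEXEC: leaks=%d\n", fd_visible_after_exec(leaky));
    return 0;
}
```

On a live system the same check is `ls -l /proc/<pid>/fd` on the spawned hook script or `ip` process, which lists every inherited descriptor and its target path.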

3 participants