fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

systemd should be allowed access to vsock sockets #1892

Closed DaanDeMeyer closed 9 months ago

DaanDeMeyer commented 11 months ago

In its latest release, systemd has gained features that make use of AF_VSOCK. Currently using these features leads to selinux denials.

Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { connect } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { getopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1

It'd be great if these could be allowed.
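
The denials above are the raw material a policy maintainer works from: the same (source type, target type, class) tuple repeated with one permission per record. The following added example, which is not part of the issue and not from the selinux-policy or systemd projects, parses AVC records in that format, aggregates the permissions per tuple, and renders the aggregate as a TE allow rule plus a minimal policy module, the same kind of output one would get from audit2allow. The sample lines are the five records from this report, embedded as a constructed string; the module name `local_vsock` is an arbitrary assumption. Note that every record carries `permissive=1`: the process was in permissive mode, so the denial was logged but the operation still succeeded.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC records quoted in this issue.
SAMPLE_AVCS = """\
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { connect } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { getopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
Oct 05 12:20:55 fedora audit[1]: AVC avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=vsock_socket permissive=1
"""

# One AVC record: "avc: denied { perm [perm ...] } ... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Aggregate denials: {(source_type, target_type, tclass): {perm, ...}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record (SYSCALL, PATH, ... are skipped)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def count_enforced(text):
    """Count denials that were actually blocked (permissive=0 or flag absent)."""
    return sum(
        1 for line in text.splitlines()
        if (m := AVC_RE.search(line)) and m["permissive"] != "1"
    )


def to_allow_rules(rules):
    """Render each aggregated tuple as a TE allow rule ('self' when source == target)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def to_module(rules, name="local_vsock"):
    """Wrap the allow rules in a minimal loadable policy module with a require block."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += to_allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVCS)
    print(f"enforced denials: {count_enforced(SAMPLE_AVCS)}")
    print(to_module(parsed))
```

Feeding it the journal output (`journalctl -g AVC` in the reproducer VM) yields `allow init_t self:vsock_socket { bind connect create getopt setopt };`. A module like this is only a local workaround for testing; the durable fix belongs in the distribution policy, which is what the PR linked later in this issue does.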

zpytela commented 11 months ago

@DaanDeMeyer thanks for reporting, is there a simple way of reproducing?

DaanDeMeyer commented 11 months ago

git clone https://github.com/systemd/mkosi
cd mkosi

Write the following to mkosi.conf in mkosi/:

[Distribution]
Release=39

[Content]
Bootable=yes
Autologin=yes
Packages=
    attr
    coreutils
    kernel-core
    systemd
    systemd-boot
    udev
    util-linux
    less
    python3
    bubblewrap
    policycoreutils
    policycoreutils-python-utils
    selinux-policy
    selinux-policy-devel
    selinux-policy-targeted
    setools-console

[Host]
KernelCommandLineExtra=enforcing=0

And then run:

bin/mkosi --tools-tree=default -f qemu

You'll end up in a VM where you can run journalctl -g AVC and it will contain these denials.

Since the vsock stuff relies on VMs I don't have a simpler reproducer at hand.

zpytela commented 11 months ago

I am sorry, I was able to make that work only on F38, where there is just an older systemd. I wanted to see the results in full auditing: https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Is it a result of this change?

DaanDeMeyer commented 11 months ago

Yes indeed, that's the one.

zpytela commented 9 months ago

Closing as there is now a PR: https://github.com/fedora-selinux/selinux-policy/pull/1952. Sorry for the delay.

DaanDeMeyer commented 9 months ago

Thanks for taking the time to fix this!