No sVirt protection for VMs due to disabled SELinux in 'nova_libvirt' container.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Critical | Cédric Jeanneret |
Bug Description
[Heads-Up: I first reported this to Red Hat's Product Security Team, and they have analyzed the issue and got this CVE number assigned to the problem: CVE-2020-10731; still embargoed, as of 27-May-2020.]
Summary
-------
No sVirt protection for VMs due to disabled SELinux in 'nova_libvirt' container.
Problem Description
-------------------
The 'nova_libvirt' container that TripleO generates has SELinux disabled. This is the container where the libvirt daemon (`libvirtd`) runs, which in turn means that all OSP-16 VMs have _no_ sVirt protection.
On IRC, Oliver Walsh <email address hidden> pointed out a patch to 'openstack/
https:/
Steps to Reproduce
------------------
(0) Setup a TripleO-based deployment, and ensure at least one VM is launched on the Compute node. (Please refer to the Red Hat documentation about this; it's too long to write it down here.)
(1) Log into the OSP-16 Compute node and check the SELinux status _outside_ the container:
[root@compute-1 ~]# getenforce
Enforcing
(2) However, SELinux is *disabled* in the 'nova_libvirt' container, which spawns the virtual machines (VMs):
[root@compute-1 ~]# podman exec -u root -it nova_libvirt bash
()[
Disabled
Actual Results
--------------
Consequently, any VM will now have no SELinux-based sVirt protection. This can be observed as follows. Log into the 'nova_libvirt' container:
[root@Compute_1 /]# podman exec -u root -it nova_libvirt bash
Then check the "Security model" status of a running (or offline) Nova
instance via:
()[
Security model: none
Security DOI: 0
Notice the "Security model: none"; for a protected instance it must instead read (but does not):
"Security model: selinux"
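The host check in step (1), the container check in step (2) and the `virsh dominfo` check above, combined into one audit script. This is an added example, not code from the bug report or from TripleO: it parses `virsh dominfo` output for the "Security model" line and, in `audit_node`, runs the same three checks on a live compute node. It assumes the container name `nova_libvirt` and the `getenforce`, `podman` and `virsh` commands used above; the two dominfo samples are constructed from the output shown in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit sVirt status on a TripleO
# compute node. Host-side SELinux, container-side SELinux, then every libvirt
# domain's "Security model" line. Assumes the container name nova_libvirt and
# the getenforce/podman/virsh commands from the report.

# Extract the security model from "virsh dominfo" output; "none" when absent.
dominfo_security_model() {
    # $1 = full dominfo text
    printf '%s\n' "$1" | awk -F': *' '/^Security model:/ {print $2; found=1}
                                       END {if (!found) print "none"}'
}

# Exit status 0 when sVirt (SELinux) is active for the domain, 1 otherwise.
svirt_protected() {
    [ "$(dominfo_security_model "$1")" = "selinux" ]
}

# Live audit of a compute node; run as root on the node. Not executed here.
audit_node() {
    container=${1:-nova_libvirt}
    echo "host SELinux:      $(getenforce)"
    echo "container SELinux: $(podman exec -u root "$container" getenforce)"
    # Report every domain (running or offline) whose security model is not selinux.
    podman exec -u root "$container" virsh list --name --all | while read -r dom; do
        [ -n "$dom" ] || continue
        info=$(podman exec -u root "$container" virsh dominfo "$dom")
        if svirt_protected "$info"; then
            echo "OK      $dom: security model selinux"
        else
            echo "MISSING $dom: security model $(dominfo_security_model "$info")"
        fi
    done
}

# Constructed sample dominfo output: the broken state from the report and the
# expected state after the fix.
SAMPLE_BROKEN='Id:             1
Name:           instance-00000001
State:          running
Security model: none
Security DOI:   0'

SAMPLE_FIXED='Id:             1
Name:           instance-00000001
State:          running
Security model: selinux
Security DOI:   0'
```

`audit_node` flags any domain whose model is not `selinux`, so an offline instance with no security line at all is reported as `none` rather than silently skipped.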
Expected Results
----------------
The 'nova_libvirt' container must have SELinux enabled, so that TripleO-based Nova VMs have sVirt protection.
* * *
Thanks
------
Lukas Bezdicka <email address hidden>
Daniel Berrangé <email address hidden>
Lukas ran into this error in a downstream (OSP) environment, and Daniel helped with libvirt expertise and root-cause analysis.
CVE References: CVE-2020-10731
Changed in tripleo:
  milestone: none → victoria-1
  importance: Undecided → Critical
  status: New → Triaged
Changed in tripleo:
  milestone: victoria-1 → victoria-3
  information type: Private Security → Public
  information type: Public → Public Security
Changed in tripleo:
  milestone: victoria-3 → wallaby-1
Changed in tripleo:
  milestone: wallaby-1 → wallaby-2
Changed in tripleo:
  milestone: wallaby-2 → wallaby-3
Changed in tripleo:
  milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
  milestone: wallaby-rc1 → xena-1
Changed in tripleo:
  milestone: xena-1 → xena-2
Update:
Piotr Kopec <email address hidden> from Red Hat today has confirmed that by reverting the above-mentioned patch[*], SELinux is correctly enabled inside the 'nova_libvirt' container. And I've also verified it in the environment:
[heat-admin@compute-1 ~]$ sudo podman exec -it nova_libvirt bash
()[root@compute-1 /]#
()[root@compute-0 /]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
However, Piotr informs on IRC that just simply removing the option in TripleO might not be a good idea, "as it will change the API".
I'll let Piotr chime in here.
[*] https://review.opendev.org/#/c/631235/ "nova-libvirt: conditionalize selinux bind-mount"
-------
[stack@undercloud-0 openstack-tripleo-heat-templates]$ git diff deployment/nova/nova-libvirt-container-puppet.yaml
  - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
  - /var/lib/vhost_sockets:/var/lib/vhost_sockets:z
  - /var/lib/nova:/var/lib/nova:shared
  - /sys/fs/selinux:/sys/fs/selinux
  if:
  - use_tls_for_live_migration
-------
[stack@undercloud-0 ~]$ cd /usr/share/
[stack@undercloud-0 openstack-
diff --git a/deployment/
index 4e02e66..4dea2fa 100644
--- a/deployment/
+++ b/deployment/
@@ -705,12 +705,7 @@ outputs:
- -
- if:
- - docker_enabled
- -
- - /sys/fs/
- - null
+ - /sys/fs/
-
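Review bot: the hunk removes the `if: docker_enabled` branch that mounted `/sys/fs/` (the path is truncated in this copy of the diff; the footnoted change calls it the selinux bind-mount) only under Docker and yielded `null` otherwise, and mounts it unconditionally instead, which is why podman-based deployments now get the mount and libvirtd inside nova_libvirt can see SELinux; since this drops a template conditional (the API change Piotr raised above), the commit message should state that explicitly, and verification should cover both `getenforce` inside the container returning Enforcing and `virsh dominfo` reporting `Security model: selinux` for a running instance.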
-------