Bug 1034082

Summary: qemu-ga: document selinux policy for read/write of guest files
Product: Red Hat Enterprise Linux 7
Reporter: Shaolong Hu <shu>
Component: qemu-kvm
Assignee: Amos Kong <akong>
Status: CLOSED WONTFIX
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Priority: unspecified
Version: 7.0
CC: acathrow, ailan, akong, areis, bsarathy, dkelson, dyasny, hhuang, juzhang, lcapitulino, mgrepl, michen, mkenneth, mrezanin, qzhang, rhod, shuang, sluo, tlavigne, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Clone Of: 839832
Last Closed: 2014-03-17 10:07:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 839831, 839832

Comment 4 Amos Kong 2013-12-02 09:54:54 UTC
Hi Qunfang,

You did a good job in [1] testing that all the SELinux policies work.
Can you test RHEL 7, or guide someone to test it?

Thanks, Amos

[1] https://bugzilla.redhat.com/show_bug.cgi?id=839832#c10

Comment 6 Amos Kong 2014-02-26 09:09:54 UTC
I have tested it myself; clearing the needinfo flag.

Comment 7 Amos Kong 2014-02-26 09:28:43 UTC
Hi Miroslav,

We added some SELinux policy that affects the read/write permissions of
/usr/bin/qemu-ga in the guest.

How can we enable/disable this single policy (affecting only
qemu-ga)?

Enabling/disabling SELinux by changing /etc/sysconfig/selinux
affects all the policies.

Thanks, Amos

Comment 8 Miroslav Grepl 2014-02-27 09:56:28 UTC
(In reply to Amos Kong from comment #7)
> Hi Miroslav,
> 
> We added some SELinux policy that affects the read/write permissions of
> /usr/bin/qemu-ga in the guest.
> 

Which one?

> How can we enable/disable this single policy (affecting only
> qemu-ga)?

You can add a local policy module with rules.

> Enabling/disabling SELinux by changing /etc/sysconfig/selinux
> affects all the policies.
> 
> Thanks, Amos

Comment 9 Miroslav Grepl 2014-02-27 10:00:14 UTC
You can do something like:

semodule -n -i qemuga_local.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
fi

Comment 11 Amos Kong 2014-03-03 05:30:26 UTC
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

* Disable the qemu-ga policies by changing the qemu-ga security context to the default 'bin_t'
[root@localhost ~]# chcon -t bin_t /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/qemu-ga

* Restart the qemu-ga service
[root@localhost ~]# service qemu-guest-agent restart

* Restore the security context to virt_qemu_ga_exec_t; the policies will take effect.
[root@localhost ~]# restorecon /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

Actually, we need to enable the qemu-ga policies all the time; they both
enable some useful (for security) AVC messages and suppress some useless
(for legal behavior) AVC messages.
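Added example, not part of this bug report: a small POSIX shell helper that classifies the qemu-ga binary's SELinux label the way comment 11 does, telling the confined virt_qemu_ga_exec_t label apart from the generic bin_t label under which the qemu-ga policy is bypassed. Function names, and the default path /usr/bin/qemu-ga taken from the listing above, are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug): inspect the
# SELinux file context of the guest agent binary, as printed by `ls -lZ`.

# Print the type field (third colon-separated component) of a full
# context such as system_u:object_r:virt_qemu_ga_exec_t:s0.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one `ls -lZ` output line for the qemu-ga binary. Prints:
#   enforced   - labelled virt_qemu_ga_exec_t, so the qemu-ga policy applies
#   bypassed   - labelled bin_t, the state after `chcon -t bin_t` in comment 11
#   unexpected - any other label (or no context found on the line)
qemu_ga_policy_state() {
    line=$1
    # The context is the whitespace-separated field containing at least
    # three colons (user:role:type:level); MLS ranges add more colons but
    # keep the type in position 3.
    ctx=$(printf '%s\n' "$line" | tr ' ' '\n' \
          | grep -E '^[^:]+:[^:]+:[^:]+:' | head -n1)
    case $(selinux_type_of "$ctx") in
        virt_qemu_ga_exec_t) echo enforced ;;
        bin_t)               echo bypassed ;;
        *)                   echo unexpected ;;
    esac
}

# Read the live label on an SELinux-enabled guest (same listing shape as
# the ls -lZ output quoted in the bug). Prints "missing" if the binary
# is not installed, so the check is safe to run anywhere.
live_qemu_ga_state() {
    path=${1:-/usr/bin/qemu-ga}
    [ -e "$path" ] || { echo missing; return 0; }
    qemu_ga_policy_state "$(ls -lZ "$path" 2>/dev/null)"
}
```

On a guest, `live_qemu_ga_state` printing anything other than `enforced` means the agent is running outside its confined domain and a `restorecon /usr/bin/qemu-ga` plus service restart, as in comment 11, is needed.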

Comment 12 Miroslav Grepl 2014-03-03 09:40:42 UTC
I would suggest making the virt_qemu_ga_t policy permissive if there is a problem.

# semanage permissive -a virt_qemu_ga_t

This will cause nothing to be blocked for this type, while AVC messages are still generated.

Comment 13 Amos Kong 2014-03-17 10:07:14 UTC
As we discussed on the mailing list, I opened a new SELinux bug [1] to add a new boolean to enable/disable the policies of qemu-ga, and we will add documentation in the release notes.
So I am closing this qemu-kvm doc bug.

[1] Bug 1071981 - introduce a SELinux boolean to enable/disable guest file access from qemu-ga