Bug 1274958

Summary:	SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.
Product:	[Fedora] Fedora	Reporter:	poma <pomidorabelisima>
Component:	systemd	Assignee:	systemd-maint
Status:	CLOSED DEFERRED	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	high
Version:	rawhide	CC:	cfergeau, dwalsh, johannbg, lnykryn, lvrabec, msekleta, pomidorabelisima, s, systemd-maint, zbyszek
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-01-16 09:12:18 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description poma 2015-10-24 04:42:47 UTC

Description of problem:
SE breaks spice-vdagent overall functionality.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-155.fc24.noarch

How reproducible:
101%

Steps to Reproduce:
1. Run Fedora-Live-Xfce-x86_64-rawhide-20151022.iso within libvirt domain.

Actual results:
spice-vdagent doesn't work.

Expected results:
spice-vdagent works.

Additional info:

# sealert -a /var/log/audit/audit.log 
100% done
found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.3.0-0.rc6.git1.1.fc24.x86_64 #1
                              SMP Tue Oct 20 15:25:10 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-10-24 00:14:21 EDT
Last Seen                     2015-10-24 00:15:05 EDT
Local ID                      d837d7be-1b97-44ea-bb49-cdbfb9974702

Raw Audit Messages
type=AVC msg=audit(1445660105.724:741): avc:  denied  { getattr } for  pid=1202 comm="spice-vdagentd" name="/" dev="tmpfs" ino=1181 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

--------------------------------------------------------------------------------

# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# cat mypol.te 

module mypol 1.0;

require {
	type tmpfs_t;
	type vdagent_t;
	class filesystem getattr;
}

#============= vdagent_t ==============
allow vdagent_t tmpfs_t:filesystem getattr;

Comment 1 Miroslav Grepl 2015-11-11 08:20:39 UTC

Could you please add your output of 

ls -lZ /sys/fs/cgroup/

Comment 2 poma 2015-11-13 17:41:30 UTC

# systemctl status spice-vdagentd.service
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2015-11-13 12:20:09 EST; 13min ago
  Process: 989 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/SUCCESS)
  Process: 984 ExecStartPre=/bin/rm -f /var/run/spice-vdagentd/spice-vdagent-sock (code=exited, status=0/SUCCESS)
 Main PID: 998 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─998 /usr/sbin/spice-vdagentd

Nov 13 12:20:08 localhost systemd[1]: Starting Agent daemon for Spice guests...
Nov 13 12:20:09 localhost systemd[1]: Started Agent daemon for Spice guests.
Nov 13 12:20:17 localhost spice-vdagentd[998]: Error getting session for pid 1831: Permission denied


# ps uq 1831
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
liveuser  1831  0.0  0.1  38948  2056 ?        Ss   12:20   0:00 /usr/bin/spice-vdagent


# grep -i spice /var/log/audit/audit.log 
type=SERVICE_START msg=audit(1447435209.085:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=spice-vdagentd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1447435217.843:504): avc:  denied  { getattr } for  pid=998 comm="spice-vdagentd" name="/" dev="tmpfs" ino=10199 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


# ll -Z /sys/fs/cgroup/
total 0
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 blkio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpu -> cpu,cpuacct
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpuacct -> cpu,cpuacct
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 cpu,cpuacct
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 cpuset
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 devices
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 freezer
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 hugetlb
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 memory
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_cls -> net_cls,net_prio
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 net_cls,net_prio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_prio -> net_cls,net_prio
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 perf_event
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 pids
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 systemd


# rpm -q selinux-policy-targeted 
selinux-policy-targeted-3.13.1-157.fc24.noarch


Tested with:
Fedora-Live-Xfce-x86_64-rawhide-20151110.iso

Comment 3 Miroslav Grepl 2015-11-20 12:43:34 UTC

Thank you. The problem is with /sys/fs/cgroup/ labeling.

Comment 4 poma 2015-12-08 17:45:37 UTC

Pan Vrabec, here's another one bothering us for a long time, if you can fix it also.

# sealert -a /var/log/audit/audit.log 
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-162.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.4.0-0.rc3.git4.1.fc24.x86_64 #1
                              SMP Fri Dec 4 16:10:15 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-08 12:27:53 EST
Last Seen                     2015-12-08 12:27:53 EST
Local ID                      3e331eed-9799-4e5d-9de9-889d4bc53368

Raw Audit Messages
type=AVC msg=audit(1449595673.876:163): avc:  denied  { getattr } for  pid=1057 comm="spice-vdagentd" name="/" dev="tmpfs" ino=195 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

Comment 5 Miroslav Grepl 2015-12-23 13:23:12 UTC

Moving to systemd. They need to also fix labeling for /sys/fs/cgroup mount point.

Comment 6 poma 2016-01-16 09:12:18 UTC

Since there is no response from the both, upstream and downstream.