Bug 1369693
| Summary: | [qemu-guest-agent] cmd: guest-set-user-password: child process has failed to set user password | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Zhengtong <zhengtli> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | knoel, lvrabec, mgrepl, mkolaja, mmalik, plautrba, pvrabec, qzhang, ssekidde, xuhan, xuwei, zhengtli |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-97.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 02:37:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Tried with SELinux closed; it works well. So the problem may be related to how to let the cmd "guest-set-user-password" work under SELinux.

There is a bug about qemu-ga running under SELinux.
https://bugzilla.redhat.com/show_bug.cgi?id=1243458
This bug has been fixed before, so I marked this bug with the Regression keyword. If this is not the same problem, please change it back.

After fork/exec, chpasswd checks SELinux permissions:
status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);
and status = -1. There is nothing in log/messages.

Moving to selinux-policy for further help/fix.

Hi,
Could you re-test the scenario in permissive mode:
# setenforce 0
and after the test attach the output of:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
Thank you.

Guest:
[root@localhost ~]# setenforce 0
[root@localhost ~]#
Host: guest agent:
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
{"return": {}}
Guest:
[root@localhost ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
----
time->Fri Sep 2 20:59:23 2016
type=USER_AVC msg=audit(1472821163.758:116): pid=3062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Sep 2 20:59:48 2016
type=USER_AVC msg=audit(1472821188.203:118): pid=3109 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Sep 2 21:00:01 2016
type=USER_AVC msg=audit(1472821201.682:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Hi,
Could you load a local policy and then try to reproduce it in enforcing state?
1. # setenforce 1
2. $ cat virt_qemu_passwd.cil
(allow virt_qemu_ga_t self (passwd (passwd)))
3. # semodule -i virt_qemu_passwd.cil
4. Reproduce the scenario.
If it works, I'll add fixes.

Hi,
It works with the given method.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# cat virt_qemu_passwd.cil
(allow virt_qemu_ga_t self (passwd (passwd)))
[root@localhost ~]# semodule -i virt_qemu_passwd.cil
[root@localhost ~]#
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "MTIzNDU2"}}
{"return": {}}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2283.html
Description of problem:
qga command "guest-set-user-password" can't get the expected result. Instead, it gives an error msg: "child process has failed to set user password"

Version-Release number of selected component (if applicable):
Host&guest kernel: 3.10.0-493.el7.ppc64le
qemu-kvm-rhev-2.6.0-22.el7

How reproducible:
3/3

Steps to Reproduce:
1. Boot up guest with qemu-guest-agent params.
/usr/libexec/qemu-kvm \
...
-device virtio-serial-pci,id=virtio_serial_pci0,bus=pci.0,addr=03,disable-legacy=off,disable-modern=on \
-chardev socket,path=/tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA,nowait,id=idNMrD6X,server \
-device virtserialport,bus=virtio_serial_pci0.0,name=org.qemu.guest_agent.0,chardev=idNMrD6X,id=id2ILF12 \
...
2. After guest boot up, connect to the guest with the nc tool and send the guest-set-user-password cmd
[root@ibm-p8-rhevm-13 ~]# nc -U /tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
3. Check the result of the command

Actual results:
Can't change the password of guest.
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
{"error": {"class": "GenericError", "desc": "child process has failed to set user password"}}

Expected results:
The command can return "{}", and the password can be changed.

Additional info:
Stop the qemu-guest-agent.service and run the qemu-ga application manually; it works well.
Guest boot cmd:
/usr/libexec/qemu-kvm \
-name 'avocado-vt-vm1' \
-sandbox off \
-machine pseries \
-nodefaults \
-vga std \
-device virtio-serial-pci,id=virtio_serial_pci0,bus=pci.0,addr=03,disable-legacy=off,disable-modern=on \
-chardev socket,path=/tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA,nowait,id=idNMrD6X,server \
-device virtserialport,bus=virtio_serial_pci0.0,name=org.qemu.guest_agent.0,chardev=idNMrD6X,id=id2ILF12 \
-device pci-ohci,id=usb1,bus=pci.0,addr=04 \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=05,disable-legacy=off,disable-modern=on \
-drive id=drive_image1,if=none,snapshot=on,aio=threads,cache=none,format=qcow2,file=/home/staf-kvm-devel/workspace/usr/share/avocado/data/avocado-vt/images/RHEL-Server-7.3-ppc64le-virtio-scsi.qcow2 \
-device scsi-hd,id=image1,drive=drive_image1 \
-device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,id=id7nBMZ4,vectors=4,netdev=idcM2plM,bus=pci.0,addr=06,disable-legacy=off,disable-modern=on \
-netdev tap,id=idcM2plM,vhost=on \
-m 8192 \
-smp 8,maxcpus=8,cores=4,threads=1,sockets=2 \
-device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
-device usb-kbd \
-device usb-mouse \
-vnc :0 \
-rtc base=utc,clock=host \
-boot order=cdn,once=c,menu=off,strict=off \
-enable-kvm \
-monitor stdio