Bug 1426106

Summary: SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 3278.
Product: Red Hat Enterprise Linux 7 Reporter: Han Han <hhan>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: dominick.grift, dwalsh, dyuan, extras-qa, lslebodn, lvrabec, mgrepl, mmalik, plautrba, pmoore, pvrabec, ssekidde, xuzhang, yafu, yanqzhan
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:41235b9e601922d1e9cf5875fed96d15a3f9fe8aec8edb05f2b837974fbb0e06;VARIANT_ID=server;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1413298 Environment:
Last Closed: 2017-08-01 15:22:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1413298    
Bug Blocks:    
Attachments:
Description Flags
The script of reproducing none

Description Han Han 2017-02-23 08:17:15 UTC
Created attachment 1256832 [details]
The script of reproducing

+++ This bug was initially created as a clone of Bug #1413298 +++

Description of problem:
I turned off virtual machine.

BTW the searched pid 3278 was pid of libvirt

sh# find /proc/ -inum 32545
/proc/3278
sh# ls -l /proc/3278/exe 
lrwxrwxrwx. 1 root root 0 Jan 13 18:45 /proc/3278/exe -> /usr/sbin/libvirtd
SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 3278.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed search access on the 3278 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c180,c609
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                3278 [ dir ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.15-300.fc25.x86_64 #1 SMP Thu
                              Dec 15 23:10:23 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-14 17:39:01 CET
Last Seen                     2017-01-14 17:39:01 CET
Local ID                      5417c5fe-d046-4191-8de3-20d5c6cf25e3

Raw Audit Messages
type=AVC msg=audit(1484411941.773:906): avc:  denied  { search } for  pid=21632 comm="qemu-system-x86" name="3278" dev="proc" ino=32545 scontext=system_u:system_r:svirt_t:s0:c180,c609 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-x86,svirt_t,virtd_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.8.15-300.fc25.x86_64
type:           libreport

AVC deny occurs when destroying the VM.
This bug can be reproduced on:
selinux-policy-3.13.1-121.el7.noarch
qemu-kvm-rhev-2.8.0-4.el7.x86_64
libvirt-3.0.0-2.el7.x86_64

Not reproduced on RHEL7.3:
selinux-policy-3.13.1-102.el7_3.15.noarch
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
libvirt-2.0.0-10.el7_3.4.x86_64

Marked as regression.

Comment 5 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861