Bug 1571202

Summary: SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file
Product: Red Hat Enterprise Linux 7
Reporter: Tomáš Golembiovský <tgolembi>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.5
CC: agajania, bram.jezeer, lvrabec, mgrepl, mjahoda, mmalik, mthacker, paulds, plautrba, redhat-bugzilla, rik.theys, robert.scheck, simon.jung, ssekidde, toneata, usurse, wattersm, zpytela
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the SELinux security policy for the QEMU guest agent was too tight and certain rules were missing. As a consequence, the qemu-guest-agent process was not able to read and lock the /run/utmp file. With this update, the missing rules have been added to the policy, and qemu-guest-agent is now able to read and lock /run/utmp.
Story Points: ---
Clone Of:
: 1631788 (view as bug list)
Environment:
Last Closed: 2018-10-30 10:03:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1631788

Description Tomáš Golembiovský 2018-04-24 09:50:25 UTC
We are backporting several features of qemu-guest-agent into RHEL 7.5 and there appears to be an SELinux issue where the agent cannot access utmp:

Content of audit.log:

type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f632f9db048 a1=80000 a2=7f632f9db039 a3=0 items=0 ppid=1 pid=1327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
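The three records above are one audit event (same serial, 178): the AVC says which permission was refused on which type pair, the SYSCALL record confirms it was an open() (syscall 2 on x86_64) that failed with EACCES (exit=-13), and the PROCTITLE record carries the agent's argv hex-encoded because the arguments are NUL-separated. The following triage helper is an added example, not code from this bug report, qemu-guest-agent or selinux-policy. It groups records by serial, decodes the PROCTITLE hex, collapses the denials into the allow rules audit2allow would print, and emits the sesearch queries (setools 3 syntax as shipped in RHEL 7) that show whether an updated policy already grants the access. Its sample input copies the records from this page (including the proc_net_t denial from comment 16, which comment 17 attributes to a different bug); the single `{ lock }` record is constructed to match the bug title, since the page itself only shows the read denial.

```python
"""Triage helper for the AVC records quoted in this bug.

Added example, not code from the bug report, qemu-guest-agent or selinux-policy.
"""
import re
from dataclasses import dataclass, field

# Sample input. The records for serial 178, and the proc_net_t record, are
# copied from the bug page (the PROCTITLE hex is truncated on the page, so the
# decoded argv is truncated too). The { lock } record is CONSTRUCTED to match
# the bug title; the page itself only shows the read denial.
AUDIT_LOG = """
type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f632f9db048 a1=80000 a2=7f632f9db039 a3=0 items=0 ppid=1 pid=1327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1524563197.001:179): avc:  denied  { lock } for  pid=1327 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

REC_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \} for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: str
    perms: tuple                # permissions refused in this access check
    avc: dict                   # key=value pairs from the AVC record
    syscall: dict = field(default_factory=dict)   # from the SYSCALL record, if any
    argv: list = field(default_factory=list)      # decoded PROCTITLE, if any

    @property
    def source_type(self):
        return self.avc["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.avc["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.avc["tclass"]


def kv(body):
    """Turn 'a=b c="d e"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def decode_proctitle(body):
    """Return argv from a PROCTITLE record. auditd hex-encodes the title when it
    contains NUL separators; a single-argument title is quoted instead."""
    m = re.search(r'proctitle="([^"]*)"', body)
    if m:
        return [m.group(1)]
    m = re.search(r"proctitle=([0-9A-Fa-f]+)", body)
    if not m:
        return []
    hexstr = m.group(1)
    if len(hexstr) % 2:          # truncated log line: drop the dangling nibble
        hexstr = hexstr[:-1]
    return [p.decode("utf-8", "replace") for p in bytes.fromhex(hexstr).split(b"\x00") if p]


def parse_denials(text):
    """Group records by audit serial and build one Denial per denied AVC."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = body
    denials = []
    for serial, recs in events.items():
        m = AVC_RE.match(recs.get("AVC", ""))
        if not m or m.group(1) != "denied":
            continue
        denials.append(Denial(serial=serial, perms=tuple(m.group(2).split()),
                              avc=kv(m.group(3)), syscall=kv(recs.get("SYSCALL", "")),
                              argv=decode_proctitle(recs.get("PROCTITLE", ""))))
    return denials


def allow_rules(denials):
    """Collapse denials the way audit2allow does: one rule per
    (source type, target type, class) with the union of refused permissions."""
    merged = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def sesearch_queries(denials):
    """sesearch invocations (setools 3 syntax, RHEL 7) that list the allow rules
    covering each refused access; no matching rule means the policy still lacks it."""
    return sorted({f"sesearch --allow -s {d.source_type} -t {d.target_type} -c {d.tclass} -p {perm}"
                   for d in denials for perm in d.perms})


if __name__ == "__main__":
    found = parse_denials(AUDIT_LOG)
    for d in found:
        print(f"{d.serial}: {d.source_type} -> {d.target_type}:{d.tclass} {d.perms} "
              f"object={d.avc.get('name') or d.avc.get('path')} exit={d.syscall.get('exit')} argv={d.argv}")
    print("\n".join(allow_rules(found)))
    print("\n".join(sesearch_queries(found)))
```

Two things the collapsed output makes visible that a single AVC line does not: the read and lock denials on /run/utmp fold into one `{ lock read }` rule on the same type pair, which is the gap the errata policy closes, while the proc_net_t denial stays a separate rule because it is a different policy gap. Feeding the same records to `audit2allow -M` on the affected host would produce a local module with the same rules, but the point of the sesearch step is to confirm first whether the updated selinux-policy already carries them before loading a local module that outlives the fix.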

Comment 3 Paul Stauffer 2018-08-22 19:08:52 UTC
I don't see any specific package versions mentioned here, but with the release of qemu-guest-agent-2.8.0-2.el7_5.1.x86_64 a few days ago, which includes the comment "Backport some features to 2.8 in RHEL 7.5" in its changelog, all of my EL7 VMs have started throwing the AVC denial shown above every few seconds.

I'm not sure exactly what the implications are of the guest agent not being allowed to read from utmp (at a glance, basic agent functions appear to be working) so I'm not sure how serious this is, aside from a massive flood of logs.

I note that this bug is still ON_QA.  Should this have been marked as a blocker for Bug 1598210?

Comment 4 Tomáš Golembiovský 2018-08-22 19:44:11 UTC
(In reply to Paul Stauffer from comment #3)

> I'm not sure exactly what the implications are of the guest agent not being
> allowed to read from utmp (at a glance, basic agent functions appear to be
> working) so I'm not sure how serious this us, aside from a massive flood of
> logs.

The issue is that the guest-get-users command does not work, as QEMU-GA cannot get the list of users.

> 
> I note that this bug is still ON_QA.  Should this have been marked as a
> blocker for Bug 1598210?

Maybe it should have, but that depends on the difficulty of the fix. We certainly wouldn't want to block the release of the other working features because of this.

Comment 8 Lukas Vrabec 2018-09-17 15:00:02 UTC
*** Bug 1618839 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2018-10-30 10:03:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Comment 16 Michael Watters 2019-02-14 19:37:25 UTC
Still seeing this on servers running RHEL 7.6.  For example, the following error is shown in the audit logs repeatedly.

type=PROCTITLE msg=audit(1550172885.138:415972): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 17 Aram Agajanian 2019-02-14 23:40:31 UTC
(In reply to Michael Watters from comment #16)
> Still seeing this on servers running RHEL 7.6.  For example, the following
> error is shown in the audit logs repeatedly.
> 
> type=PROCTITLE msg=audit(1550172885.138:415972):
> proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D7
> 3657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D
> 752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652
> D6F70656E2C67756573742D66696C652D63
> type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for 
> pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
> scontext=system_u:system_r:virt_qemu_ga_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file

I believe that is bug #1630347.