Bug 1594598

Summary: SELinux is preventing qemu-system-aar from 'search' accesses on the directory 1178.
Product: [Fedora] Fedora
Reporter: Jeremy Harris <jeharris>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: dwalsh, jeharris, lvrabec, plautrba
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:a9afeb11bffae7fd79a7dd3fbb96465f531cb2db4ccbe704f336107471664919;
Fixed In Version: selinux-policy-3.14.1-36.fc28 selinux-policy-3.14.2-59.fc29
Last Closed: 2019-05-24 21:49:26 UTC

Description Jeremy Harris 2018-06-24 22:32:52 UTC
Description of problem:
On normal shutdown of VM.  Same issue occurs with a ppc VM; both that and this aarch64 VM under KVM
on an x86_64 Fedora 28 host.

Happens every shutdown.
SELinux is preventing qemu-system-aar from 'search' accesses on the directory 1178.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-aar should be allowed search access on the 1178 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-aar' --raw | audit2allow -M my-qemusystemaar
# semodule -X 300 -i my-qemusystemaar.pp

Additional Information:
Source Context                system_u:system_r:svirt_tcg_t:s0:c382,c451
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                1178 [ dir ]
Source                        qemu-system-aar
Source Path                   qemu-system-aar
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.16.16-300.fc28.x86_64 #1 SMP Sun
                              Jun 17 03:02:42 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2018-06-24 23:28:10 BST
Last Seen                     2018-06-24 23:28:10 BST
Local ID                      ee18276e-1164-41f5-9ffe-eb1798cf31e2

Raw Audit Messages
type=AVC msg=audit(1529879290.901:81455): avc:  denied  { search } for  pid=8131 comm="qemu-system-aar" name="1178" dev="proc" ino=1730648 scontext=system_u:system_r:svirt_tcg_t:s0:c382,c451 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-aar,svirt_tcg_t,virtd_t,dir,search

Version-Release number of selected component:
selinux-policy-3.14.1-32.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.16.16-300.fc28.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2018-07-03 14:40:09 UTC
Hi, 

Do you have any issues during the shutdown process of the VMs, or do you just see the SELinux denials?

Thanks,
Lukas.

Comment 2 Jeremy Harris 2018-07-18 08:47:29 UTC
(In reply to Lukas Vrabec from comment #1)
> Do you have any issues during the shutdown process of the VMs, or do you just
> see the SELinux denials?

Purely the latter.  The VM closes down cleanly and there are no apparent problems
on the next startup.

Comment 3 Lukas Vrabec 2018-07-22 11:03:19 UTC
Jeremy, thanks for the reply.

I'll close it for now; if you're able to reproduce it, feel free to re-open this BZ.

Lukas.

Comment 4 Jeremy Harris 2018-07-22 12:13:39 UTC
It is fully repeatable.  Every time one of these two VMs is closed down, an abrt
report is generated on the host.

Comment 5 Fedora Update System 2018-07-25 22:30:54 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 6 Fedora Update System 2018-07-26 16:32:53 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 7 Fedora Update System 2018-07-29 03:24:40 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Jeremy Harris 2018-07-30 08:22:07 UTC
Problem still exists with selinux-policy-3.14.1-36.fc28.noarch
but the directory name is now "1191".
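
The directory name in these reports (1178, then 1191) is a /proc/<pid> entry (dev="proc", labelled with the virtd_t process context), so it changes between runs while the tuple on the report's Hash line stays the same. The following is an added example, not part of the bug report or of setroubleshoot: a small parser that groups AVC records by that tuple. The second sample record is constructed to mirror comment 8, and all function names are this example's own.

```python
import re

# Record 1 is the raw AVC line from the report. Record 2 is CONSTRUCTED to
# mirror comment 8 (same denial, /proc directory now named "1191").
SAMPLE = [
    'type=AVC msg=audit(1529879290.901:81455): avc:  denied  { search } for  '
    'pid=8131 comm="qemu-system-aar" name="1178" dev="proc" ino=1730648 '
    'scontext=system_u:system_r:svirt_tcg_t:s0:c382,c451 '
    'tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0',
    'type=AVC msg=audit(1532900000.000:1): avc:  denied  { search } for  '
    'pid=9001 comm="qemu-system-aar" name="1191" dev="proc" ino=1800001 '
    'scontext=system_u:system_r:svirt_tcg_t:s0:c12,c99 '
    'tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group('fields')):
        rec[key] = quoted or bare
    return rec

def signature(rec):
    """comm, source type, target type, class, perms: the report's Hash tuple."""
    stype = rec['scontext'].split(':')[2]   # user:role:TYPE:level
    ttype = rec['tcontext'].split(':')[2]
    return ','.join([rec['comm'], stype, ttype, rec['tclass'],
                     ' '.join(sorted(rec['perms']))])

def targets_proc_pid_dir(rec):
    """True when the target is a numeric directory on procfs (/proc/<pid>)."""
    return (rec.get('dev') == 'proc' and rec.get('tclass') == 'dir'
            and rec.get('name', '').isdigit())

def group_denials(lines):
    """Group records by signature so per-run PIDs and MCS categories collapse."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        g = groups.setdefault(signature(rec), {'count': 0, 'names': [], 'proc_pid': True})
        g['count'] += 1
        g['names'].append(rec.get('name'))
        g['proc_pid'] = g['proc_pid'] and targets_proc_pid_dir(rec)
    return groups

if __name__ == '__main__':
    for sig, g in group_denials(SAMPLE).items():
        print(sig, g)
```
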

Comment 9 Jeremy Harris 2018-07-30 08:24:48 UTC
Description of problem:
Closing down an aarch64 (emulated) VM

Version-Release number of selected component:
selinux-policy-3.14.1-36.fc28.noarch

Additional info:
reporter:       libreport-2.9.5
hashmarkername: setroubleshoot
kernel:         4.17.9-200.fc28.x86_64
type:           libreport

Comment 10 Ben Cotton 2019-05-02 19:32:28 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 11 Lukas Vrabec 2019-05-15 07:00:16 UTC
commit 50a45a0b447e73463ce7ce24d3bf5e7a8fa03a1f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed May 15 08:59:53 2019 +0200

    Dontaudit svirt_tcg_t domain to read process state of libvirt BZ(1594598)

Comment 12 Fedora Update System 2019-05-18 11:05:25 UTC
selinux-policy-3.14.2-59.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619

Comment 13 Fedora Update System 2019-05-19 10:49:49 UTC
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-38a1de7619

Comment 14 Fedora Update System 2019-05-24 21:49:26 UTC
selinux-policy-3.14.2-59.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.