Bug 1658239

Summary: SELinux is preventing qemu-ga from read access on the file dev.
Product: Red Hat Enterprise Linux 7 Reporter: Paul Stauffer <paulds>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.6CC: lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-14 12:34:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Stauffer 2018-12-11 15:16:07 UTC 
Starting with the release of selinux-policy-3.13.1-229 about a week ago, all of our EL7 VMs have been flooding our logs with SELinux denials related to the QEMU Guest Agent accessing "dev":


SELinux is preventing qemu-ga from read access on the file dev.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-ga should be allowed read access on the dev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -i my-qemuga.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                dev [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          [redacted]
Source RPM Packages           qemu-guest-agent-2.12.0-2.el7.x86_64
Target RPM Packages           filesystem-3.2-25.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [redacted]
Platform                      Linux [redacted] 3.10.0-862.14.4.el7.x86_64
                              #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64
Alert Count                   7088
First Seen                    2018-12-05 14:07:57 EST
Last Seen                     2018-12-11 07:59:58 EST
Local ID                      813a2bf4-7850-43b5-af02-399b055f7550

Raw Audit Messages
type=AVC msg=audit(1544533198.575:1433387): avc:  denied  { read } for  pid=28018 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1544533198.575:1433387): arch=x86_64 syscall=open success=no exit=EACCES a0=55785c614dca a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=28018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: qemu-ga,virt_qemu_ga_t,proc_net_t,file,read


These denials come in a few different closely-related variants.  Some (as above) use the form "preventing qemu-ga from", whereas others use the form "preventing /usr/bin/qemu-ga from".  Some denials (as above) are for "read access on the file dev.", whereas others are for "getattr access on the file /proc/<pid>/net/dev.", and yet others are for "open access on the file /proc/<pid>/net/dev.".  These later two varients suggest that this is likely the absolute path of the file "dev" mentioned in the initial variant.

At a quick glance, the QEMU Guest Agent seems to be working fine despite these denials.  It's unclear what functionality might be impacted by these denials, and thus it's hard to judge the severity of this bug.

See also Bug 1592145 which may be the same issue already fixed in Fedora.
Comment 2 Zdenek Pytela 2019-03-14 12:34:33 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.