Bug 1690291

Summary: SELinux is preventing /usr/bin/qemu-ga from read access on a mount point
Product: Red Hat Enterprise Linux 8
Reporter: yafu <yafu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.0
CC: fjin, lizhu, lvrabec, mmalik, plautrba, ssekidde, xuzhang, zpytela
Target Milestone: rc
Keywords: Regression
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-09-03 19:02:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description yafu 2019-03-19 09:00:14 UTC
SELinux is preventing /usr/bin/qemu-ga from read access on the directory /mnt.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/mnt default label should be mnt_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /mnt

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that qemu-ga should be allowed read access on the mnt directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -X 300 -i my-qemuga.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /mnt [ dir ]
Source                        qemu-ga
Source Path                   /usr/bin/qemu-ga
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           filesystem-3.8-2.el8.x86_64
Policy RPM                    selinux-policy-3.14.1-61.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.18.0-80.el8.x86_64
                              #1 SMP Wed Mar 13 12:02:46 UTC 2019 x86_64 x86_64
Alert Count                   47
First Seen                    2019-03-19 03:14:15 EDT
Last Seen                     2019-03-19 04:44:59 EDT
Local ID                      aed26cc9-3f4d-42cc-8f9f-a33ac2c4bf53

Raw Audit Messages
type=AVC msg=audit(1552985099.106:128): avc:  denied  { read } for  pid=875 comm="qemu-ga" name="/" dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0


Hash: qemu-ga,virt_qemu_ga_t,unlabeled_t,dir,read



Additional info:
1. It works well with selinux-policy-3.13.1-229.el7.noarch.

Comment 1 Zdenek Pytela 2019-03-19 09:10:10 UTC
Hi,

It looks like the /mnt directory has an invalid label: the unlabeled_t label is usually displayed when a file was created in an SELinux-disabled state or when its actual label does not currently exist. Along with the restorecon plugin suggestion, you can fix the label with a single command:

  # /sbin/restorecon -v /mnt

However, for files and directories which are part of the base system it is very unusual. Did you install the system with SELinux enabled, as it is by default? Are you able to reproduce the issue?

Comment 2 yafu 2019-03-19 09:22:47 UTC
(In reply to Zdenek Pytela from comment #1)
> Hi,
> 
> It looks like the /mnt directory has invalid label: The unlabeled_t label is
> usually displayed when a file was created in SELinux disabled state or when
> its actual label does not currently exist. Along with the restorecon plugin
> suggestion, you can fix the label with a single command:
> 
>   # /sbin/restorecon -v /mnt
> 
> However, for files and directories which are a part of base system it is
> very unusual. Did you install the system with SELinux enabled as it is by
> default? Are you able to reproduce the issue?

Yes, before mounting a block device on /mnt, the label of /mnt is:
# ll -dZ /mnt/
drwxr-xr-x. 2 root root system_u:object_r:mnt_t:s0 6 Aug 12  2018 /mnt/

After mounting a block device on /mnt, the label of /mnt is:
# ll -dZ /mnt/
drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 22 Mar 19 15:13 /mnt/
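
As an added example (not part of the bug report), a POSIX shell script that triages the raw AVC line from the description and the `ls -dZ` output from this comment: it pulls the target type out of the denial and checks the mount point's label, so an unlabeled_t target is steered to restorecon rather than to a new policy module. The function names are my own; the inputs are the lines quoted on this page.

```shell
#!/bin/sh
# Added example, not from the bug report: triage an AVC denial and a
# mount-point label, deciding between a relabel and a policy report.

# Extract the SELinux type (third colon-separated field) from a context
# string such as system_u:object_r:unlabeled_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one key=value field (e.g. tcontext, comm, dev) out of a raw AVC
# audit line; surrounding double quotes are stripped.
avc_field() {
    printf '%s\n' "$2" |
        sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Classify a denial: an unlabeled_t target means the object never received
# a label (typical for the root inode of a freshly created filesystem), so
# the fix is restorecon rather than an audit2allow module.
classify_avc() {
    ttype=$(selinux_type "$(avc_field tcontext "$1")")
    case $ttype in
        unlabeled_t) echo relabel ;;
        *)           echo policy ;;
    esac
}

# Check the context column of an `ls -dZ` line: prints the type and
# returns 0 when the mount point carries the expected mnt_t label.
mountpoint_label_ok() {
    ltype=$(selinux_type "$(printf '%s\n' "$1" | awk '{print $5}')")
    printf '%s\n' "$ltype"
    [ "$ltype" = mnt_t ]
}

# Constructed inputs: the denial and ls -dZ lines quoted in this bug.
AVC='type=AVC msg=audit(1552985099.106:128): avc:  denied  { read } for  pid=875 comm="qemu-ga" name="/" dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'
BEFORE='drwxr-xr-x. 2 root root system_u:object_r:mnt_t:s0 6 Aug 12  2018 /mnt/'
AFTER='drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 22 Mar 19 15:13 /mnt/'

if [ "$(classify_avc "$AVC")" = relabel ]; then
    echo "$(avc_field comm "$AVC") denied on dev $(avc_field dev "$AVC"): target is unlabeled, run restorecon -v /mnt"
fi
mountpoint_label_ok "$BEFORE" || echo "relabel needed"   # mnt_t
mountpoint_label_ok "$AFTER"  || echo "relabel needed"   # unlabeled_t
```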

Comment 3 Zdenek Pytela 2019-03-19 13:37:03 UTC
What is the filesystem on the device mounted to /mnt? How was it created, does it support SELinux?

Comment 4 yafu 2019-03-20 03:23:34 UTC
(In reply to Zdenek Pytela from comment #3)
> What is the filesystem on the device mounted to /mnt? How was it created,
> does it support SELinux?

I tested ext4 and xfs, created by mkfs.XXX /dev/XXX, and both reproduce the issue.

Comment 7 Lukas Vrabec 2019-09-03 19:02:05 UTC

*** This bug has been marked as a duplicate of bug 1747960 ***