Bug 1867115

Summary: qemu-pr-helper.service: Failed to execute command: Permission denied
Product: Red Hat Enterprise Linux 8
Reporter: yafu <yafu>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: berrange, juzhang, lvrabec, mmalik, nknazeko, plautrba, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Regression, Triaged
Target Release: 8.3
Flags: lvrabec: needinfo?, pm-rhel: mirror+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2020-11-04 01:57:16 UTC
Type: Bug

Description yafu 2020-08-07 11:31:15 UTC
Description of problem:
qemu-pr-helper.service: Failed to execute command: Permission denied


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-51.el8.noarch
qemu-kvm-5.0.0-2.module+el8.3.0+7379+0505d6ca.x86_64

How reproducible:
100%

Steps to Reproduce:
1. # systemctl start qemu-pr-helper

2. # systemctl status qemu-pr-helper
● qemu-pr-helper.service - Persistent Reservation Daemon for QEMU
   Loaded: loaded (/usr/lib/systemd/system/qemu-pr-helper.service; static; vendor preset: disabled)
   Active: failed (thawing) (Result: exit-code) since Fri 2020-08-07 07:27:53 EDT; 5s ago
  Process: 34400 ExecStart=/usr/libexec/qemu-pr-helper (code=exited, status=203/EXEC)
 Main PID: 34400 (code=exited, status=203/EXEC)


3. Check the audit log:
# ausearch -m avc
----
time->Fri Aug  7 07:27:53 2020
type=PROCTITLE msg=audit(1596799673.007:7367): proctitle="(r-helper)"
type=SYSCALL msg=audit(1596799673.007:7367): arch=c000003e syscall=59 success=no exit=-13 a0=56065b4af170 a1=56065b4257e0 a2=56065b32a5f0 a3=56065b2e95d0 items=0 ppid=1 pid=34400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(r-helper)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1596799673.007:7367): avc:  denied  { execute } for  pid=34400 comm="(r-helper)" name="qemu-pr-helper" dev="dm-0" ino=134643336 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file permissive=0



Actual results:


Expected results:
Should start qemu-pr-helper service successfully.

Additional info:

Comment 1 yafu 2020-08-07 11:47:02 UTC
With qemu-kvm-5.0.0-2.module+el8.3.0+7379+0505d6ca.x86_64, the SELinux label of qemu-pr-helper is:
# ll -Z /usr/libexec/qemu-pr-helper 
-rwxr-xr-x. 1 root root system_u:object_r:qemu_exec_t:s0 686360 Jul 15 16:57 /usr/libexec/qemu-pr-helper

With qemu-kvm-4.2.0-29.module+el8.2.1+7297+a825794d.x86_64, the SELinux label of qemu-pr-helper is:
# ll -Z /usr/bin/qemu-pr-helper 
-rwxr-xr-x. 1 root root system_u:object_r:virtd_exec_t:s0 661024 Jul  7 16:48 /usr/bin/qemu-pr-helper
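
The triage spread across the description and comment 1, as an added example (not part of the original report and not Red Hat tooling): it parses the AVC record and the two `ll -Z` lines quoted above and checks that the denied target type is the label the newer package gives the binary. The function names are hypothetical; the input lines are copied from this report.

```python
import re

# Input copied from the report above: the AVC record and both `ll -Z` lines.
AVC = ('type=AVC msg=audit(1596799673.007:7367): avc:  denied  { execute } for  '
       'pid=34400 comm="(r-helper)" name="qemu-pr-helper" dev="dm-0" ino=134643336 '
       'scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file permissive=0')
LS_NEW = ('-rwxr-xr-x. 1 root root system_u:object_r:qemu_exec_t:s0 686360 '
          'Jul 15 16:57 /usr/libexec/qemu-pr-helper')
LS_OLD = ('-rwxr-xr-x. 1 root root system_u:object_r:virtd_exec_t:s0 661024 '
          'Jul  7 16:48 /usr/bin/qemu-pr-helper')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
CTX_RE = re.compile(r'\b([\w.-]+):([\w.-]+):([\w.-]+):(s\d\S*)')

def parse_avc(line):
    """Return decision, permission list and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    return {"decision": m.group(1), "perms": m.group(2).split(), **fields}

def se_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def ls_label(line):
    """Return (path, type) from one long-format `ls -Z` line."""
    m = CTX_RE.search(line)
    if not m:
        raise ValueError("no SELinux context in line")
    return line.split()[-1], m.group(3)

def triage(avc_line, ls_before, ls_after):
    """Tie a denial to a path/label change between two package versions."""
    avc = parse_avc(avc_line)
    (old_path, old_type), (new_path, new_type) = ls_label(ls_before), ls_label(ls_after)
    target = se_type(avc["tcontext"])
    return {
        "source_domain": se_type(avc["scontext"]),
        "target_type": target,
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "enforced": avc.get("permissive") == "0",
        "moved": old_path != new_path,
        "label_changed": old_type != new_type,
        "denial_matches_new_label": target == new_type and new_path.endswith("/" + avc["name"]),
    }
```

Calling `triage(AVC, LS_OLD, LS_NEW)` shows `init_t` denied `execute` on a `qemu_exec_t` file, and that this type is the label the binary carries only in the newer package.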

Comment 2 Milos Malik 2020-08-07 12:28:36 UTC
Just to be clear, the location of qemu-pr-helper has changed (comparing qemu-kvm-4.2 and qemu-kvm-5.0).

Comment 3 Zdenek Pytela 2020-08-07 12:40:18 UTC
Nikola,

Are you aware of this change? Will you be handling bugs like this?

Comment 4 Zdenek Pytela 2020-08-07 12:42:42 UTC
(In reply to yafu from comment #1)
> With qemu-kvm-5.0.0-2.module+el8.3.0+7379+0505d6ca.x86_64, the selinux label
> of qemu-pr-helper is:
> # ll -Z /usr/libexec/qemu-pr-helper 
> -rwxr-xr-x. 1 root root system_u:object_r:qemu_exec_t:s0 686360 Jul 15 16:57
> /usr/libexec/qemu-pr-helper
> 
> with qemu-kvm-4.2.0-29.module+el8.2.1+7297+a825794d.x86_64, the selinux
> label of qemu-pr-helper is:
> # ll -Z /usr/bin/qemu-pr-helper 
> -rwxr-xr-x. 1 root root system_u:object_r:virtd_exec_t:s0 661024 Jul  7
> 16:48 /usr/bin/qemu-pr-helper
Hi,

What is the target release for the updated qemu-kvm package?

Comment 6 Zdenek Pytela 2020-08-07 15:03:13 UTC
Lukas,

Is this a bz which needs to be fixed in RHEL 8.3?


In the meantime, I've submitted a PR to address the issue in Fedora:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/321

Comment 14 Nikola Knazekova 2020-08-20 10:54:25 UTC
(In reply to Zdenek Pytela from comment #3)
> Nikola,
> 
> Are you aware of this change? Will you be handling bugs like this?

Zdenek,
yes I am aware and I can handle these bugs.

Comment 25 errata-xmlrpc 2020-11-04 01:57:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528