Bug 1927639
| Summary: | AVC Denial on qemu-ga Fedora CoreOS 33.20210201.10.0 / Fedora CoreOS 34 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Sandro Bonazzola <sbonazzo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 34 | CC: | cdwertma, dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, travier, vmojzis, vrutkovs, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: |
OKD 4.6 / Fedora CoreOS 33.20210201.10.0
|
|
| Last Closed: | 2022-06-08 06:20:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Still there in Fedora CoreOS 34 OSTREE_VERSION='49.34.202109261048-0'
[ 1560.245963] audit: type=1400 audit(1632734270.143:863): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1570.444060] audit: type=1400 audit(1632734280.343:864): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1580.628744] audit: type=1400 audit(1632734290.528:865): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1590.822643] audit: type=1400 audit(1632734300.721:866): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1601.028105] audit: type=1400 audit(1632734310.928:869): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1611.247624] audit: type=1400 audit(1632734321.148:870): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1621.427527] audit: type=1400 audit(1632734331.328:871): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1631.610565] audit: type=1400 audit(1632734341.512:872): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1641.786146] audit: type=1400 audit(1632734351.687:873): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
[ 1651.972648] audit: type=1400 audit(1632734361.874:876): avc: denied { search } for pid=840 comm="qemu-ga" name="containers" dev="sda4" ino=39846016 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0
Workaround: # echo '(allow virt_qemu_ga_t container_var_lib_t (dir (search)))' >local_virtqemu_ga.cil # semodule -i local_virtqemu_ga.cil This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. In my understanding this is caused by OKD's regular execution of the "guest-get-fsinfo" check against the qemu guest agent, and the presence of a running container on the VM (mounted filesystem at /var/lib/containers/storage/overlay). It looks like a fix was merged here: https://github.com/fedora-selinux/selinux-policy-contrib/pull/317 On RHEL 8.5 I was able to suppress the AVC denials by setting: setsebool -P virt_qemu_ga_read_nonsecurity_files on I hope this helps! This message is a reminder that Fedora Linux 34 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '34'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 34 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07. Fedora Linux 34 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. Thank you for reporting this bug and we are sorry it could not be fixed. |
Running Fedora CoreOS 33.20210201.10.0 within a VM hosted on oVirt. Journal shows every 10 seconds: AVC avc: denied { search } for pid=696 comm="qemu-ga" name="containers" dev="sda4" ino=119537792 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0 Reproduction steps: - Deploy OKD 4.6 or OKD 4.7 on top of oVirt (Bare metal UPI used in this specific case) - Look at workers journal - See AVC denials Expected behavior: After installation no denials should happen: either the policy needs a fix or the qemu-ga shouldn't access the resource. Actual behavior: Journal being spammed by AVC denials System details: Bare Metal UPI on top of KVM VMs managed by oVirt Fedora CoreOS version: 33.20210201.10.0 Initially opened as https://github.com/coreos/fedora-coreos-tracker/issues/733