Bug 2093355
| Summary: | AVCs when trying to execute a command through qemu-ga ("guest-exec" command) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | VERIFIED --- | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | Jan Fiala <jafiala> |
| Priority: | medium | | |
| Version: | 8.6 | CC: | apeetham, coli, jinzhao, juzhang, lvrabec, marcandre.lureau, mmalik, phou, qizhu, virt-maint, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-118.el8 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Tried to reproduce it on the qemu side but didn't reproduce this issue. Will try to run it on the libvirt side. And actually, if the /etc/sysconfig/qemu-ga file changed, qga.service should've been restarted, btw. Maybe you did that but didn't write it down there, if the whole operations are correct and configurations are well.

Yes, sorry, I restarted the service after changing /etc/sysconfig/qemu-ga.

(In reply to Renaud Métrich from comment #2)
> Yes, sorry, I restarted the service after changing /etc/sysconfig/qemu-ga.

Okay, I got it. Could you please provide the XML file you used to boot up the VM? It would be better for us to reproduce the same issue.

See the discussion "qemu-ga guest-exec & SELinux" from the selinux-fedora list: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/LWL4WVO42KVFGZZDXATPBUDTPU36S5BK/

Daniel Berrange said: "IMHO execution of external commands should only be allowed after toggling a SELinux boolean tunable."

It looks like we should find a selinux solution. In Fedora first, before it can be backported. I am moving the bug back to selinux. Thanks.

I think there is no need for any additional SELinux boolean as long as the child of the service in charge of executing the command runs in the "unconfined domain".

Merged in rawhide; we will consider backporting it to RHEL 8.8 or 8.9.
Description of problem:

We have a customer trying to execute commands through qemu-agent, similarly to what VMware provides with "vmrun":

```
$ virsh qemu-agent-command domain '{"execute":"guest-exec", ...
```

Commands that are supposed to execute in a confined context (e.g. "mount") fail due to an AVC popping up:

```
type=PROCTITLE msg=audit(06/03/2022 15:39:26.449:72) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo
type=SYSCALL msg=audit(06/03/2022 15:39:26.449:72) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bff8ef9df9 a1=0x55bff8ed6780 a2=0x7ffeb34343a8 a3=0x8 items=0 ppid=1603 pid=1605 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(06/03/2022 15:39:26.449:72) : avc: denied { execute } for pid=1605 comm=qemu-ga name=mount dev="dm-0" ino=33712610 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
```

This happens because the service, executing as "virt_qemu_ga_t", cannot execute commands because of missing rules in the policy (above, for "mount_exec_t"). The solution is similar to what was implemented for VMTools (BZ #1667016): we need to have a transition happening in qemu-ga when executing a command to something like "virt_qemu_ga_unconfined_t". This of course requires changes in the SELinux policy. Please sync with them.

Version-Release number of selected component (if applicable):
qemu-guest-agent-6.2.0-11.module+el8.6.0+14707+5aa4b42d.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Disable blacklisting in /etc/sysconfig/qemu-ga (#BLACKLIST_RPC=...)
2. Restart the service
3. Execute a command from the host

Actual results:
AVC

Expected results:
No AVC

Additional info:
A workaround (but not a viable solution in the long term) is to execute the service as an unconfined domain, e.g. "unconfined_service_t", which can be achieved using a shell script wrapper.
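An added example, not code from the bug report or from selinux-policy: a small Python parser that groups the three audit records of one event by serial number, extracts the source and target SELinux types, and flags the pattern this report describes (a confined service domain refused execve on an *_exec_t file, where the needed fix is a domain transition rather than a bare allow rule). The sample records are the ones quoted above, reformatted one per line; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three records of the single audit event (serial 72)
# quoted in the bug report, one record per line as ausearch -i prints them.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(06/03/2022 15:39:26.449:72) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo
type=SYSCALL msg=audit(06/03/2022 15:39:26.449:72) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bff8ef9df9 a1=0x55bff8ed6780 a2=0x7ffeb34343a8 a3=0x8 items=0 ppid=1603 pid=1605 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(06/03/2022 15:39:26.449:72) : avc: denied { execute } for pid=1605 comm=qemu-ga name=mount dev="dm-0" ino=33712610 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}\s+for\s+(.*)")
# key=value; the value may be quoted or carry a note like EACCES(Permission denied)
FIELD = re.compile(r'(?<![\w-])(\w+)=("[^"]*"|\w+\([^)]*\)|\S+)')

def parse_fields(body):
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def parse_audit(text):
    """Group records by event serial and merge their fields into one dict per event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        ev = events[serial]
        ev["time"] = stamp
        if rtype == "PROCTITLE":          # free text, so do not split it into fields
            ev["proctitle"] = body.partition("proctitle=")[2]
        elif rtype == "AVC":
            a = AVC.match(body)
            if a:
                ev["avc_result"], ev["avc_perms"] = a.group(1), a.group(2).split()
                ev.update(parse_fields(a.group(3)))
        else:
            ev.update(parse_fields(body))
    return dict(events)

def selinux_type(context):
    return context.split(":")[2]          # user:role:type:level -> type

def is_confined_exec_denial(ev):
    """execve refused by a confined domain on an *_exec_t file: the case in this bug,
    where the fix is a domain transition rule rather than a bare execute allow."""
    return (ev.get("syscall") == "execve" and ev.get("avc_result") == "denied"
            and "execute" in ev.get("avc_perms", []) and ev.get("tclass") == "file"
            and selinux_type(ev["tcontext"]).endswith("_exec_t"))
```

Feed it the output of `ausearch -i -m AVC,SYSCALL,PROCTITLE` from the guest to triage every guest-exec denial the same way.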