Bug 2132728

Summary: selinux blocks usage of qemu-guest-agent over vsock
Product: Fedora
Component: selinux-policy
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 38
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug
Fixed In Version: selinux-policy-38.8-2.fc38
Last Closed: 2023-03-09 22:53:11 UTC
Reporter: Christophe Fergeau <cfergeau>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, cfergeau, crobinso, dwalsh, grepl.miroslav, lvrabec, mcascell, mmalik, omosnacek, ondrejj, pbonzini, philmd, pkoncity, rjones, virt-maint, vmojzis, zpytela

Description Christophe Fergeau 2022-10-06 13:36:27 UTC
I tried to run qemu-guest-agent over vsock using this unit file:

$ cat /etc/systemd/system/qemu-guest-agent.service

[Unit]
Description=QEMU Guest Agent
IgnoreOnIsolate=True

[Service]
UMask=0077
EnvironmentFile=/etc/sysconfig/qemu-ga
# vsock-listen takes the address as <cid>:<port>; here CID 3, port 1024
ExecStart=/usr/bin/qemu-ga \
  --method=vsock-listen \
  --path=3:1024 \
  --blacklist=${BLACKLIST_RPC} \
  -F${FSFREEZE_HOOK_PATHNAME}
Restart=always
RestartSec=0

[Install]

'systemctl start qemu-guest-agent' fails unless I use 'setenforce 0':

$ LC_ALL=en_US.utf-8 sealert -l 55bbbb98-bcec-4f95-bc4e-0f9985a9f7c4
SELinux is preventing qemu-ga from create access on the vsock_socket Inconnu.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-ga should be allowed create access on the Inconnu vsock_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -X 300 -i my-qemuga.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:system_r:virt_qemu_ga_t:s0
Target Objects                Inconnu [ vsock_socket ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          fedora36.ramen.dolet.fergeau.eu
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.15-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.15-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora36.ramen.dolet.fergeau.eu
Platform                      Linux fedora36.ramen.dolet.fergeau.eu
                              5.19.13-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Tue
                              Oct 4 15:42:43 UTC 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-10-06 15:16:45 CEST
Last Seen                     2022-10-06 15:31:54 CEST
Local ID                      55bbbb98-bcec-4f95-bc4e-0f9985a9f7c4

Raw Audit Messages
type=AVC msg=audit(1665063114.844:460): avc:  denied  { create } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1


Hash: qemu-ga,virt_qemu_ga_t,virt_qemu_ga_t,vsock_socket,create

Comment 1 Cole Robinson 2022-10-11 17:13:03 UTC
Thanks for the report. I don't see any reason to not allow this in the selinux policy. It's a valid, if non-default, use case.

Comment 2 Christophe Fergeau 2022-11-03 16:37:32 UTC
I was able to get it to work using this selinux .te file:

module qemuga-vsock 1.0;

require {
	type virt_qemu_ga_t;
	class vsock_socket { bind create getattr listen accept read write };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t self:vsock_socket { bind create getattr listen accept read write };
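
As an added illustration (not code from this report, from audit2allow or from the selinux-policy project), the script below derives the module shape in comment 2 from raw AVC records like the one in the description: it groups denied permissions per (source type, target type, class), writes the target as `self` when both types match, and flags records collected with `permissive=1`, where the access was logged but never blocked. The second sample record is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record quoted in the report, plus a second
# denial (bind/listen) of the kind the module in comment 2 also covers.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1665063114.844:460): avc:  denied  { create } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1665063114.845:461): avc:  denied  { bind listen } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """Yield (source type, target type, class, perms, permissive) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # user:role:type:level -> keep only the type component
            yield (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"],
                   set(m["perms"].split()), m["permissive"] == "1")

def merge_denials(text):
    """Group perms by (source, target, class); target becomes 'self' when the
    source and target types are identical, as they are for qemu-ga here."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc(text):
        merged[(stype, "self" if stype == ttype else ttype, tclass)] |= perms
    return merged

def render_te(module, text):
    """Render a .te module shaped like comment 2: require block, then rules."""
    merged = merge_denials(text)
    types = sorted({s for s, _, _ in merged} | {t for _, t, _ in merged} - {"self"})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                          for (s, t, c), p in sorted(merged.items())]
    return "\n".join(lines) + "\n"

def all_permissive(text):
    """True when every denial carries permissive=1: the access was logged but
    not blocked, so the log alone cannot prove the generated rule set is complete."""
    return all(p for *_, p in parse_avc(text))
```

The generated rules allow exactly what was logged, so a run in enforcing mode can still surface further denials that a permissive-mode capture never triggered.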

Comment 3 Ben Cotton 2023-02-07 15:12:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 4 Fedora Update System 2023-03-04 19:54:08 UTC
FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

Comment 5 Fedora Update System 2023-03-05 03:10:21 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-03-09 22:53:11 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.