Bug 2181402

Summary: qemu-guest-agent couldn't write ssh-key to normal user
Product: Red Hat Enterprise Linux 9
Reporter: dehanmeng <demeng>
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.2
CC: akrejcir, apeetham, kkostiuk, lizhu, lvrabec, mmalik, qizhu, rmetrich, ymankad, zpytela
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.18-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2226685
Environment:
Last Closed: 2023-11-07 08:52:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2226685

Comment 1 Milos Malik 2023-03-24 07:59:51 UTC
Please collect SELinux denials that appeared during the Steps to Reproduce.

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

And attach them to this BZ.

Thank you.

Did the /home/fedora/.ssh directory exist before Steps to Reproduce?

Comment 2 Renaud Métrich 2023-03-24 09:19:42 UTC
You may also strace qemu-ga with SELinux contexts, very useful for debugging:

# strace -fttTvyy -s 128 --secontext=all -o qemu-ga.strace -p $(pgrep qemu-ga)

Using "all" will show the full context + eventual mismatches (just in case some file is not labeled properly, to avoid false positives).

Comment 4 dehanmeng 2023-03-27 02:42:50 UTC
(In reply to Milos Malik from comment #1)
> Please collect SELinux denials that appeared during the Steps to Reproduce.
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
> 
> And attach them to this BZ.

The attachment has been updated and named 'denied.txt'.
> 
> Thank you.
> 
> Did the /home/fedora/.ssh directory exist before Steps to Reproduce?

Definitely yes.

Comment 17 Nikola Knazekova 2023-06-14 15:56:48 UTC
Thank you. 

What is the output of this? 
# ausearch -m avc -ts today | audit2allow

Comment 19 Nikola Knazekova 2023-06-19 12:08:51 UTC
Thank you, 

Can you please enable the boolean:
# semanage boolean -m --on virt_qemu_ga_manage_ssh

and run your tests, in both SELinux modes: 
enforcing: # setenforce 1

then permissive: # setenforce 0

And check denials?

Comment 21 Nikola Knazekova 2023-07-03 08:22:44 UTC
Thank you,

PR: https://github.com/fedora-selinux/selinux-policy/pull/1772

Comment 37 Nikola Knazekova 2023-07-24 11:23:19 UTC
PR with new fixes is merged: https://github.com/fedora-selinux/selinux-policy/pull/1788.

Commits to backport:
4cffc71d2 Boolean: Allow virt_qemu_ga create ssh directory
19e34245f Allow virt_qemu_ga_t create .ssh dir with correct label
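To work through denials collected as in comment 1 and comment 19, and to spot the mislabelled .ssh directory that the second backported commit above addresses, here is an added Python triage helper; it is not part of the bug report or of the selinux-policy project, its AVC records are constructed samples, and the matchpathcon/restorecon hint is an assumption for this example (ssh_home_t is the standard label for ~/.ssh).

```python
import re
from collections import Counter

# Constructed sample records in the interpreted ("ausearch -i") format; they
# illustrate the pattern, they are not the denials attached to this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(03/27/2023 10:12:01.123:456) : avc:  denied  { create } for  pid=1234 comm=qemu-ga name=.ssh scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(03/27/2023 10:12:01.125:457) : avc:  denied  { write open } for  pid=1234 comm=qemu-ga name=authorized_keys scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(03/27/2023 10:12:05.900:458) : avc:  denied  { read } for  pid=999 comm=sshd name=secret scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\}")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit line."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "perms": tuple(sorted(m.group(1).split())),
        "comm": kv.get("comm", "?").strip('"'),
        "name": kv.get("name", "?").strip('"'),
        "stype": kv["scontext"].split(":")[2],   # source domain, e.g. virt_qemu_ga_t
        "ttype": kv["tcontext"].split(":")[2],   # target type, e.g. ssh_home_t
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",
    }

def is_qemu_ga_ssh_denial(rec):
    """True when qemu-ga's domain was denied on a user's .ssh directory or its keys."""
    ssh_target = rec["name"] in (".ssh", "authorized_keys") or rec["ttype"] == "ssh_home_t"
    return rec["stype"] == "virt_qemu_ga_t" and ssh_target

def label_hint(rec):
    """Flag an authorized_keys that is not ssh_home_t: .ssh was created with the wrong
    label (assumption for this example: verify with matchpathcon, fix with restorecon)."""
    if rec["name"] == "authorized_keys" and rec["ttype"] != "ssh_home_t":
        return "expected ssh_home_t, got %s" % rec["ttype"]
    return None

def triage(text):
    """Group all denials by (source, target, class, perms); return the qemu-ga/.ssh ones too."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    summary = Counter((r["stype"], r["ttype"], r["tclass"], r["perms"]) for r in recs)
    return summary, [r for r in recs if is_qemu_ga_ssh_denial(r)]
```

Feed it the output of the ausearch command from comment 1 instead of SAMPLE_AVC; a denial whose target is not ssh_home_t after the fixed policy is a labelling problem, not a missing allow rule.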

Comment 48 errata-xmlrpc 2023-11-07 08:52:19 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617