Bug 2212731

Summary: [RFE] add rules to make qemu-kvm-ui-dbus work in enforcing mode
Product: Red Hat Enterprise Linux 9
Reporter: Sandro Bonazzola <sbonazzo>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: high
Version: RHIVOS 1.0
CC: lvrabec, mmalik, nknazeko, zpytela
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.3
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2023-07-05 08:37:13 UTC
Type: Bug
Bug Blocks: 2207940

Description Sandro Bonazzola 2023-06-06 07:37:55 UTC
Description of problem:

With bug #2207940 we are introducing a new qemu-kvm feature that requires new selinux rules to work properly in enforcing mode.

selinux denials are available at https://bugzilla.redhat.com/attachment.cgi?id=1967827

For instructions on how to get the test packages and the testing procedure please see bug #2207940

Comment 2 Sandro Bonazzola 2023-06-29 09:01:15 UTC
Tested 20230628 rebase from https://copr.fedorainfracloud.org/coprs/g/centos-automotive-sig/dui/builds/ on a clean CentOS Stream 9 system as root user and worked flawlessly without any selinux denial.

selinux-policy-targeted-38.1.15-1.el9.noarch

# cat run-script.sh 
#!/usr/bin/bash
# Start the guest with the D-Bus display backend (-display dbus) so that a
# separate viewer process can attach to the guest display over the session bus.

/usr/libexec/qemu-kvm \
       --hda /var/lib/libvirt/images/centos.qcow2 \
       -display dbus -device virtio-vga \
       -cpu host -m 4G -smp 2 -enable-kvm \
       --cdrom /var/lib/libvirt/images/CentOS-Stream-9-latest-x86_64-boot.iso

# cat view.sh 
#!/usr/bin/bash
# Run the libmks viewer in a container that shares the host's session bus.
# The --mount argument rewrites DBUS_SESSION_BUS_ADDRESS (e.g.
# "unix:path=/run/user/0/bus") into "src=/run/user/0/bus,dst=/run/user/0/bus"
# so the bus socket is bind-mounted at the same path inside the container.
# Note that label=disable turns off SELinux confinement for the container and
# --privileged removes the remaining container isolation, so the viewer runs
# with host-level privileges.
podman run -e DISPLAY \
       -v /run/user/0/:/run/user/0/ \
       -e XDG_RUNTIME_DIR=/run/user/0 --ipc host \
       -e DBUS_SESSION_BUS_ADDRESS \
       --mount "type=bind,$(echo "${DBUS_SESSION_BUS_ADDRESS}" | sed -e 's/unix:path=\(.\+\)/src=\1,dst=\1/')" \
       --security-opt label=disable \
       --privileged --rm -it \
       quay.io/alesgar/libmks

Perhaps we can close this BZ.
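The test run above is judged by whether the qemu-kvm process produced any AVC denials. As an added example (editorial, not part of the bug report or the attachment), the script below shows the triage step for such denials: it groups "avc: denied" records for one process by source type, target type, object class and permission, which is the information a policy rule is written from. The audit records are constructed samples; the type names are illustrative, not taken from the bug's attachment.

```shell
#!/usr/bin/env bash
# Added example, not part of the bug report: triage SELinux AVC denials for one
# process from an audit log, grouping them by source type, target type, object
# class and permission. On a real host the input would be /var/log/audit/audit.log
# (or the output of `ausearch -m avc`); here a constructed sample file is used.

# avc_summary LOGFILE COMM
# Prints "<count> <source type> <target type> <class> <permissions>" for each
# distinct tuple among "avc: denied" records whose comm field equals COMM.
avc_summary() {
    local logfile="$1" want="$2"
    awk -v want="$want" '
        /^type=AVC/ && /avc: +denied/ {
            perm = src = tgt = cls = comm = ""
            s = index($0, "{"); e = index($0, "}")       # permission set: { connectto }
            if (s && e > s) perm = substr($0, s + 2, e - s - 3)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub("\"", "", comm) }
                if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
                if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
                if (kv[1] == "tclass")   cls = kv[2]
            }
            if (comm == want) hits[src " " tgt " " cls " " perm]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$logfile" | sort -k2
}

# check_no_denials LOGFILE COMM: succeeds (exit 0) only if COMM produced no
# denials, i.e. the "no selinux denial" condition the test run was checking for.
check_no_denials() {
    [ -z "$(avc_summary "$1" "$2")" ]
}

# Constructed sample audit records (shaped like a qemu-kvm D-Bus display denial;
# the types, paths and inode numbers are made up, not the bug's attachment).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1686036000.123:456): avc:  denied  { connectto } for  pid=1234 comm="qemu-kvm" path="/run/user/0/bus" scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:system_r:unconfined_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1686036000.456:457): avc:  denied  { write } for  pid=1234 comm="qemu-kvm" name="bus" dev="tmpfs" ino=42 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1686036000.789:458): avc:  denied  { connectto } for  pid=1235 comm="qemu-kvm" path="/run/user/0/bus" scontext=system_u:system_r:svirt_t:s0:c3,c4 tcontext=system_u:system_r:unconfined_dbusd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1686036001.000:459): avc:  denied  { read } for  pid=999 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF

avc_summary "$SAMPLE_LOG" qemu-kvm
```

Two distinct denial tuples come out for qemu-kvm (one of them hit twice), while the sshd record is ignored because it belongs to another process.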

Comment 3 Sandro Bonazzola 2023-07-05 08:37:13 UTC
Closing as per comment #2

Comment 4 Red Hat Bugzilla 2024-01-28 04:25:33 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days