Bug 2219795
| Summary: | AVC created when named-chroot is enabled and "virsh domfsinfo" command is used | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | qemu-kvm | Assignee: | Kostiantyn Kostiuk <kkostiuk> |
| qemu-kvm sub component: | Guest Agent | QA Contact: | dehanmeng <demeng> |
| Status: | NEW --- | Docs Contact: | |
| Severity: | low | ||
| Priority: | low | CC: | jinzhao, juzhang, kkostiuk, qizhu, stefan.zwijsen, virt-maint, yvugenfi |
| Version: | 8.8 | Flags: | demeng: needinfo? (kkostiuk) |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
NB: May need a RHEL-9 clone too.

Description of problem:

When named-chroot.service is started, the service creates additional global mounts:

```
# mount | grep chroot
[...]
/dev/mapper/rhel-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
```

Executing "virsh domfsinfo" then generates an AVC on the qemu-ga agent with the default policy (i.e. with "virt_qemu_ga_read_nonsecurity_files" not enabled) when qemu-ga queries the above mount, as seen in the strace below:

```
1016 [virt_qemu_ga_t] 13:28:04.673979 statfs("/var/named/chroot/var/named" [named_zone_t], 0x7ffc551cefd0) = -1 EACCES (Permission denied) <0.000042>
```

AVC:

```
type=PROCTITLE msg=audit(07/05/2023 13:28:04.672:1448) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo
type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x55fcf1a98230 a1=0x7ffc551cefd0 a2=0x7fc9d10dec20 a3=0x55fcf1a84bb0 items=0 ppid=1 pid=1016 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc: denied { search } for pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0
```

Actually more AVCs are seen just before this one, all related to querying the mount point. I think enabling the boolean virt_qemu_ga_read_nonsecurity_files is overkill here. I believe adding a dontaudit rule would be preferred, but it's up to you to decide. Please discuss this with the SELinux team on the best solution.

Version-Release number of selected component (if applicable):
qemu-guest-agent-6.2.0

How reproducible:
Always

Steps to Reproduce:
1. Install and start the named-chroot service
   # yum -y install bind-chroot
   # systemctl start named-chroot
2. Query the domain from the host
   $ virsh domfsinfo <domain>

Actual results:
Proper result on the host, but the AVC above appears multiple times

Expected results:
No AVC
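The report contrasts two policy responses to this denial: widening access via the boolean, or silencing the audit noise with a dontaudit rule. The following script is an added example (not part of the bug report, qemu-ga or any RHEL policy package) that parses AVC records like the one quoted above and aggregates them into either `dontaudit` or `allow` TE rules, so the two candidate rules can be compared before anything is loaded; the second sample record (a `getattr` denial) is constructed to show aggregation, and the function names are hypothetical.

```python
import re

# Sample input. The first record is the AVC quoted in the bug report above; the
# second is a CONSTRUCTED record on the same types, added only to show that
# several denials collapse into one rule.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 syscall=statfs '
    'success=no exit=EACCES(Permission denied) comm=qemu-ga',
    'type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc: denied { search } for pid=1016 '
    'comm=qemu-ga name=named dev="dm-0" ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(07/05/2023 13:28:04.671:1447) : avc: denied { getattr } for pid=1016 '
    'comm=qemu-ga name=named dev="dm-0" ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0',  # constructed
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the TE rule only needs the type field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), m.group('perms').split()


def te_rules(lines, silence=True):
    """Aggregate denials per (source, target, class) and emit one TE rule each.

    silence=True emits dontaudit rules (the reporter's preference: the statfs
    failure is harmless, so only the audit noise is suppressed); silence=False
    emits the equivalent allow rules, which would actually grant the access."""
    agg = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL/PROCTITLE records carry no access vector
        stype, ttype, tclass, perms = parsed
        agg.setdefault((stype, ttype, tclass), set()).update(perms)
    keyword = 'dontaudit' if silence else 'allow'
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(agg.items())]


if __name__ == '__main__':
    for rule in te_rules(SAMPLE_AUDIT_LINES) + te_rules(SAMPLE_AUDIT_LINES, silence=False):
        print(rule)
```

Feed it `ausearch -m AVC -c qemu-ga --raw` output to see which rule a policy module would need; the dontaudit form keeps the denial in place while stopping the log spam the report complains about.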