Bug 631952

Summary: policy prevents qemu-kvm wrapper script
Product: Red Hat Enterprise Linux 6
Reporter: Alex Williamson <alex.williamson>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: medium
Priority: medium
Version: 6.0
CC: ksrot, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-19 11:54:57 UTC

Description Alex Williamson 2010-09-08 18:14:18 UTC
Description of problem:

Trying to create a simple wrapper:

$ cat /usr/libexec/qemu-kvm.foo
#!/bin/sh
exec /usr/libexec/qemu-kvm "$@"

And setting permissions via restorecon:

$ ls -Z /usr/libexec/qemu-kvm*
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/libexec/qemu-kvm
-rwxr-xr-x. root root system_u:object_r:qemu_exec_t:s0 /usr/libexec/qemu-kvm.foo

Results in exec_no_trans errors in audit.log.  audit2allow resolves the problem.  As the transition is safe, selinux should allow this by default.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-42.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. See description above
2. virsh edit <guest domain> # point emulator at qemu-kvm.foo
3. virsh start <guest domain>
  
Actual results:
Fail, audit.log error

Expected results:
Works

Additional info:

This is the change that seems to make it work:

module qemutxtimer 1.0;

require {
	type svirt_t;
	type qemu_exec_t;
	type qemu_t;
	class file execute_no_trans;
}

#============= qemu_t ==============
#!!!! This avc is allowed in the current policy

allow qemu_t qemu_exec_t:file execute_no_trans;

#============= svirt_t ==============
allow svirt_t qemu_exec_t:file execute_no_trans;
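
An added example, not part of the bug report: a minimal offline stand-in for the audit2allow step the reporter used. It reads AVC denial lines in the RHEL 6 audit.log format (the sample lines below are constructed, with hypothetical pids and inodes) and derives one candidate `allow` rule per distinct (source type, target type, class, permission) tuple, so the `svirt_t` -> `qemu_exec_t` `execute_no_trans` rule from the module above falls out of the first two denials.

```sh
#!/bin/sh
# Added example: derive allow rules from AVC denials, the way audit2allow does.
# Constructed sample audit lines (hypothetical pids/inodes); on a real system
# the input would be /var/log/audit/audit.log or `ausearch -m avc`.
SAMPLE_AVC='type=AVC msg=audit(1283968000.123:45): avc:  denied  { execute_no_trans } for  pid=1234 comm="libvirtd" path="/usr/libexec/qemu-kvm.foo" dev=dm-0 ino=5678 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
type=AVC msg=audit(1283968001.456:46): avc:  denied  { execute_no_trans } for  pid=1234 comm="libvirtd" path="/usr/libexec/qemu-kvm.foo" dev=dm-0 ino=5678 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
type=AVC msg=audit(1283968002.789:47): avc:  denied  { read } for  pid=2345 comm="qemu-kvm" path="/etc/foo" scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_to_rules: read AVC lines on stdin; print "allow SRC TGT:CLASS PERM;"
# once per distinct tuple, in order of first appearance. Only the type
# field of each context is used, so MCS categories (c1,c2) do not split rules.
avc_to_rules() {
    awk '/avc: +denied/ {
        perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); split(src, s, ":"); src = s[3]
        tgt = $0; sub(/.*tcontext=/, "", tgt); split(tgt, t, ":"); tgt = t[3]
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        key = src " " tgt " " cls " " perms
        if (!(key in seen)) {
            seen[key] = 1
            # Multiple permissions in one denial are emitted as a { set }.
            print "allow " src " " tgt ":" cls " " (index(perms, " ") ? "{ " perms " }" : perms) ";"
        }
    }'
}

# sample_rules: run the conversion over the constructed sample.
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

sample_rules
# prints:
# allow svirt_t qemu_exec_t:file execute_no_trans;
# allow svirt_t etc_t:file read;
```

Each emitted rule should be reviewed before it goes into a module: the first line is the transition-free exec the report argues is safe, while the second would widen svirt_t's access to etc_t and is exactly the kind of rule audit2allow output should not be accepted blindly.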

Comment 1 Daniel Walsh 2010-09-08 18:19:55 UTC
Miroslav can you grab the updates for F14 which have fixes for this.

Comment 3 Miroslav Grepl 2010-09-16 15:57:13 UTC
Fixed in selinux-policy-3.7.19-55.el6.noarch.

Comment 9 errata-xmlrpc 2011-05-19 11:54:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html