Bug 737790

Summary: SELinux is preventing /usr/bin/spice-vdagent "write" access on spice-vdagent-sock
Product: Red Hat Enterprise Linux 6
Reporter: Qunfang Zhang <qzhang>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: medium
Priority: low
Version: 6.2
CC: dwalsh, hdegoede, juzhang, mgrepl, mhasko, mkrcmari, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Story Points: ---
Clone Of: 682416
Last Closed: 2011-12-06 10:18:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 648553, 682416
Bug Blocks:

Comment 2 Miroslav Grepl 2011-09-13 05:59:52 UTC
What exactly are you seeing? What AVC? The policy should work.

Comment 3 Qunfang Zhang 2011-09-13 06:24:44 UTC
(In reply to comment #2)
> What exactly are you seeing? What AVC? The policy should work.

The problem is:
I installed a RHEL6.2 guest and loaded the virtio serial driver, qxl driver and spice vdagent service inside the guest.
But on the guest login screen, the mouse is captured by the guest. After logging in to the guest desktop, it can move out of the guest freely.

Maybe I cloned a wrong bug, sorry for making the confusion and please correct me on that.

Comment 4 Qunfang Zhang 2011-09-13 06:27:13 UTC
Additional info based on Comment 3.
I edited /etc/sysconfig/selinux in the vm and set "SELINUX=permissive" there and then rebooted. After that the mouse should work correctly on the login screen.

Comment 5 Hans de Goede 2011-09-13 07:47:20 UTC
(In reply to comment #4)
> Additional info based on Comment 3.
> I edit /etc/sysconfig/selinux in the vm and set "SELINUX=permissive" there and
> then reboot. After that the mouse should work correctly on the login screen.

Right, I deliberately wrote should there, so the question is, does it work on the login screen after making that change?

Because if it does, then there still is a selinux issue, but if it doesn't then there is something else amiss.

Comment 6 Qunfang Zhang 2011-09-13 07:56:03 UTC
Hi, Hans
After modifying the /etc/sysconfig/selinux file and rebooting, it works well on the login screen and the mouse is not captured any more.

Comment 7 Miroslav Grepl 2011-09-13 08:28:47 UTC
Ok, what avc are you getting?

# ausearch -m avc -ts today

Comment 8 Qunfang Zhang 2011-09-13 08:56:13 UTC
(In reply to comment #7)
> Ok, what avc are you getting?
> 
> # ausearch -m avc -ts today

Hi, Miroslav
[root@dhcp-66-83-73 ~]# ausearch -m avc -ts today
<no matches>

Comment 9 Miroslav Grepl 2011-09-13 09:53:33 UTC
Ok, please boot in enforcing mode and execute the following steps

# setenforce 0
# semodule -DB

re-test it and

# ausearch -m avc -ts recent

Comment 10 Marian Krcmarik 2011-09-14 14:35:56 UTC
(In reply to comment #9)
> Ok, please boot in enforcing mode and execute the following steps
> 
> # setenforce 0
> # semodule -DB
> 
> re-test it and
> 
> # ausearch -m avc -ts recent

70880-time->Wed Sep 14 10:33:26 2011
70911:type=SYSCALL msg=audit(1316010806.700:196): arch=c000003e syscall=4 success=no exit=-13 a0=406068 a1=7fff6f48e2e0 a2=7fff6f48e2e0 a3=7fff6f48dfb0 items=0 ppid=2652 pid=2656 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm="spice-vdagent" exe="/usr/bin/spice-vdagent" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
71295:type=AVC msg=audit(1316010806.700:196): avc:  denied  { getattr } for  pid=2656 comm="spice-vdagent" path="/dev/vport0p2" dev=devtmpfs ino=9980 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file

Comment 11 Marian Krcmarik 2011-09-14 16:08:18 UTC
The latest spice-vdagent had to change its behaviour, I downgraded it to spice-vdagent-0.6.3-8.el6 version (the one we tested and tuned selinux policy last time) and the problem does not occur there.

Comment 12 Hans de Goede 2011-09-15 08:47:35 UTC
(In reply to comment #11)
> The latest spice-vdagent had to change its behaviour, I downgraded it to
> spice-vdagent-0.6.3-8.el6 version (the one we tested and tuned selinux policy
> last time) and the problem does not occur there.

Right, the fix for bug 681797 makes the per user (and gdm) xsession agent process
retry connecting to the system level agentd process, to avoid it doing this
indefinitely on systems which don't have the agent channel, it now also does
a stat call on /dev/virtio-ports/com.redhat.spice.0 (which is a symlink to a
/dev/vport#p#) to check that the system is configured with the agent channel.

Seeing the AVC I believe this change is where this new AVC comes from.

Note it does not need actual access to the device, it just needs to be able to stat it.

Comment 13 Miroslav Grepl 2011-09-15 11:13:45 UTC
OK.

Marian or Qunfang,
if you execute

# grep virtio /var/log/audit/audit.log |audit2allow -M myvdagent
# semodule -i myvdagent.pp


does it work then?
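
The audit2allow step in comment 13 turns whatever AVC records are in the log into allow rules, and comment 12 points out that the agent only needs to stat() the device, which SELinux checks as getattr on the chr_file. The script below is an added example (not code from this bug, from spice-vdagent or from the selinux-policy package) that parses AVC records the way audit2allow does, prints the resulting allow rules, and flags any denial whose permission set goes beyond the expected getattr, so a policy module can be reviewed for least privilege before `semodule -i`. The sample log is constructed: the first two records reproduce the output from comment 10, the third record (comm="hypothetical", read/write) is invented purely to exercise the check.

```python
import re
from collections import defaultdict

# Constructed sample input: the SYSCALL/AVC pair from comment 10 of this bug,
# plus one hypothetical AVC record (comm="hypothetical") that asks for more
# than getattr. The third line is NOT from the bug report.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1316010806.700:196): arch=c000003e syscall=4 success=no exit=-13 comm="spice-vdagent" exe="/usr/bin/spice-vdagent" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1316010806.700:196): avc:  denied  { getattr } for  pid=2656 comm="spice-vdagent" path="/dev/vport0p2" dev=devtmpfs ino=9980 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1316010900.000:201): avc:  denied  { read write } for  pid=2700 comm="hypothetical" path="/dev/vport0p2" dev=devtmpfs ino=9980 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
"""

# Matches the fields of a type=AVC record that matter for an allow rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=\d+ '
    r'comm="(?P<comm>[^"]*)" .*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a security context, e.g. xdm_t from
    system_u:system_r:xdm_t:s0-s0:c0.c1023."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Extract (comm, permissions, source type, target type, class) from every
    AVC denial in the given audit log text. SYSCALL records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": frozenset(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def allow_rules(denials):
    """Merge permissions per (source, target, class) and render allow rules in
    the same form audit2allow prints them."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


def unexpected_permissions(denials, expected):
    """Least-privilege check: list (comm, extra permissions) for every denial
    that requests permissions outside the expected set. For a stat() on the
    device node the expected set is just {"getattr"}."""
    findings = []
    for d in denials:
        extra = sorted(d["perms"] - set(expected))
        if extra:
            findings.append((d["comm"], extra))
    return findings


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for comm, extra in unexpected_permissions(found, {"getattr"}):
        print("review: %s asks for more than getattr: %s" % (comm, " ".join(extra)))
```

Run against a real log with `python3 avc_check.py < /var/log/audit/audit.log` after replacing the constructed sample with `sys.stdin.read()`; the point of the check is that a module generated from a log that also contains unrelated denials would grant read/write on virtio_device_t to xdm_t, while the fix this bug actually needs is getattr only.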

Comment 14 Marian Krcmarik 2011-09-15 11:51:53 UTC
(In reply to comment #13)
> OK.
> 
> Marian or Qunfang,
> if you execute
> 
> # grep virtio /var/log/audit/audit.log |audit2allow -M myvdagent
> # semodule -i myvdagent.pp
> 
> 
> does it work then?

Yes

Comment 15 Miroslav Grepl 2011-09-15 11:56:22 UTC
Great. Thanks.

Comment 21 errata-xmlrpc 2011-12-06 10:18:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html