Bug 839831

Summary: deny qemu guest agent read/write operations by default
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.4
Hardware: x86_64
OS: Linux
Reporter: Luiz Capitulino <lcapitulino>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: akong, areis, berrange, dwalsh, mmalik, qzhang, rhod
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Type: Bug
Doc Type: Bug Fix
Fixed In Version: selinux-policy-3.7.19-193.el6
Clones: 875666
Bug Blocks: 831387, 839832, 875666, 1034082
Last Closed: 2013-02-21 08:25:27 UTC
Attachments: initial policy

Description Luiz Capitulino 2012-07-13 00:50:13 UTC
QEMU provides a daemon called the guest agent (or qemu-ga). This daemon runs on the guest and executes commands on behalf of processes running on the host.

The guest agent provides a set of commands to read and write arbitrary guest files. It runs with root privileges.

We want to deny this ability to read/write guest files with SELinux in RHEL6.4 by default.

Additionally, it's important to note the following:

o It would be very nice to have a "qemu_guest_agent_read_any" boolean for the SELinux policy to allow arbitrary read by the daemon

o qemu-ga reads and writes to a few specific files in order to function properly; these files are:
  - the device used to talk with the host processes (default: /dev/virtio-ports/org.qemu.guest_agent.0)
  - the log file (default: /var/log/qemu-ga.log)
  - the pid file (default: /var/run/qemu-ga.pid)

In RHEL6.3, the qemu-ga package is qemu-guest-agent-0.12.1.2-2.295.el6.x86_64.rpm. We also have the following upstream wiki page (which is a bit out-dated, but mostly correct):

 http://wiki.qemu.org/Features/QAPI/GuestAgent

Comment 1 Miroslav Grepl 2012-07-13 06:45:53 UTC
Thanks for your description. Also I would like to see some AVC msgs?

So the daemon is started by a service script?

Comment 2 Luiz Capitulino 2012-07-16 13:26:12 UTC
(In reply to comment #1)
> Thanks for your description. Also I would like to see some AVC msgs?

I'll post them shortly.

> So the daemon is started by a service script?

Yes, 'service qemu-ga start'.

Comment 3 Daniel Berrangé 2012-07-16 13:29:37 UTC
> Yes, 'service qemu-ga start'.

NB, with Fedora upstream, the qemu-ga daemon is actually started automatically whenever the correct virtio-serial socket is present in /dev, thanks to a magic udev rule.

Comment 4 Luiz Capitulino 2012-07-17 17:26:51 UTC
So, the only AVC message that I can confirm is from qemu-ga is this one:

type=AVC msg=audit(1340825668.149:159): avc:  denied  { write } for  pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

And I believe these come from its child process:

type=SYSTEM_RUNLEVEL msg=audit(1342543464.420:55): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='old-level=3 new-level=0 exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
type=SYSTEM_SHUTDOWN msg=audit(1342543464.420:56): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='init exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'

qemu-ga is not writing to its log file (it's writing only to syslog), this is a bug. That's probably why there are no AVC messages for the log file.

Comment 5 Miroslav Grepl 2012-07-18 09:25:27 UTC
Is this also in Fedora? It looks like we will need to add a policy virt_qemu_qa_t for this.

Comment 6 Luiz Capitulino 2012-07-18 13:07:05 UTC
It's not (at least not in F17), but we should add it.

Comment 7 Daniel Walsh 2012-07-19 14:31:41 UTC
ifconfig writing to the pid file looks like a leaked file descriptor or a redirection of stdout/stderr. I see no reason why ifconfig should be writing to /var/run/qemu-ga-pid.

Comment 9 Luiz Capitulino 2012-07-23 14:22:46 UTC
(In reply to comment #7)
> ifconfig writing to the pid file looks like a leaked file descriptor or a
> redirection of stdout/stderror.  I see no reason why ifconfig should be
> writing to /var/run/qemu-ga-pid.

Oh, good catch. We indeed had a bug that leaked fds, but it should be fixed. I'll check it.

Comment 12 Miroslav Grepl 2012-10-09 09:07:42 UTC
Created attachment 624001 [details]
initial policy

I need help with this one.

Could you test the attached policy?

1. Download it
2. # semodule -i virt_qemu_ga.pp
3. # restorecon -Rv /usr/bin/qemu-ga

Test it and add the output of

# ausearch -m avc -ts recent

Comment 13 Luiz Capitulino 2012-10-09 19:31:56 UTC
What tests do you need? I followed your procedure and was able to read /etc/passwd, got this with ausearch:

----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:63): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7fffe25488d0 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:63): avc:  denied  { lock } for  pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:62): arch=c000003e syscall=2 success=yes exit=3 a0=7f9452d5b147 a1=41 a2=180 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write open } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { create } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { add_name } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write } for  pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:64): arch=c000003e syscall=2 success=yes exit=5 a0=7fffe254af3e a1=82802 a2=0 a3=28 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:64): avc:  denied  { open } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc:  denied  { read write } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:65): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fffe25487f0 a2=7fffe25487f0 a3=7fffe2548570 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:65): avc:  denied  { getattr } for  pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
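The denials above can be triaged against the three files the description says qemu-ga legitimately needs. The following is an added example, not code from this bug report or from the selinux-policy package: it parses AVC lines, marks denials on the required files (and on the directory that holds them) as needing a rule or a label, and renders those as audit2allow-style allow statements, while any other denial is kept as evidence that the confined domain is blocking access outside the agent's footprint. The vport0p1 basename for the virtio port, the etc_t label on /etc/passwd and the extra /etc/passwd denial line are assumptions constructed for the sample.

```python
import re
from collections import defaultdict

# Basenames of the files the description says qemu-ga needs. The virtio-ports
# path is a udev symlink; the AVCs above show the node vport0p1 (assumption).
REQUIRED_FILES = {"qemu-ga.pid", "qemu-ga.log", "org.qemu.guest_agent.0", "vport0p1"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=\d+ comm="(?P<comm>[^"]+)"'
    r'(?: (?:path|name)="(?P<target>[^"]+)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

# Constructed sample: four lines from comment 13 plus a constructed /etc/passwd denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1349810574.884:63): avc:  denied  { lock } for  pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write open } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write } for  pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.886:64): avc:  denied  { read write } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.900:70): avc:  denied  { read } for  pid=1259 comm="qemu-ga" name="passwd" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

def parse_avc(text):
    # One dict per AVC denial line; SYSCALL lines and separators are skipped.
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = sorted(rec["perms"].split())
        rec["stype"] = rec["scontext"].split(":")[2]   # e.g. virt_qemu_ga_t
        rec["ttype"] = rec["tcontext"].split(":")[2]   # e.g. var_run_t
        basename = (rec["target"] or "").rsplit("/", 1)[-1]
        # Denials on required files mean the module lacks a rule or a label;
        # every other denial is the confinement doing its job and must stay.
        rec["needs_allow"] = basename in REQUIRED_FILES
        records.append(rec)
    # Creating the pid/log file also needs write/add_name on the parent dir.
    required_ttypes = {r["ttype"] for r in records if r["needs_allow"]}
    for r in records:
        if r["tclass"] == "dir" and r["ttype"] in required_ttypes:
            r["needs_allow"] = True
    return records

def allow_rules(records):
    # Collapse the denials that need rules into audit2allow-style allow lines.
    perms = defaultdict(set)
    for r in records:
        if r["needs_allow"]:
            perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]
```

The generated allow lines are a starting point for the module's .te file; the final policy should use dedicated file types for the pid and log files rather than the generic var_run_t shown here.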

Comment 14 Miroslav Grepl 2012-10-10 08:14:38 UTC
Great. This is what I wanted to see.

Comment 15 Miroslav Grepl 2012-10-10 08:45:03 UTC
Fixed in selinux-policy-3.7.19-168.el6

Comment 16 Miroslav Grepl 2012-10-10 11:51:49 UTC
But this policy really needs to be tested more.

Comment 24 Amos Kong 2012-11-27 15:57:13 UTC
Change status to ASSIGNED according to https://bugzilla.redhat.com/show_bug.cgi?id=875666#c7

Comment 25 Miroslav Grepl 2013-01-03 15:28:46 UTC
Fixes added to selinux-policy-3.7.19-190.el6

Comment 27 Miroslav Grepl 2013-01-16 11:30:36 UTC
*** Bug 888152 has been marked as a duplicate of this bug. ***

Comment 28 Miroslav Grepl 2013-01-16 13:30:50 UTC
Fixed in selinux-policy-3.7.19-193.el6

Comment 31 errata-xmlrpc 2013-02-21 08:25:27 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html