Bug 839831
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | deny qemu guest agent read/write operations by default | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Luiz Capitulino <lcapitulino> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 6.4 | CC | akong, areis, berrange, dwalsh, mmalik, qzhang, rhod |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-193.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 875666 (view as bug list) | Environment | |
| Last Closed | 2013-02-21 08:25:27 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 831387, 839832, 875666, 1034082 | | |
| Attachments | | | |
Description
Luiz Capitulino
2012-07-13 00:50:13 UTC
Thanks for your description. Also I would like to see some AVC msgs? So the daemon is started by a service script?

(In reply to comment #1)
> Thanks for your description. Also I would like to see some AVC msgs?

I'll post them shortly.

> So the daemon is started by a service script?

Yes, 'service qemu-ga start'.

> Yes, 'service qemu-ga start'.

NB, with Fedora upstream, the qemu-ga daemon is actually started automatically whenever the correct virtio-serial socket is present in /dev, thanks to a magic udev rule.

So, the only AVC message that I can confirm is from qemu-ga is this one:

```
type=AVC msg=audit(1340825668.149:159): avc: denied { write } for pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
```

And I believe these come from its child process:

```
type=SYSTEM_RUNLEVEL msg=audit(1342543464.420:55): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='old-level=3 new-level=0 exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
type=SYSTEM_SHUTDOWN msg=audit(1342543464.420:56): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='init exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
```

qemu-ga is not writing to its log file (it's writing only to syslog); this is a bug. That's probably why there are no AVC messages for the log file.

Is this also in Fedora? It looks like we will need to add a policy virt_qemu_ga_t for this.

It's not (at least not in F17), but we should add it.

ifconfig writing to the pid file looks like a leaked file descriptor or a redirection of stdout/stderr. I see no reason why ifconfig should be writing to /var/run/qemu-ga-pid.

(In reply to comment #7)
> ifconfig writing to the pid file looks like a leaked file descriptor or a
> redirection of stdout/stderr. I see no reason why ifconfig should be
> writing to /var/run/qemu-ga-pid.

Oh, good catch. We indeed had a bug that leaked fds, but it should be fixed. I'll check it.

Created attachment 624001 [details]
initial policy

I need help with this one.

Could you test the attached policy:

1. Download it
2. # semodule -i virt_qemu_ga.pp
3. # restorecon -Rv /usr/bin/qemu-ga

Test it and add the output of

# ausearch -m avc -ts recent

What tests do you need? I followed your procedure and was able to read /etc/passwd, got this with ausearch:

```
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:63): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7fffe25488d0 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:63): avc: denied { lock } for pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:62): arch=c000003e syscall=2 success=yes exit=3 a0=7f9452d5b147 a1=41 a2=180 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:62): avc: denied { write open } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { create } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { add_name } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc: denied { write } for pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:64): arch=c000003e syscall=2 success=yes exit=5 a0=7fffe254af3e a1=82802 a2=0 a3=28 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:64): avc: denied { open } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc: denied { read write } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:65): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fffe25487f0 a2=7fffe25487f0 a3=7fffe2548570 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:65): avc: denied { getattr } for pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
```

Great. This is what I wanted to see.

Fixed in selinux-policy-3.7.19-168.el6

But this policy really needs to be tested more.

Change status to ASSIGNED according to https://bugzilla.redhat.com/show_bug.cgi?id=875666#c7

Fixes added to selinux-policy-3.7.19-190.el6

*** Bug 888152 has been marked as a duplicate of this bug. ***

Fixed in selinux-policy-3.7.19-193.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
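The thread above turns on two separate readings of the same `ausearch -m avc` output: the denials raised by `virt_qemu_ga_t` itself are the ones the new policy module must allow, while the `ifconfig_t` write to the pid file is a leaked descriptor that should be fixed in the program, not papered over with an allow rule. The following script is an added example, not code from this bug, from selinux-policy or from audit2allow; it parses the AVC records quoted in the thread (embedded here as a constructed sample), collapses them into the allow rules a module for a chosen domain would need, and flags denials that look like inherited file descriptors. The `path=`-versus-`name=` heuristic for spotting an operation on an already-open descriptor, and the function names, are this example's own assumptions.

```python
"""Turn SELinux AVC denial records into candidate allow rules, and separate
out denials that look like file descriptors leaked into a child process.

Added example; not code from the bug report, selinux-policy or audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the bug thread (SYSCALL and
# separator lines omitted; the parser skips non-AVC lines anyway).
SAMPLE_AVC = """\
type=AVC msg=audit(1349810574.884:63): avc: denied { lock } for pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { write open } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { create } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { add_name } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc: denied { write } for pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.886:64): avc: denied { open } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc: denied { read write } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:65): avc: denied { getattr } for pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1340825668.149:159): avc: denied { write } for pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that only make sense on a descriptor the process already holds.
FD_PERMS = frozenset({"read", "write", "append"})


def context_type(ctx):
    """user:role:type[:level] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial line; non-AVC lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "perms": frozenset(m.group("perms").split()),
            "comm": fields.get("comm"),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "path": fields.get("path"),   # set when the op was on an open fd
            "name": fields.get("name"),   # set when the op was a path lookup
        })
    return records


def allow_rules(records, domain):
    """Union the denied permissions per (source, target, class) for one
    source domain and render them as policy allow rules, sorted."""
    perms = defaultdict(set)
    for r in records:
        if r["stype"] == domain:
            perms[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def possible_fd_leaks(records, daemon_comm):
    """Heuristic (this example's assumption): a denial from a process other
    than the daemon, on an already-open descriptor (kernel printed path=
    rather than name=), asking only for read/write/append, is more likely a
    descriptor inherited across fork/exec than a real need of that program."""
    return [r for r in records
            if r["comm"] != daemon_comm
            and r["path"] is not None and r["name"] is None
            and r["perms"] <= FD_PERMS]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print("# rules the qemu-ga module would need:")
    for rule in allow_rules(recs, "virt_qemu_ga_t"):
        print(rule)
    print("# denials to fix in the program (close-on-exec), not in policy:")
    for r in possible_fd_leaks(recs, "qemu-ga"):
        print(f'{r["comm"]} ({r["stype"]}) {sorted(r["perms"])} on {r["path"]}')
```

Run against the sample, the first list contains only the three `virt_qemu_ga_t` rules (pid-file directory and file in `var_run_t`, and the `virtio_device_t` serial port), and the `ip`/`ifconfig_t` write lands in the second list: as the thread concludes, that one is a descriptor qemu-ga left open when it spawned a child, and the fix belongs in qemu-ga (mark the pid file close-on-exec), not in an allow rule for `ifconfig_t`. The `path=`/`name=` distinction is a heuristic, not a guarantee; confirm a suspected leak by checking the child's `/proc/<pid>/fd` or the `SYSCALL` record that accompanies the AVC.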