Bug 839832

Summary: qemu-ga: document selinux policy for read/write of guest files
Product: Red Hat Enterprise Linux 6
Reporter: Luiz Capitulino <lcapitulino>
Component: qemu-kvm
Assignee: Amos Kong <akong>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: acathrow, ailan, akong, areis, bsarathy, dkelson, dyasny, juzhang, michen, mkenneth, mrezanin, qzhang, shuang, sluo, tlavigne, virt-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.351.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1034082 (view as bug list)
Environment:
Last Closed: 2013-02-21 07:38:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 839831
Bug Blocks: 1034082

Description Luiz Capitulino 2012-07-13 00:55:21 UTC
We're going to introduce an SELinux policy on RHEL 6.4 to deny qemu-ga read/write access to arbitrary guest files; this has to be documented in qemu-ga's future manpage and/or configuration files.

Comment 2 Amos Kong 2012-10-18 01:16:34 UTC
Talked with Luiz, assign this to me.

Comment 5 Amos Kong 2012-11-30 06:58:45 UTC
In https://bugzilla.redhat.com/show_bug.cgi?id=839831#c0

Luiz requested to add a "qemu_guest_agent_read_any" boolean for the SELinux policy to allow arbitrary reads by the daemon. But I didn't find this in the latest selinux-policy, so I will not mention it in the doc.

Comment 10 Qunfang Zhang 2013-01-18 03:49:57 UTC
This bug can be verified as passed now. In qemu-guest-agent-0.12.1.2-2.351 there is an SELinux policy note in the /etc/sysconfig/qemu-ga file, while in the older version of qemu-guest-agent there is not.

In qemu-guest-agent-0.12.1.2-2.350.el6:

# cat /etc/sysconfig/qemu-ga
# Transport method may be one of following:
#   * unix-listen
#   * virtio-serial
#   * isa-serial
# Default: virtio-serial
TRANSPORT_METHOD="virtio-serial"

# You also can override the device/socket path
# Default: /dev/virtio-ports/org.qemu.guest_agent.0
DEVPATH="/dev/virtio-ports/org.qemu.guest_agent.0"

# If logfile is unset it defaults to stderr but the daemon
# function of init script redirects stderr to /dev/null
LOGFILE="/var/log/qemu-ga.log"

# Override pidfile name
# Default: /var/run/qemu-ga.pid
PIDFILE="/var/run/qemu-ga.pid"

# Comma-separated blacklist of RPCs to disable or empty list to enable all
# Tip: You can get the list of RPC commands using `qemu-ga --blacklist ?`
# Default: blank list to enable all RPCs
# Note: There should be no spaces between commas and commands in the blacklist
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"


=======================
In fixed version qemu-guest-agent-0.12.1.2-2.351.el6:
# cat /etc/sysconfig/qemu-ga
# Transport method may be one of following:
#   * unix-listen
#   * virtio-serial
#   * isa-serial
# Default: virtio-serial
TRANSPORT_METHOD="virtio-serial"
#TRANSPORT_METHOD="isa-serial"

# You also can override the device/socket path
# Default: /dev/virtio-ports/org.qemu.guest_agent.0
DEVPATH="/dev/virtio-ports/org.qemu.guest_agent.0"
#DEVPATH="/dev/ttyS1"

# If logfile is unset it defaults to stderr but the daemon
# function of init script redirects stderr to /dev/null
LOGFILE="/var/log/qemu-ga.log"

# Override pidfile name
# Default: /var/run/qemu-ga.pid
PIDFILE="/var/run/qemu-ga.pid"

# SELinux note:
#  About guest arbitrary file read/write
#
# A new selinux policy is introduced on RHEL-6.4 to deny qemu-ga to
# read/write arbitrary guest files except the device file used to talk
# with host processes, LOGFILE and PIDFILE.
#
# You can disable this policy by "restorecon -R -v /usr/bin/qemu-ga"

# Comma-separated blacklist of RPCs to disable or empty list to enable all
# Tip: You can get the list of RPC commands using `qemu-ga --blacklist ?`
# Default: blank list to enable all RPCs
# Note: There should be no spaces between commas and commands in the blacklist
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"

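The config shown in the comment above relies on two things an administrator may want to check on a guest: that BLACKLIST_RPC actually lists all six guest-file-* RPCs (with no spaces around the commas, as the file's own note warns), and that the file carries the SELinux note shipped from -2.351.el6 onward. The following audit script is an added example, not code from this bug report or from the qemu-ga project. It assumes only POSIX sh, sed and grep; the sample config files it writes are constructed from the BLACKLIST_RPC line on the page, and the path passed to each function is a parameter rather than a real guest's /etc/sysconfig/qemu-ga.

```shell
#!/bin/sh
# Added example (not from the bug report or qemu-ga itself): audit a
# /etc/sysconfig/qemu-ga file for the guest-file-* RPC blacklist.
# The sample files written by demo() are CONSTRUCTED for offline use.

# The six RPCs that give the host read/write access to guest files (names from the page).
FILE_RPCS="guest-file-open guest-file-close guest-file-read guest-file-write guest-file-seek guest-file-flush"

# Read BLACKLIST_RPC from a sysconfig file without sourcing it: sourcing
# would execute anything the file contains. Last assignment wins, as in sh.
get_blacklist() {
    sed -n 's/^BLACKLIST_RPC="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Print the guest-file RPCs that are NOT blacklisted (empty output = all covered).
# Matching is exact on ",name,", so an entry broken by a stray space is reported
# as missing, which is how the config's "no spaces" note says qemu-ga treats it.
unblacklisted_file_rpcs() {
    bl=$(get_blacklist "$1")
    missing=""
    for rpc in $FILE_RPCS; do
        case ",$bl," in
            *",$rpc,"*) ;;
            *) missing="$missing $rpc" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Return 0 if the blacklist contains no spaces (the format the config requires).
blacklist_is_well_formed() {
    bl=$(get_blacklist "$1")
    case "$bl" in
        *" "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if the file carries the SELinux note added in qemu-guest-agent -2.351.el6.
has_selinux_note() {
    grep -q '^# SELinux note:' "$1"
}

# Demo on two constructed files: one shaped like the fixed config above, one
# with a partial, space-separated blacklist and no SELinux note.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/hardened" <<'EOF'
TRANSPORT_METHOD="virtio-serial"
# SELinux note:
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"
EOF
    cat > "$dir/loose" <<'EOF'
TRANSPORT_METHOD="virtio-serial"
BLACKLIST_RPC="guest-file-open, guest-file-read"
EOF
    for f in "$dir/hardened" "$dir/loose"; do
        printf '%s: unblacklisted=[%s]' "$f" "$(unblacklisted_file_rpcs "$f")"
        blacklist_is_well_formed "$f" || printf ' (blacklist contains spaces)'
        has_selinux_note "$f" || printf ' (no SELinux note: pre-2.351 config?)'
        printf '\n'
    done
    rm -rf "$dir"
}
demo
```

Run it with no arguments to see the demo; to audit a real guest, call unblacklisted_file_rpcs, blacklist_is_well_formed and has_selinux_note against /etc/sysconfig/qemu-ga instead of the constructed files. Note that the blacklist only governs what the agent will execute; the SELinux policy described in the note is a separate, kernel-enforced layer, so both checks are worth making.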
Comment 15 errata-xmlrpc 2013-02-21 07:38:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0527.html

Comment 16 Dax Kelson 2013-03-20 22:14:56 UTC
I don't understand how running a verbose, recursive restorecon on the qemu-ga binary will modify any policy?!?!

Comment 17 Amos Kong 2013-03-21 01:48:14 UTC
(In reply to comment #16)
> I don't understand how running a verbose, recursive restorecon on the
> qemu-ga binary will modify any policy?!?!

Please open a new bug and describe your problem in detail, thanks.