Bug 882115

Summary: selinux-policy uses hardcode (pid/log) filename of qemu-ga
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.4
Reporter: Amos Kong <akong>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: ailan, dwalsh, lcapitulino, mgrepl
Status: CLOSED NOTABUG
Severity: unspecified
Priority: medium
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-11-30 07:25:42 UTC

Description Amos Kong 2012-11-30 07:12:31 UTC
Description of problem:

The pid/log filename of qemu-ga can be configured by /etc/sysconfig/qemu-ga.
But the new qemu-ga policy uses hardcoded filenames; things will go wrong if the user changes the default pid/log filename.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-183.el6.noarch

Comment 1 Miroslav Grepl 2012-11-30 07:25:42 UTC
We have

filetrans_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t,{ dir file } )
logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )

which means that if a user changes it and it is still in /var/run or /var/log, then it will be created with the correct labeling.

We are not able to cover all scenarios. If a user changes it to a different path, then a local policy will be needed.
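
The labeling behaviour described in Comment 1, as an added example that is not part of the bug report or of selinux-policy: a small model of how a newly created log file gets its type. It covers only the logging_log_filetrans rule and assumes that macro keys on var_log_t as the parent directory type; the directory labels and the /srv/qemu-ga paths are constructed for illustration.

```python
import posixpath

# (source domain, parent directory type, class) -> type of the new object.
# Constructed model of logging_log_filetrans(virt_qemu_ga_t,
# virt_qemu_ga_log_t, file); assumes the macro keys on var_log_t.
TRANSITIONS = {
    ("virt_qemu_ga_t", "var_log_t", "file"): "virt_qemu_ga_log_t",
}

# Constructed directory labels for the illustration.
DIR_TYPES = {
    "/": "root_t",
    "/var": "var_t",
    "/var/log": "var_log_t",
    "/srv": "var_t",
}


def dir_type(path):
    """Type of the nearest labelled ancestor directory."""
    path = posixpath.normpath(path)
    while path not in DIR_TYPES:
        parent = posixpath.dirname(path)
        if parent == path:  # root forms such as "//" or "" end the walk
            return DIR_TYPES["/"]
        path = parent
    return DIR_TYPES[path]


def created_type(domain, path, cls="file"):
    """Type a new object gets: a matching transition rule wins,
    otherwise the object inherits its parent directory's type."""
    parent = posixpath.dirname(posixpath.normpath(path))
    parent_type = dir_type(parent)
    return TRANSITIONS.get((domain, parent_type, cls), parent_type)


def needs_local_policy(domain, path, wanted):
    """True when the modelled policy would not label `path` as `wanted`."""
    return created_type(domain, path) != wanted
```

The rule matches on the parent directory's type, not on the file name, so a renamed log under /var/log is still labelled correctly while the same file under /srv is not.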