Bug 959639

Summary: SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW.
Product: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Dean Hunter <deanhunter>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Fixed In Version: selinux-policy-3.12.1-47.fc19
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-05-30 03:33:02 UTC

Description Dean Hunter 2013-05-04 13:56:04 UTC
Description of problem:

The QEMU guest agent fails to start on Fedora 19 Alpha due to SELinux alerts.


Version-Release number of selected component (if applicable):

Installed Packages
selinux-policy.noarch                       3.12.1-34.fc19               @fedora
selinux-policy-devel.noarch                 3.12.1-34.fc19               @fedora
selinux-policy-doc.noarch                   3.12.1-34.fc19               @fedora
selinux-policy-targeted.noarch              3.12.1-34.fc19               @fedora


How reproducible: Consistent


Steps to Reproduce:
1. Create new VM from Fedora 19 Alpha DVD
2. yum update --assumeyes
3. reboot
  
Actual results:

[root@fedora19 ~]# grep qemu-ga /var/log/messages
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419540: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.MRZHWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419605: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419609: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866733: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.4UROWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866815: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866819: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881133: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.WK3OWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881174: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881177: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940321: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.FW5SWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940362: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940365: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950846: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.YEETWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950894: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950897: critical: failed to load persistent state
May  4 08:15:44 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.MRZHWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.4UROWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.WK3OWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.FW5SWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7

[root@fedora19 ~]# sealert -l a028023e-4970-419f-ac33-c04e997b26f7
SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-ga should be allowed create access on the qga.state.YEETWW file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-ga /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                qga.state.YEETWW [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          fedora19.hunter.org
Source RPM Packages           qemu-guest-agent-1.4.1-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-34.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora19.hunter.org
Platform                      Linux fedora19.hunter.org 3.9.0-301.fc19.x86_64 #1
                              SMP Mon Apr 29 13:44:05 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-05-04 08:15:35 CDT
Last Seen                     2013-05-04 08:15:35 CDT
Local ID                      a028023e-4970-419f-ac33-c04e997b26f7

Raw Audit Messages
type=AVC msg=audit(1367673335.949:40): avc:  denied  { create } for  pid=457 comm="qemu-ga" name="qga.state.YEETWW" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1367673335.949:40): arch=x86_64 syscall=open success=no exit=EACCES a0=7f57851d27b0 a1=c2 a2=1b6 a3=7fff7ff34920 items=0 ppid=1 pid=457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: qemu-ga,virt_qemu_ga_t,var_run_t,file,create

audit2allow

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t var_run_t:file create;

audit2allow -R
require {
	type var_run_t;
	type virt_qemu_ga_t;
	class file create;
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t var_run_t:file create;


[root@fedora19 ~]# 


Expected results:

no errors


Additional info:

Comment 1 Miroslav Grepl 2013-05-06 07:32:16 UTC
There was a bug in file transition rules.

commit 2fcfe26b060dab4f006bdfb67ee3771e3c315a51
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 6 09:31:22 2013 +0200

    Allow qemu-ga to create files in /run with proper labeling

Comment 2 Dean Hunter 2013-05-13 07:32:26 UTC
A problem persists in Fedora 19 Beta TC4:

[root@fedora19 ~]# ausearch --message AVC --start today
----
time->Mon May 13 02:19:27 2013
type=SYSCALL msg=audit(1368429567.622:20): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7f9c66c754f0 a2=380 a3=0 items=0 ppid=1 pid=497 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368429567.622:20): avc:  denied  { read } for  pid=497 comm="polkitd" name="machine" dev="cgroup" ino=1327 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 02:20:40 2013
type=SYSCALL msg=audit(1368429640.032:37): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7faa6648b5d0 a2=380 a3=7faa6648c450 items=0 ppid=1 pid=489 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368429640.032:37): avc:  denied  { read } for  pid=489 comm="polkitd" name="machine" dev="cgroup" ino=1329 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 02:22:09 2013
type=SYSCALL msg=audit(1368429729.201:427): arch=c000003e syscall=59 success=no exit=-13 a0=7f603213bb9f a1=7fff592bf840 a2=7fff592c3098 a3=7f60320f5a10 items=0 ppid=387 pid=1240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368429729.201:427): avc:  denied  { execute } for  pid=1240 comm="qemu-ga" name="systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

[root@fedora19 ~]#

Comment 3 Miroslav Grepl 2013-05-13 08:25:10 UTC
These are different. The policykit_t issue has been fixed.

Comment 4 Miroslav Grepl 2013-05-13 08:26:54 UTC
Could you please run

# semanage permissive -a virt_qemu_ga_t

re-test it and

# ausearch -m avc -ts recent

Comment 5 Daniel Walsh 2013-05-13 12:57:07 UTC
polkitd_t AVCs are allowed in selinux-policy-3.12.1-43.fc19

Any idea what qemu-ga is doing executing systemctl?

Comment 6 Dean Hunter 2013-05-13 14:27:36 UTC
[root@fedora19 ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch                      3.12.1-42.fc19              @anaconda
selinux-policy-devel.noarch                3.12.1-42.fc19              @anaconda
selinux-policy-doc.noarch                  3.12.1-42.fc19              @anaconda
selinux-policy-targeted.noarch             3.12.1-42.fc19              @anaconda

[root@fedora19 ~]# ausearch --message AVC --start recent
----
time->Mon May 13 09:22:07 2013
type=SYSCALL msg=audit(1368454927.964:35): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7fd8b0e32200 a2=380 a3=0 items=0 ppid=1 pid=493 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368454927.964:35): avc:  denied  { read } for  pid=493 comm="polkitd" name="machine" dev="cgroup" ino=1345 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.503:423): arch=c000003e syscall=4 success=yes exit=0 a0=7faa06a8c8e8 a1=7fffc9ee63c0 a2=7fffc9ee63c0 a3=0 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.503:423): avc:  denied  { read } for  pid=1230 comm="shutdown" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1368454956.503:423): avc:  denied  { read } for  pid=1230 comm="shutdown" name="root" dev="proc" ino=1156 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.497:422): arch=c000003e syscall=59 success=yes exit=0 a0=7f08e00f6b9f a1=7fffbab0d160 a2=7fffbab109b8 a3=7f08e00b0a10 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute_no_trans } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { read open } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute } for  pid=1230 comm="qemu-ga" name="systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.504:424): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fffc9ee61b0 a2=16 a3=7fffc9ee5f60 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.504:424): avc:  denied  { connectto } for  pid=1230 comm="shutdown" path="/run/systemd/private" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
time->Mon May 13 09:23:07 2013
type=SYSCALL msg=audit(1368454987.502:19): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7f2d155024f0 a2=380 a3=0 items=0 ppid=1 pid=499 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368454987.502:19): avc:  denied  { read } for  pid=499 comm="polkitd" name="machine" dev="cgroup" ino=6660 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

[root@fedora19 ~]#
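
To triage records like the ones in this report (the enforcing `create` denial from the description, and the denials logged after the domain was made permissive as Comment 4 suggests), the following is an added Python example; it is not part of this bug report or of selinux-policy. It pairs each AVC with its SYSCALL record by audit serial, marks which denials actually went through (the permissive-mode signature), collapses permissions into audit2allow-style rules, and flags rules whose target is a generic directory label. The embedded sample records are copied from this report with the SYSCALL lines trimmed to the fields the parser uses; the list of generic labels is the example author's own choice.

```python
"""Triage SELinux AVC records like those in this bug: pair each AVC with its
SYSCALL record by audit serial, separate enforcing denials from permissive-mode
ones, and collapse permissions into audit2allow-style rules for review.
Added example; not part of this report or of selinux-policy."""
import re
from collections import defaultdict

# Constructed sample: records quoted in this report, with SYSCALL lines trimmed to
# the fields used here. In practice, feed the output of `ausearch -m avc` instead.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1367673335.949:40): avc:  denied  { create } for  pid=457 comm="qemu-ga" name="qga.state.YEETWW" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1367673335.949:40): arch=x86_64 syscall=open success=no exit=EACCES pid=457 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=SYSCALL msg=audit(1368454956.497:422): arch=c000003e syscall=59 success=yes exit=0 pid=1230 comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute_no_trans } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { read open } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1368454956.504:424): arch=c000003e syscall=42 success=yes exit=0 pid=1230 comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.504:424): avc:  denied  { connectto } for  pid=1230 comm="shutdown" path="/run/systemd/private" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Default labels for whole directory trees (author's own list): an allow rule
# against one reaches every file carrying that label, not only the daemon's own.
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmpfs_t", "tmp_t", "etc_t", "usr_t"}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<action>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn `key=value key="quoted value"` into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit(text):
    """Return one dict per AVC record, joined with its SYSCALL record by serial."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial = int(m["serial"])
        if m["type"] == "SYSCALL":
            syscalls[serial] = parse_fields(m["body"])
        elif m["type"] == "AVC" and (a := AVC_RE.search(m["body"])):
            f = parse_fields(a["fields"])
            avcs.append({
                "serial": serial,
                "action": a["action"],
                "perms": frozenset(a["perms"].split()),
                "comm": f.get("comm", "?"),
                "target": f.get("path") or f.get("name") or "?",
                "stype": f["scontext"].split(":")[2],  # user:role:type:level
                "ttype": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                "permissive": f.get("permissive"),
            })
    for r in avcs:
        sc = syscalls.get(r["serial"], {})
        r["exe"] = sc.get("exe", "?")
        # Newer kernels add permissive=1 to the AVC itself; older ones (as in this
        # report) only betray permissive mode by a denied AVC whose syscall succeeded.
        if r["permissive"] is None:
            r["permissive"] = sc.get("success") == "yes"
        else:
            r["permissive"] = r["permissive"] == "1"
    return avcs


def summarize(records):
    """Collapse denials into {(source type, target type, class): set(perms)}."""
    out = defaultdict(set)
    for r in records:
        if r["action"] == "denied":
            out[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(out)


def to_allow_rules(summary):
    """Render the summary the way audit2allow does, sorted for stable diffs."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return rules


def flag_generic_targets(summary):
    """Keys whose target is a directory-wide default label: candidates for a
    file transition to a private type rather than a blanket allow rule."""
    return sorted(k for k in summary if k[1] in GENERIC_TARGET_TYPES)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        mode = "permissive" if r["permissive"] else "ENFORCING"
        print(f"{mode:10} {r['comm']:>8} {r['stype']} -> {r['ttype']}:{r['tclass']} "
              f"{sorted(r['perms'])} {r['target']}")
    s = summarize(recs)
    print("\n".join(to_allow_rules(s)))
    print("generic targets, prefer a file transition:", flag_generic_targets(s))
```

Run it against `ausearch -m avc -ts recent` output instead of the embedded sample. A `denied` AVC whose matching SYSCALL has `success=yes` is the signature of a permissive domain on kernels that predate the `permissive=1` field, which is what distinguishes the Comment 6 output (after `semanage permissive -a virt_qemu_ga_t`) from the enforcing denials in Comment 2. The flagged `var_run_t` rule is the one audit2allow proposed in the description; shipping it would let the domain create files carrying the generic /run label, which is why the commit in Comment 1 fixes the file transition so the state file gets its own label rather than adding a blanket allow.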

Comment 7 Dean Hunter 2013-05-14 16:56:51 UTC
qemu-guest-agent still has problems with Fedora 19 Beta TC4:

[root@ipa ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.12.1-44.fc19          @updates-testing
selinux-policy-devel.noarch             3.12.1-44.fc19          @updates-testing
selinux-policy-doc.noarch               3.12.1-44.fc19          @updates-testing
selinux-policy-targeted.noarch          3.12.1-44.fc19          @updates-testing

[root@ipa ~]# ausearch --message avc --start today
----
time->Tue May 14 11:34:32 2013
type=AVC msg=audit(1368549272.764:5): avc:  denied  { getattr } for  pid=387 comm="qemu-ga" name="/" dev="tmpfs" ino=1147 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Tue May 14 11:51:18 2013
type=SYSCALL msg=audit(1368550278.154:449): arch=c000003e syscall=59 success=no exit=-13 a0=7ff0c1baeb9f a1=7fffc2019e60 a2=7fffc201d6b8 a3=7ff0c1b68a10 items=0 ppid=387 pid=1638 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368550278.154:449): avc:  denied  { execute } for  pid=1638 comm="qemu-ga" name="systemctl" dev="dm-1" ino=140673 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

[root@ipa ~]# 

The first alert is from about the time the virtual machine was built and restarted. The second alert is from when I tried to shut down the virtual machine.

Comment 8 Miroslav Grepl 2013-05-15 10:46:56 UTC
Ok, going to add fixes.

Comment 9 Dean Hunter 2013-05-23 14:18:20 UTC
Have you identified a version of selinux-policy when this will be fixed?

Comment 10 Dean Hunter 2013-05-23 15:40:12 UTC
The problem persists in Fedora 19 Beta RC3.

Comment 11 Miroslav Grepl 2013-05-24 06:06:32 UTC
Has been fixed in -45.fc19.

http://koji.fedoraproject.org/koji/buildinfo?buildID=419810

Comment 12 Fedora Update System 2013-05-29 14:19:00 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 13 Fedora Update System 2013-05-29 17:45:49 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-05-30 03:33:02 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.