Bug 1034082 - qemu-ga: document selinux policy for read/write of guest files
Summary: qemu-ga: document selinux policy for read/write of guest files
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Amos Kong
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 839831 839832
Blocks:
Reported: 2013-11-25 08:54 UTC by Shaolong Hu
Modified: 2015-05-25 00:07 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 839832
Environment:
Last Closed: 2014-03-17 10:07:14 UTC
Target Upstream Version:


Comment 4 Amos Kong 2013-12-02 09:54:54 UTC
Hi Qunfang,

You did a good job in [1] testing that all the SELinux policies work.
Can you test RHEL 7, or guide someone to test it?

Thanks, Amos

[1] https://bugzilla.redhat.com/show_bug.cgi?id=839832#c10

Comment 6 Amos Kong 2014-02-26 09:09:54 UTC
I have tested it myself; clearing the needinfo flag.

Comment 7 Amos Kong 2014-02-26 09:28:43 UTC
Hi Miroslav,

We added some SELinux policy to affect read/write permission of
/usr/bin/qemu-ga in the guest.

How can we enable/disable this single policy (affecting only
qemu-ga)?

Enabling/disabling SELinux by changing /etc/sysconfig/selinux will
affect all the policies.

Thanks, Amos

Comment 8 Miroslav Grepl 2014-02-27 09:56:28 UTC
(In reply to Amos Kong from comment #7)
> Hi Miroslav,
> 
> We added some SELinux policy to affect read/write permission of
> /usr/bin/qemu-ga in the guest.
> 

Which one?

> How can we enable/disable this single policy (affecting only
> qemu-ga)?

You can add a local policy module with rules.

> Enabling/disabling SELinux by changing /etc/sysconfig/selinux will
> affect all the policies.
> 
> Thanks, Amos

Comment 9 Miroslav Grepl 2014-02-27 10:00:14 UTC
You can do something like

semodule -n -i qemuga_local.pp
if /usr/sbin/selinuxenabled ; then
 /usr/sbin/load_policy
fi;

Comment 11 Amos Kong 2014-03-03 05:30:26 UTC
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

* Disable qemu-ga policies by changing qemu-ga security context to default 'bin_t'
[root@localhost ~]# chcon -t bin_t /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/qemu-ga

* Restart qemu-ga service
[root@localhost ~]# service qemu-guest-agent restart

* Restore the security context to virt_qemu_ga_exec_t; the policies will take effect.
[root@localhost ~]# restorecon /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

Actually we need to enable the qemu-ga policies all the time; it both
enables some useful (for security) AVC messages and suppresses some useless
(for legal behavior) AVC messages.

Comment 12 Miroslav Grepl 2014-03-03 09:40:42 UTC
I would suggest making the virt_qemu_ga_t policy permissive if there is a problem.

# semanage permissive -a virt_qemu_ga_t

will mean that nothing is blocked for this type, while AVC messages are still generated.

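The checks from comments 11 and 12 combined into one script (an added example, not code from this bug report or from the qemu-ga project): it reads the file context of /usr/bin/qemu-ga, checks whether virt_qemu_ga_t has been made permissive, and lists recent AVC denials from the agent. The function names and the state labels "confined", "permissive" and "unconfined" are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report: report whether the qemu-ga SELinux
# policy is in effect on a guest, combining the context check of comment 11
# with the permissive-domain check of comment 12. Function names are ours.

GA_BIN=/usr/bin/qemu-ga
GA_EXEC_T=virt_qemu_ga_exec_t   # file type shown in comment 11
GA_DOMAIN=virt_qemu_ga_t        # process domain named in comment 12

# Print the SELinux type (user:role:TYPE:level) from one "ls -lZ" line.
# The context field is found by its shape, so the RHEL 7 layout shown in
# comment 11 and newer coreutils layouts (extra columns) both work.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Classify the state from the binary's type ($1) and the output of
# "semanage permissive -l" ($2):
#   unconfined : relabelled (e.g. bin_t), qemu-ga runs outside its domain
#   permissive : domain is permissive, denials are logged but not enforced
#   confined   : labelled correctly and enforced
ga_policy_state() {
    if [ "$1" != "$GA_EXEC_T" ]; then
        echo unconfined
    elif printf '%s\n' "$2" | grep -qw "$GA_DOMAIN"; then
        echo permissive
    else
        echo confined
    fi
}

# Live check; degrades gracefully where SELinux or qemu-ga is absent.
main() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux is not enabled; the qemu-ga policy cannot be in effect"
        return 0
    fi
    [ -e "$GA_BIN" ] || { echo "$GA_BIN not found"; return 0; }
    ftype=$(context_type "$(ls -lZ "$GA_BIN")")
    perm=$(semanage permissive -l 2>/dev/null || true)
    echo "qemu-ga: type=$ftype state=$(ga_policy_state "$ftype" "$perm")"
    # Recent denials from the agent's domain show what the policy is blocking.
    ausearch -m avc -c qemu-ga --start today 2>/dev/null | tail -n 20 || true
}

main
```
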
Comment 13 Amos Kong 2014-03-17 10:07:14 UTC
As we discussed on the mailing list, I opened a new SELinux bug [1] to add a new boolean to enable/disable the policies of qemu-ga, and we will add documentation via the release notes.
So I am closing this qemu-kvm doc bug.


[1] Bug 1071981 - introduce a SELinux boolean to enable/disable guest file access from qemu-ga