Bug 1061936 - qemu-guest-agent lacks SELinux permission to execute settimeofday
Summary: qemu-guest-agent lacks SELinux permission to execute settimeofday
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1049040 1062386
Reported: 2014-02-05 22:04 UTC by Marcelo Tosatti
Modified: 2014-10-20 09:07 UTC (History)
13 users

Fixed In Version: selinux-policy-3.12.1-125.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1062384 1062386
Environment:
Last Closed: 2014-06-13 13:27:04 UTC
Target Upstream Version:
Embargoed:

Description Marcelo Tosatti 2014-02-05 22:04:13 UTC
Description of problem:

Qemu guest agent should be able to execute settimeofday.

How reproducible:

Always

Steps to Reproduce:
1. virsh qemu-agent-command DOMAIN '{ "execute": "guest-set-time", "arguments":{"time":1}}'

Actual results:

SELinux is preventing /usr/bin/qemu-ga from using the sys_time capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-ga should have the sys_time capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-ga /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:system_r:virt_qemu_ga_t:s0
Target Objects                 [ capability ]
Source                        qemu-ga
Source Path                   /usr/bin/qemu-ga
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           qemu-guest-agent-1.6.1-3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain


Expected results:

qemu-guest-agent should be allowed to execute settimeofday().

Comment 1 Marcelo Tosatti 2014-02-05 22:20:57 UTC
SELinux is preventing /usr/sbin/hwclock from create access on the netlink_audit_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hwclock should be allowed create access on the  netlink_audit_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hwclock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:system_r:virt_qemu_ga_t:s0
Target Objects                 [ netlink_audit_socket ]
Source                        hwclock
Source Path                   /usr/sbin/hwclock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-2.24-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    1969-12-31 21:00:00 BRT
Last Seen                     1969-12-31 21:00:00 BRT
Local ID                      a805fc8f-5d66-47d7-ba40-ec1ad50db5d6

Raw Audit Messages
type=AVC msg=audit(0.2:574): avc:  denied  { create } for  pid=3295 comm="hwclock" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=netlink_audit_socket


type=SYSCALL msg=audit(0.2:574): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=10 a1=3 a2=9 a3=2 items=0 ppid=530 pid=3295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=hwclock exe=/usr/sbin/hwclock subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: hwclock,virt_qemu_ga_t,virt_qemu_ga_t,netlink_audit_socket,create

Comment 2 Marcelo Tosatti 2014-02-05 22:22:04 UTC
SELinux is preventing /usr/sbin/hwclock from read access on the chr_file rtc0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hwclock should be allowed read access on the rtc0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hwclock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:clock_device_t:s0
Target Objects                rtc0 [ chr_file ]
Source                        hwclock
Source Path                   /usr/sbin/hwclock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-2.24-2.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    1969-12-31 21:00:00 BRT
Last Seen                     1969-12-31 21:00:00 BRT
Local ID                      d8f0d0f2-426a-4f37-b739-a33aa1dbebd4

Raw Audit Messages
type=AVC msg=audit(0.3:575): avc:  denied  { read } for  pid=3295 comm="hwclock" name="rtc0" dev="devtmpfs" ino=1163 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file


type=AVC msg=audit(0.3:575): avc:  denied  { open } for  pid=3295 comm="hwclock" path="/dev/rtc0" dev="devtmpfs" ino=1163 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(0.3:575): arch=x86_64 syscall=open success=yes exit=EINTR a0=40623f a1=0 a2=3897db8280 a3=3897a85170 items=0 ppid=530 pid=3295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=hwclock exe=/usr/sbin/hwclock subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: hwclock,virt_qemu_ga_t,clock_device_t,chr_file,read

Comment 3 Marcelo Tosatti 2014-02-05 22:23:25 UTC
SELinux is preventing /usr/sbin/hwclock from getattr access on the file /etc/adjtime.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hwclock should be allowed getattr access on the adjtime file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hwclock /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:adjtime_t:s0
Target Objects                /etc/adjtime [ file ]
Source                        hwclock
Source Path                   /usr/sbin/hwclock
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-2.24-2.fc20.x86_64
Target RPM Packages           initscripts-9.50-1.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    1969-12-31 21:00:00 BRT
Last Seen                     1969-12-31 21:00:00 BRT
Local ID                      d031d677-beda-4c9b-8283-1b31ac8a6e52

Raw Audit Messages
type=AVC msg=audit(0.3:576): avc:  denied  { getattr } for  pid=3295 comm="hwclock" path="/etc/adjtime" dev="dm-1" ino=186535 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file


type=SYSCALL msg=audit(0.3:576): arch=x86_64 syscall=stat success=yes exit=0 a0=406248 a1=7fff0a400bf0 a2=7fff0a400bf0 a3=3897a85170 items=0 ppid=530 pid=3295 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=hwclock exe=/usr/sbin/hwclock subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: hwclock,virt_qemu_ga_t,adjtime_t,file,getattr

Comment 5 Laszlo Ersek 2014-02-07 13:50:45 UTC
Moving it over to our friendly SELinux developers who have helped us several times before with such problems. Thanks! :)

Comment 6 Marcelo Tosatti 2014-02-07 20:00:27 UTC
Patch for reference:

https://bugzilla.redhat.com/attachment.cgi?id=860298&action=diff

Comment 7 Miroslav Grepl 2014-02-10 08:17:26 UTC
We have fixes in Fedora. Will backport them.

Comment 10 Sibiao Luo 2014-02-10 09:41:51 UTC
Reproduce this issue with the same steps as comment #8.

host info:
# uname -r && rpm -q qemu-kvm
3.10.0-76.el7.x86_64
qemu-kvm-1.5.3-45.el7.x86_64
guest info:
3.10.0-76.el7.x86_64
qemu-guest-agent-1.5.3-45.el7.x86_64
selinux-policy-3.12.1-117.el7.noarch

Steps:
1. boot guest with virt-agent server, e.g.:
/usr/libexec/qemu-kvm...-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=org.qemu.guest_agent.0,bus=virtio-serial0.0,id=port1,nr=1

2. connect to the guest via guest-agent.
# nc -U /tmp/helloworld1

3. execute the "guest-set-time" command to settimeofday.
{ "execute": "guest-set-time", "arguments":{"time":1}}

Results:
after step 3, the "guest-set-time" command fails when SELinux is Enforcing.

#####SELinux Enforcing: 
guest]# setenforce 1
guest]# getenforce 
Enforcing
{ "execute": "guest-set-time", "arguments":{"time":1}}
{"error": {"class": "GenericError", "desc": "Failed to set time to guest: Operation not permitted"}}

guest]# grep qemu-ga /var/log/audit/audit.log
type=AVC msg=audit(1392053903.230:442): avc:  denied  { sys_time } for  pid=2688 comm="qemu-ga" capability=25  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=SYSCALL msg=audit(1392053903.230:442): arch=c000003e syscall=164 success=no exit=-1 a0=7fff00d294b0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

#####SELinux Permissive: 
guest]# setenforce 0
guest]# getenforce
Permissive

{ "execute": "guest-set-time", "arguments":{"time":1}}
{"return": {}}

guest]# grep qemu-ga /var/log/audit/audit.log
type=AVC msg=audit(1392053903.230:442): avc:  denied  { sys_time } for  pid=2688 comm="qemu-ga" capability=25  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=SYSCALL msg=audit(1392053903.230:442): arch=c000003e syscall=164 success=no exit=-1 a0=7fff00d294b0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1392053921.967:444): avc:  denied  { sys_time } for  pid=2688 comm="qemu-ga" capability=25  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=SYSCALL msg=audit(1392053921.967:444): arch=c000003e syscall=164 success=yes exit=0 a0=7fff00d294b0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2688 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(0.000:445): avc:  denied  { execute } for  pid=2720 comm="qemu-ga" name="hwclock" dev="dm-1" ino=34931315 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file
type=AVC msg=audit(0.000:445): avc:  denied  { read open } for  pid=2720 comm="qemu-ga" path="/usr/sbin/hwclock" dev="dm-1" ino=34931315 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file
type=AVC msg=audit(0.000:445): avc:  denied  { execute_no_trans } for  pid=2720 comm="qemu-ga" path="/usr/sbin/hwclock" dev="dm-1" ino=34931315 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file

Based on the above, mark qa_ack+ to it.

Best Regards,
sluo
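
As an added example (not part of this bug report or of the selinux-policy package), a small Python parser over the audit records quoted in comment #10: it merges the AVC records per event, derives the raw allow rule audit2allow would emit (the sys_time rule is what the later fix in comment #11 adds), and uses the paired SYSCALL record's success= field to tell an enforced denial from one that permissive mode only logged. The function names and the abridged sample log are constructed here.

```python
import re
# Constructed sample for this example: the AVC/SYSCALL records quoted in
# comment #10, SYSCALL records abridged to the fields the parser needs.
# syscall=164 on x86_64 is settimeofday; capability=25 is CAP_SYS_TIME.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1392053903.230:442): avc:  denied  { sys_time } for  pid=2688 comm="qemu-ga" capability=25  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=SYSCALL msg=audit(1392053903.230:442): arch=c000003e syscall=164 success=no exit=-1 pid=2688 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0
type=AVC msg=audit(1392053921.967:444): avc:  denied  { sys_time } for  pid=2688 comm="qemu-ga" capability=25  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability
type=SYSCALL msg=audit(1392053921.967:444): arch=c000003e syscall=164 success=yes exit=0 pid=2688 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0
type=AVC msg=audit(0.000:445): avc:  denied  { execute } for  pid=2720 comm="qemu-ga" name="hwclock" dev="dm-1" ino=34931315 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file
type=AVC msg=audit(0.000:445): avc:  denied  { read open } for  pid=2720 comm="qemu-ga" path="/usr/sbin/hwclock" dev="dm-1" ino=34931315 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:hwclock_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} '
    r'for .*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)')

def type_of(ctx):
    return ctx.split(':')[2]  # user:role:TYPE:level

def parse_denials(log):
    """Merge AVC records per (event serial, tclass) and pair each with its
    SYSCALL record: success=no means the denial was enforced, success=yes
    means permissive mode only logged it."""
    denials, failed = {}, {}
    for line in log.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = denials.setdefault((m['serial'], m['tclass']), {
                'source': type_of(m['sctx']), 'target': type_of(m['tctx']),
                'tclass': m['tclass'], 'perms': set(),
                'self': m['sctx'] == m['tctx']})
            rec['perms'].update(m['perms'].split())
            continue
        m = SYSCALL_RE.match(line)
        if m:
            failed[m['serial']] = m['success'] == 'no'
    for (serial, _), rec in denials.items():
        rec['enforced'] = failed.get(serial)  # None: no SYSCALL record seen
    return list(denials.values())

def allow_rule(rec):
    """Raw TE allow rule, as audit2allow would emit it. For hwclock_exec_t a
    maintainer would rather use refpolicy's hwclock_domtrans() interface."""
    target = 'self' if rec['self'] else rec['target']
    return "allow %s %s:%s { %s };" % (rec['source'], target, rec['tclass'],
                                       ' '.join(sorted(rec['perms'])))
```

Run against the sample, the first record yields `allow virt_qemu_ga_t self:capability { sys_time };` with enforced=True, the permissive repeat at serial 444 yields the same rule with enforced=False, and the hwclock records collapse into one file rule.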

Comment 11 Miroslav Grepl 2014-02-10 11:55:32 UTC
commit c82f18e5e45019a53b671d25f6dc98a17857ee5e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Feb 10 12:51:20 2014 +0100

    Add sys_time capability for qemu-ga

Comment 19 Sibiao Luo 2014-02-17 05:02:02 UTC
Verified this issue with the same steps as comment #10 on the fixed selinux-policy-3.12.1-125.el7, manually on our side.

host info:
# uname -r && rpm -q qemu-kvm
3.10.0-86.el7.x86_64
qemu-kvm-1.5.3-47.el7.x86_64

guest info:
3.10.0-86.el7.x86_64
qemu-guest-agent-1.5.3-47.el7.x86_64
selinux-policy-3.12.1-125.el7.noarch
selinux-policy-targeted-3.12.1-125.el7.noarch

Steps:
the same to comment #10.

Results:
after step 3, the "guest-set-time" command executes successfully with SELinux in Enforcing or Permissive mode.

#####SELinux Enforcing mode: 
guest]# setenforce 1
guest]# getenforce 
Enforcing
{ "execute": "guest-set-time", "arguments":{"time":1}}
{"return": {}}

guest]# grep qemu-ga /var/log/audit/audit.log
                     <------nothing output

#####SELinux Permissive mode: 
guest]# setenforce 0
guest]# getenforce
Permissive

{ "execute": "guest-set-time", "arguments":{"time":1}}
{"return": {}}

guest]# grep qemu-ga /var/log/audit/audit.log
                     <------nothing output

Best Regards,
sluo

Comment 20 Sibiao Luo 2014-02-17 05:03:26 UTC
According to comment #10, comment #18 and comment #19, I think this issue has been fixed correctly; please correct me if there is any mistake and feel free to move it to VERIFIED status, thanks.

Comment 21 Ludek Smid 2014-06-13 13:27:04 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
