Bug 1260835 - cimserver is blocked by SELinux
Summary: cimserver is blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1152104
Reported: 2015-09-08 02:24 UTC by Shanzhi Yu
Modified: 2016-11-04 02:22 UTC (History)

Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:22:03 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2016:2283 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2016-11-03 13:36:25 UTC

Description Shanzhi Yu 2015-09-08 02:24:52 UTC
Description of problem:

cimserver is blocked by SELinux

Version-Release number of selected component (if applicable):

# uname -r && rpm -q selinux-policy libvirt-cim tog-pegasus sblim-sfcb 
3.10.0-308.el7.x86_64
selinux-policy-3.13.1-45.el7.noarch
libvirt-cim-0.6.3-19.el7.x86_64
tog-pegasus-2.14.1-2.el7.x86_64
sblim-sfcb-1.3.16-12.el7_0.x86_64

How reproducible:
100%

Steps to Reproduce:

1. test tog-pegasus with SELinux enabled

1.1 enable SELinux
# getenforce 
Enforcing
1.2 run test 
# CIM_NS=root/virt CIM_USER=root CIM_PASS=redhat ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: FAIL
ERROR 	- Got CIM error CIM_ERR_FAILED: SystemSettings Error with return code 1
ERROR 	- Failed to define a domain with the name domU1 from virsh
InvokeMethod(DefineSystem): CIM_ERR_FAILED: SystemSettings Error
--------------------------------------------------------------------

1.3 audit log

#  cat /var/log/audit/audit.log | grep cimprovagt
type=AVC msg=audit(1440758836.949:19700): avc:  denied  { getattr } for  pid=30710 comm="cimprovagt" path="/usr/libexec/qemu-kvm" dev="sda1" ino=4073774 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1440758836.949:19700): arch=c000003e syscall=4 success=no exit=-13 a0=7ff9e4124b10 a1=7ffa26a90080 a2=7ffa26a90080 a3=7ffa47d5a1e8 items=0 ppid=1 pid=30710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_t:s0 key=(null)

2. test tog-pegasus with SELinux disabled

2.1 disable SELinux
# getenforce 
Permissive

2.2 run test 
# CIM_NS=root/virt CIM_USER=root CIM_PASS=redhat ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------

3. test sblim-sfcb with SELinux enabled

3.1 enable SELinux
# getenforce 
Enforcing

3.2 run test 
# CIM_NS=root/virt CIM_USER=root CIM_PASS=redhat ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: FAIL
ERROR 	- Got CIM error SystemSettings Error with return code 1
ERROR 	- Failed to define a domain with the name domU1 from virsh
InvokeMethod(DefineSystem): SystemSettings Error
--------------------------------------------------------------------

3.3 audit log
#  grep avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1440759396.592:19896): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1440759396.740:19901): avc:  denied  { getattr } for  pid=17137 comm="sfcbd" path="/usr/libexec/qemu-kvm" dev="sda1" ino=4073774 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file


4. test sblim-sfcb with SELinux disabled

4.1 disable SELinux
# getenforce 
Permissive

4.2 run test 

# CIM_NS=root/virt CIM_USER=root CIM_PASS=redhat ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------

Actual results:


Expected results:


Additional info:

Comment 2 Milos Malik 2015-09-08 07:49:20 UTC
# yum -y -q install selinux-policy-devel
# cat bz1260835.te 
module bz1260835 1.0;

require {
  type pegasus_t;
  type qemu_exec_t;
  class file getattr;
}

allow pegasus_t qemu_exec_t:file getattr;
# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1260835 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1260835.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1260835.mod
Creating targeted bz1260835.pp policy package
rm tmp/bz1260835.mod.fc tmp/bz1260835.mod
# semodule -i bz1260835.pp
#

Does it work in enforcing mode now? Are there any other AVCs?
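Parsing the AVC records quoted in this bug and deriving the matching allow rules the way Comment 2 did by hand, as an added example that is not part of this bug report or of selinux-policy. It also checks which of the quoted denials the bz1260835.te module from Comment 2 actually covers (the sfcbd denial under sblim_sfcbd_t is not, so a second rule is needed); the module name bz1260835_v2 is an assumption.

```python
import re
# Audit records copied from this bug report: the cimprovagt (pegasus_t) and sfcbd
# (sblim_sfcbd_t) denials, plus the USER_AVC setenforce notice that "grep avc" also matched.
AVC_LINES = [
    'type=AVC msg=audit(1440758836.949:19700): avc:  denied  { getattr } for  pid=30710 comm="cimprovagt" path="/usr/libexec/qemu-kvm" dev="sda1" ino=4073774 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file',
    'type=USER_AVC msg=audit(1440759396.592:19896): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?\'',
    'type=AVC msg=audit(1440759396.740:19901): avc:  denied  { getattr } for  pid=17137 comm="sfcbd" path="/usr/libexec/qemu-kvm" dev="sda1" ino=4073774 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file',
]
# The only rule Comment 2's bz1260835.te grants: (source type, target type, class) -> perms.
COMMENT2_RULES = {("pegasus_t", "qemu_exec_t", "file"): frozenset({"getattr"})}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None  # USER_AVC notices, SYSCALL records and granted AVCs are skipped
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    stype = fields["scontext"].split(":")[2]  # user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())

def allow_rules(denials):
    """One rule per (source, target, class), granting only the permissions actually denied."""
    merged = {}
    for stype, ttype, tclass, perms in denials:
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return {key: frozenset(perms) for key, perms in merged.items()}

def is_covered(denial, rules):
    """True when an existing rule already grants every permission the denial asked for."""
    stype, ttype, tclass, perms = denial
    return perms <= rules.get((stype, ttype, tclass), frozenset())

def render_module(name, rules):
    """Render rules as a .te module in the same shape as bz1260835.te from Comment 2."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"  type {t};" for t in types]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    denials = [d for d in map(parse_avc, AVC_LINES) if d]
    print([d[0] for d in denials if not is_covered(d, COMMENT2_RULES)])  # ['sblim_sfcbd_t']
    print(render_module("bz1260835_v2", allow_rules(denials)))
```

The rendered module can be built and loaded with the same `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps shown in Comment 2; because only the denied permissions are granted, it stays as narrow as the hand-written rule.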

Comment 3 Shanzhi Yu 2015-09-08 09:33:10 UTC
Hi Milos,

Seems it works for me.

# getenforce 
Enforcing


# CIM_NS=root/virt CIM_USER=root CIM_PASS=redhat ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------

Comment 7 Miroslav Grepl 2015-12-18 10:46:53 UTC
Could we get AVC from permissive mode?

Thank you.

Comment 16 errata-xmlrpc 2016-11-04 02:22:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

