Bug 1274958 - SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: systemd
rawhide
x86_64 Linux
high Severity high
Assigned To: systemd-maint
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
Reported: 2015-10-24 00:42 EDT by poma
Modified: 2016-01-16 04:12 EST (History)
10 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-16 04:12:18 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description poma 2015-10-24 00:42:47 EDT
Description of problem:
SE breaks spice-vdagent overall functionality.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-155.fc24.noarch

How reproducible:
101%

Steps to Reproduce:
1. Run Fedora-Live-Xfce-x86_64-rawhide-20151022.iso within libvirt domain.

Actual results:
spice-vdagent doesn't work.

Expected results:
spice-vdagent works.

Additional info:

# sealert -a /var/log/audit/audit.log 
100% done
found 4 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-155.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.3.0-0.rc6.git1.1.fc24.x86_64 #1
                              SMP Tue Oct 20 15:25:10 UTC 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-10-24 00:14:21 EDT
Last Seen                     2015-10-24 00:15:05 EDT
Local ID                      d837d7be-1b97-44ea-bb49-cdbfb9974702

Raw Audit Messages
type=AVC msg=audit(1445660105.724:741): avc:  denied  { getattr } for  pid=1202 comm="spice-vdagentd" name="/" dev="tmpfs" ino=1181 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr

--------------------------------------------------------------------------------

# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# cat mypol.te 

module mypol 1.0;

require {
	type tmpfs_t;
	type vdagent_t;
	class filesystem getattr;
}

#============= vdagent_t ==============
allow vdagent_t tmpfs_t:filesystem getattr;
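As an added example (not code from this bug report or from the selinux-policy project), the script below parses the AVC lines quoted above, reconstructs the same allow rule that audit2allow wrote into mypol.te, and flags the pattern behind this report: a denial on a filesystem root whose type (tmpfs_t) is not the one policy expects for that mount (cgroup_t), which points at a labeling problem rather than a missing rule. The sample audit text is constructed from the lines on this page; the expected type is supplied by the caller.

```python
import re

# Constructed sample: the two AVC lines quoted in this report plus one
# non-AVC line, so the parser has something to skip.
SAMPLE_AUDIT = """\
type=SERVICE_START msg=audit(1447435209.085:96): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=spice-vdagentd res=success'
type=AVC msg=audit(1445660105.724:741): avc:  denied  { getattr } for  pid=1202 comm="spice-vdagentd" name="/" dev="tmpfs" ino=1181 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1447435217.843:504): avc:  denied  { getattr } for  pid=998 comm="spice-vdagentd" name="/" dev="tmpfs" ino=10199 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) "
    r'comm="(?P<comm>[^"]+)"(?: name="(?P<name>[^"]*)")?(?: dev="(?P<dev>[^"]+)")?.*?'
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ "
    r"tclass=(?P<tclass>\w+)"
)

def parse_avc(text):
    """Return one dict per AVC denial with the fields policy analysis needs."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = frozenset(d["perms"].split())
            denials.append(d)
    return denials

def allow_rules(denials):
    """Merge denials into the allow lines audit2allow would emit in a .te file."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return rules

def mislabel_suspect(denial, expected_type):
    """True when a filesystem-class denial hits a mount root ("/") whose type is
    not the one policy expects there: relabel the mount instead of adding a rule."""
    return (denial["tclass"] == "filesystem" and denial["name"] == "/"
            and denial["ttype"] != expected_type)

if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    print("\n".join(allow_rules(found)))
    for d in found:
        print(d["comm"], d["pid"], "mislabel suspect:", mislabel_suspect(d, "cgroup_t"))
```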
Comment 1 Miroslav Grepl 2015-11-11 03:20:39 EST
Could you please add your output of 

ls -lZ /sys/fs/cgroup/
Comment 2 poma 2015-11-13 12:41:30 EST
# systemctl status spice-vdagentd.service
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2015-11-13 12:20:09 EST; 13min ago
  Process: 989 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/SUCCESS)
  Process: 984 ExecStartPre=/bin/rm -f /var/run/spice-vdagentd/spice-vdagent-sock (code=exited, status=0/SUCCESS)
 Main PID: 998 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─998 /usr/sbin/spice-vdagentd

Nov 13 12:20:08 localhost systemd[1]: Starting Agent daemon for Spice guests...
Nov 13 12:20:09 localhost systemd[1]: Started Agent daemon for Spice guests.
Nov 13 12:20:17 localhost spice-vdagentd[998]: Error getting session for pid 1831: Permission denied


# ps uq 1831
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
liveuser  1831  0.0  0.1  38948  2056 ?        Ss   12:20   0:00 /usr/bin/spice-vdagent


# grep -i spice /var/log/audit/audit.log 
type=SERVICE_START msg=audit(1447435209.085:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=spice-vdagentd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1447435217.843:504): avc:  denied  { getattr } for  pid=998 comm="spice-vdagentd" name="/" dev="tmpfs" ino=10199 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


# ll -Z /sys/fs/cgroup/
total 0
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 blkio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpu -> cpu,cpuacct
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  11 Nov 13 12:19 cpuacct -> cpu,cpuacct
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 cpu,cpuacct
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 cpuset
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 devices
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 freezer
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 hugetlb
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 memory
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_cls -> net_cls,net_prio
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 net_cls,net_prio
lrwxrwxrwx. 1 root root system_u:object_r:tmpfs_t:s0  16 Nov 13 12:19 net_prio -> net_cls,net_prio
dr-xr-xr-x. 2 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 perf_event
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:31 pids
dr-xr-xr-x. 5 root root system_u:object_r:cgroup_t:s0  0 Nov 13 12:29 systemd


# rpm -q selinux-policy-targeted 
selinux-policy-targeted-3.13.1-157.fc24.noarch


Tested with:
Fedora-Live-Xfce-x86_64-rawhide-20151110.iso
Comment 3 Miroslav Grepl 2015-11-20 07:43:34 EST
Thank you. The problem is with /sys/fs/cgroup/ labeling.
Comment 4 poma 2015-12-08 12:45:37 EST
Pan Vrabec, here's another one bothering us for a long time, if you can fix it also.

# sealert -a /var/log/audit/audit.log 
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing spice-vdagentd from getattr access on the filesystem /sys/fs/cgroup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that spice-vdagentd should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep spice-vdagentd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:vdagent_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /sys/fs/cgroup [ filesystem ]
Source                        spice-vdagentd
Source Path                   spice-vdagentd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-162.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.4.0-0.rc3.git4.1.fc24.x86_64 #1
                              SMP Fri Dec 4 16:10:15 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-08 12:27:53 EST
Last Seen                     2015-12-08 12:27:53 EST
Local ID                      3e331eed-9799-4e5d-9de9-889d4bc53368

Raw Audit Messages
type=AVC msg=audit(1449595673.876:163): avc:  denied  { getattr } for  pid=1057 comm="spice-vdagentd" name="/" dev="tmpfs" ino=195 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0


Hash: spice-vdagentd,vdagent_t,tmpfs_t,filesystem,getattr
Comment 5 Miroslav Grepl 2015-12-23 08:23:12 EST
Moving to systemd. They need to also fix labeling for /sys/fs/cgroup mount point.
Comment 6 poma 2016-01-16 04:12:18 EST
Since there is no response from both, upstream and downstream.
