Description of problem:
qga command "guest-set-user-password" can't get expected result. Instead, it gives an error msg: "child process has failed to set user password"

Version-Release number of selected component (if applicable):
Host&guest kernel: 3.10.0-493.el7.ppc64le
qemu-kvm-rhev-2.6.0-22.el7

How reproducible:
3/3

Steps to Reproduce:
1. Boot up guest with qemu-guest-agent params.
/usr/libexec/qemu-kvm \
...
-device virtio-serial-pci,id=virtio_serial_pci0,bus=pci.0,addr=03,disable-legacy=off,disable-modern=on \
-chardev socket,path=/tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA,nowait,id=idNMrD6X,server \
-device virtserialport,bus=virtio_serial_pci0.0,name=org.qemu.guest_agent.0,chardev=idNMrD6X,id=id2ILF12 \
...
2. After guest boot up, connect guest with nc tool, and send guest-set-user-password cmd
[root@ibm-p8-rhevm-13 ~]# nc -U /tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
3. Check the result of the command

Actual results:
Can't change the password of guest.
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
{"error": {"class": "GenericError", "desc": "child process has failed to set user password"}}

Expected results:
The command can return "{}", and the password can be changed.

Additional info:
Stop the qemu-guest-agent.service, and run the qemu-ga application manually; it works well.
Guest boot cmd:
/usr/libexec/qemu-kvm \
-name 'avocado-vt-vm1' \
-sandbox off \
-machine pseries \
-nodefaults \
-vga std \
-device virtio-serial-pci,id=virtio_serial_pci0,bus=pci.0,addr=03,disable-legacy=off,disable-modern=on \
-chardev socket,path=/tmp/virtio_port-org.qemu.guest_agent.0-20160824-013223-NfyNFKcA,nowait,id=idNMrD6X,server \
-device virtserialport,bus=virtio_serial_pci0.0,name=org.qemu.guest_agent.0,chardev=idNMrD6X,id=id2ILF12 \
-device pci-ohci,id=usb1,bus=pci.0,addr=04 \
-device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pci.0,addr=05,disable-legacy=off,disable-modern=on \
-drive id=drive_image1,if=none,snapshot=on,aio=threads,cache=none,format=qcow2,file=/home/staf-kvm-devel/workspace/usr/share/avocado/data/avocado-vt/images/RHEL-Server-7.3-ppc64le-virtio-scsi.qcow2 \
-device scsi-hd,id=image1,drive=drive_image1 \
-device virtio-net-pci,mac=9a:2b:2c:2d:2e:2f,id=id7nBMZ4,vectors=4,netdev=idcM2plM,bus=pci.0,addr=06,disable-legacy=off,disable-modern=on \
-netdev tap,id=idcM2plM,vhost=on \
-m 8192 \
-smp 8,maxcpus=8,cores=4,threads=1,sockets=2 \
-device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
-device usb-kbd \
-device usb-mouse \
-vnc :0 \
-rtc base=utc,clock=host \
-boot order=cdn,once=c,menu=off,strict=off \
-enable-kvm \
-monitor stdio
Tried with SELinux closed, and it works well. So the problem may be related to how to let the cmd "guest-set-user-password" work under SELinux.
There is a bug about qemu-ga running under SELinux:
https://bugzilla.redhat.com/show_bug.cgi?id=1243458
This bug has been fixed before, so I am marking this bug with the Regression keyword. If this is not the same problem, please change it back.
After fork/exec, chpasswd checks SELinux permissions:

status = selinux_check_access(user_context, user_context, "passwd", "passwd", NULL);

and status = -1. There is nothing in log/messages.

Moving to selinux-policy for further help/fix.
Hi,

Could you re-test the scenario in permissive mode:
# setenforce 0

and after the test attach the output of:
# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

Thank you.
Guest:
[root@localhost ~]# setenforce 0
[root@localhost ~]#

Host: guest agent:
{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "a3ZtYXV0b3Rlc3Q="}}
{"return": {}}

Guest:
[root@localhost ~]# ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
----
time->Fri Sep 2 20:59:23 2016
type=USER_AVC msg=audit(1472821163.758:116): pid=3062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Sep 2 20:59:48 2016
type=USER_AVC msg=audit(1472821188.203:118): pid=3109 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Sep 2 21:00:01 2016
type=USER_AVC msg=audit(1472821201.682:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Hi,

Could you load a local policy and then try to reproduce it in enforcing state?

1. # setenforce 1
2. $ cat virt_qemu_passwd.cil
   (allow virt_qemu_ga_t self (passwd (passwd)))
3. # semodule -i virt_qemu_passwd.cil
4. Reproduce the scenario.

If it works, I'll add fixes.
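How the USER_AVC denials in the ausearch output map onto the one-line CIL rule proposed above, shown as an added example that is not part of the original report or of any SELinux tool. The function names parse_denials and cil_rules are hypothetical; the sample records are copied from the ausearch output in this report.

```python
import re

# Sample input: the three USER_AVC records from the ausearch output in this
# report (two denials from chpasswd, one setenforce notice from systemd).
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1472821163.758:116): pid=3062 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1472821188.203:118): pid=3109 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:passwd_t:s0 msg='avc: denied { passwd } for scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=passwd exe="/usr/sbin/chpasswd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1472821201.682:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# "avc: denied { perm ... } for key=value ..." ; spacing varies between tools.
DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Return one dict per AVC denial; notices and other records are skipped."""
    denials = []
    for line in log.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(m.group("rest")))
        denials.append({
            "perms": m.group("perms").split(),
            # An SELinux context is user:role:type:level; policy rules use the type.
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "exe": fields.get("exe", "").strip('"'),
        })
    return denials

def cil_rules(denials):
    """Merge denials into de-duplicated CIL allow rules, one per (source, target, class)."""
    merged = {}
    for d in denials:
        # Same source and target type is written as "self" in the rule.
        target = "self" if d["source"] == d["target"] else d["target"]
        merged.setdefault((d["source"], target, d["tclass"]), set()).update(d["perms"])
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(cil_rules(parse_denials(SAMPLE_LOG))))
```

Note that subj= in these records is passwd_t (chpasswd, the userspace object manager doing the check), while the denied source context is virt_qemu_ga_t, which is why the rule is written for virt_qemu_ga_t.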
Hi,

It works with the given method.

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# cat virt_qemu_passwd.cil
(allow virt_qemu_ga_t self (passwd (passwd)))
[root@localhost ~]# semodule -i virt_qemu_passwd.cil
[root@localhost ~]#

{"execute": "guest-set-user-password", "arguments": {"crypted": false, "username": "root", "password": "MTIzNDU2"}}
{"return": {}}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html