Bug 1426106 - SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 3278.
Summary: SELinux is preventing qemu-system-x86 from 'search' accesses on the directory...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:41235b9e601922d1e9cf5875fed...
Depends On: 1413298
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-23 08:17 UTC by Han Han
Modified: 2017-08-01 15:22 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1413298
Environment:
Last Closed: 2017-08-01 15:22:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
The script of reproducing (274 bytes, application/x-shellscript)
2017-02-23 08:17 UTC, Han Han
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Han Han 2017-02-23 08:17:15 UTC
Created attachment 1256832 [details]
The script of reproducing

+++ This bug was initially created as a clone of Bug #1413298 +++

Description of problem:
I turned off virtual machine.

BTW the searched pid 3278 was pid of libvirt

sh# find /proc/ -inum 32545
/proc/3278
sh# ls -l /proc/3278/exe 
lrwxrwxrwx. 1 root root 0 Jan 13 18:45 /proc/3278/exe -> /usr/sbin/libvirtd
SELinux is preventing qemu-system-x86 from 'search' accesses on the directory 3278.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed search access on the 3278 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c180,c609
Target Context                system_u:system_r:virtd_t:s0-s0:c0.c1023
Target Objects                3278 [ dir ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-233.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.15-300.fc25.x86_64 #1 SMP Thu
                              Dec 15 23:10:23 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-01-14 17:39:01 CET
Last Seen                     2017-01-14 17:39:01 CET
Local ID                      5417c5fe-d046-4191-8de3-20d5c6cf25e3

Raw Audit Messages
type=AVC msg=audit(1484411941.773:906): avc:  denied  { search } for  pid=21632 comm="qemu-system-x86" name="3278" dev="proc" ino=32545 scontext=system_u:system_r:svirt_t:s0:c180,c609 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0


Hash: qemu-system-x86,svirt_t,virtd_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-233.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.8.15-300.fc25.x86_64
type:           libreport

AVC deny occurs when destroying the VM.
This bug can be reproduced on:
selinux-policy-3.13.1-121.el7.noarch
qemu-kvm-rhev-2.8.0-4.el7.x86_64
libvirt-3.0.0-2.el7.x86_64

Not reproduced on RHEL7.3:
selinux-policy-3.13.1-102.el7_3.15.noarch
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
libvirt-2.0.0-10.el7_3.4.x86_64

Marked as regression.

Comment 5 errata-xmlrpc 2017-08-01 15:22:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861


Note You need to log in before you can comment on or make changes to this bug.