1571202 – SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1571202 - SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file

Summary: SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (1):	1618839 (view as bug list)
Depends On:
Blocks:	1631788
TreeView+	depends on / blocked

Reported:	2018-04-24 09:50 UTC by Tomáš Golembiovský
Modified:	2022-03-13 14:54 UTC (History)
CC List:	18 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Previously, the SELinux security policy for the QEMU guest agent was too tight and certain rules were missing. As a consequence, the qemu-guest-agent process was not able to read and lock the /run/utmp file. With this update, the missing rules have been added to the policy, and qemu-guest-agent is now able to read and lock /run/utmp.
Clone Of:
Clones:	1631788 (view as bug list)
Environment:
Last Closed:	2018-10-30 10:03:16 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3588761	0	None	None	None	2018-08-28 10:34:20 UTC
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:04:01 UTC

Description Tomáš Golembiovský 2018-04-24 09:50:25 UTC

We are backporting several features of qemu-guest-agent into RHEL 7.5 and there appears to be a selinux issue where the agent cannot access utmp:

Content of audit.log:

type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f632f9db048 a1=80000 a2=7f632f9db039 a3=0 items=0 ppid=1 pid=1327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63

Comment 3 Paul Stauffer 2018-08-22 19:08:52 UTC

I don't see any specific package versions mentioned here, but with the release of qemu-guest-agent-2.8.0-2.el7_5.1.x86_64 a few days ago, which includes the comment "Backport some features to 2.8 in RHEL 7.5" in its changelog, all of my EL7 VMs have started throwing the AVC denial shown above every few seconds.

I'm not sure exactly what the implications are of the guest agent not being allowed to read from utmp (at a glance, basic agent functions appear to be working) so I'm not sure how serious this us, aside from a massive flood of logs.

I note that this bug is still ON_QA.  Should this have been marked as a blocker for Bug 1598210?

Comment 4 Tomáš Golembiovský 2018-08-22 19:44:11 UTC

(In reply to Paul Stauffer from comment #3)

> I'm not sure exactly what the implications are of the guest agent not being
> allowed to read from utmp (at a glance, basic agent functions appear to be
> working) so I'm not sure how serious this us, aside from a massive flood of
> logs.

The issue guest-get-users command does not work as QEMU-GA cannot get list of the users.

> 
> I note that this bug is still ON_QA.  Should this have been marked as a
> blocker for Bug 1598210?

Maybe it should have, but that depends on the difficulty of the fix. We certainly wouldn't want to block the release of the other working features because of this.

Comment 8 Lukas Vrabec 2018-09-17 15:00:02 UTC

*** Bug 1618839 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2018-10-30 10:03:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Comment 16 Michael Watters 2019-02-14 19:37:25 UTC

Still seeing this on servers running RHEL 7.6.  For example, the following error is shown in the audit logs repeatedly.

type=PROCTITLE msg=audit(1550172885.138:415972): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 17 Aram Agajanian 2019-02-14 23:40:31 UTC

(In reply to Michael Watters from comment #16)
> Still seeing this on servers running RHEL 7.6.  For example, the following
> error is shown in the audit logs repeatedly.
> 
> type=PROCTITLE msg=audit(1550172885.138:415972):
> proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D7
> 3657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D
> 752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652
> D6F70656E2C67756573742D66696C652D63
> type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for 
> pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
> scontext=system_u:system_r:virt_qemu_ga_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file

I believe that is bug #1630347.

Note You need to log in before you can comment on or make changes to this bug.