Bug 1571202 - SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file
Summary: SELinux prevents qemu-guest-agent from reading+locking the /run/utmp file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Duplicates: 1618839
Depends On:
Blocks: 1631788
Reported: 2018-04-24 09:50 UTC by Tomáš Golembiovský
Modified: 2019-02-14 23:40 UTC
CC List: 18 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the SELinux security policy for the QEMU guest agent was too tight and certain rules were missing. As a consequence, the qemu-guest-agent process was not able to read and lock the /run/utmp file. With this update, the missing rules have been added to the policy, and qemu-guest-agent is now able to read and lock /run/utmp.
Clone Of:
Clones: 1631788
Environment:
Last Closed: 2018-10-30 10:03:16 UTC
Target Upstream Version:



Links:
Red Hat Knowledge Base (Solution) 3588761 (last updated 2018-08-28 10:34:20 UTC)
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:04:01 UTC)

Description Tomáš Golembiovský 2018-04-24 09:50:25 UTC
We are backporting several features of qemu-guest-agent into RHEL 7.5 and there appears to be a selinux issue where the agent cannot access utmp:

Content of audit.log:

type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f632f9db048 a1=80000 a2=7f632f9db039 a3=0 items=0 ppid=1 pid=1327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63

Comment 3 Paul Stauffer 2018-08-22 19:08:52 UTC
I don't see any specific package versions mentioned here, but with the release of qemu-guest-agent-2.8.0-2.el7_5.1.x86_64 a few days ago, which includes the comment "Backport some features to 2.8 in RHEL 7.5" in its changelog, all of my EL7 VMs have started throwing the AVC denial shown above every few seconds.

I'm not sure exactly what the implications are of the guest agent not being allowed to read from utmp (at a glance, basic agent functions appear to be working) so I'm not sure how serious this is, aside from a massive flood of logs.

I note that this bug is still ON_QA.  Should this have been marked as a blocker for Bug 1598210?

Comment 4 Tomáš Golembiovský 2018-08-22 19:44:11 UTC
(In reply to Paul Stauffer from comment #3)

> I'm not sure exactly what the implications are of the guest agent not being
> allowed to read from utmp (at a glance, basic agent functions appear to be
> working) so I'm not sure how serious this is, aside from a massive flood of
> logs.

The issue is that the guest-get-users command does not work, as QEMU-GA cannot get the list of users.

> 
> I note that this bug is still ON_QA.  Should this have been marked as a
> blocker for Bug 1598210?

Maybe it should have, but that depends on the difficulty of the fix. We certainly wouldn't want to block the release of the other working features because of this.

Comment 8 Lukas Vrabec 2018-09-17 15:00:02 UTC
*** Bug 1618839 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2018-10-30 10:03:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Comment 16 Michael Watters 2019-02-14 19:37:25 UTC
Still seeing this on servers running RHEL 7.6.  For example, the following error is shown in the audit logs repeatedly.

type=PROCTITLE msg=audit(1550172885.138:415972): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Comment 17 Aram Agajanian 2019-02-14 23:40:31 UTC
(In reply to Michael Watters from comment #16)
> Still seeing this on servers running RHEL 7.6.  For example, the following
> error is shown in the audit logs repeatedly.
> 
> type=PROCTITLE msg=audit(1550172885.138:415972):
> proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D7
> 3657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D
> 752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652
> D6F70656E2C67756573742D66696C652D63
> type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for 
> pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
> scontext=system_u:system_r:virt_qemu_ga_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file

I believe that is bug #1630347.
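
As an added example (not part of the bug report or of the selinux-policy package), the following Python triage script parses the AVC records quoted in the description and in comment 16, decodes the hex PROCTITLE field, and aggregates the denials into the allow rules audit2allow would propose; the output makes it visible that comment 16's denial targets proc_net_t, a different object type from the initrc_var_run_t denial this bug fixed. The regex field names and the shortened PROCTITLE record are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug (comment 0 and
# comment 16) plus a shortened PROCTITLE record, so this runs without audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r' tclass=(?P<tclass>\w+)')
PROCTITLE_RE = re.compile(r'type=PROCTITLE .*?proctitle=(?P<hex>[0-9A-Fa-f]+)')

def parse_avc(line):
    """Source type, target type, object class and denied permissions, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = sorted(d["perms"].split())
    return d

def decode_proctitle(hex_str):
    """PROCTITLE is argv hex-encoded with NUL separators; return it as a list."""
    return bytes.fromhex(hex_str).decode("utf-8", "replace").split("\x00")

def suggest_rules(lines):
    """Aggregate denials per (source, target, class) into allow rules, the way
    audit2allow summarises them.  The kernel logs only the permission that
    failed on this access (the open for read), so a later 'lock' denial will
    surface only after read is granted and the agent is exercised again."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            needed[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LOG.splitlines():
        pm = PROCTITLE_RE.search(line)
        if pm:
            print("argv:", decode_proctitle(pm.group("hex")))
    for rule in suggest_rules(SAMPLE_AUDIT_LOG.splitlines()):
        print(rule)
```

The generated rules are a triage aid for comparing a host's denials against what the vendor policy update (RHBA-2018:3111) grants; a denial whose target type differs, as in comment 16, is a separate policy gap and not evidence that the errata failed to apply.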

