Previously, the SELinux security policy for the QEMU guest agent was too tight and certain rules were missing. As a consequence, the qemu-guest-agent process was not able to read and lock the /run/utmp file. With this update, the missing rules have been added to the policy, and qemu-guest-agent is now able to read and lock /run/utmp.
Description Tomáš Golembiovský 2018-04-24 09:50:25 UTC
We are backporting several features of qemu-guest-agent into RHEL 7.5 and there appears to be an SELinux issue where the agent cannot access utmp:
Content of audit.log:
type=AVC msg=audit(1524563196.869:178): avc: denied { read } for pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 a0=7f632f9db048 a1=80000 a2=7f632f9db039 a3=0 items=0 ppid=1 pid=1327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=PROCTITLE msg=audit(1524563196.869:178): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
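The AVC record above carries everything needed to work out which policy rule is missing: the source domain (virt_qemu_ga_t), the target type (initrc_var_run_t), the object class (file) and the denied permission set. The following is an added example, not code from this bug or from the qemu-guest-agent or selinux-policy projects: it parses AVC records the way audit2allow does and renders one allow rule per (source, target, class) triple. The sample log is constructed; the first record is the one from this report, the second is a hypothetical lock denial of the kind that surfaces once read is permitted, and the third is the proc_net_t denial reported later in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input (not a real audit.log capture). Record 1 is the
# denial from this bug; record 2 is a hypothetical follow-on denial for the
# lock qemu-ga takes on /run/utmp; record 3 is an unrelated denial, included
# to show that rules are grouped per source/target/class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1524563196.869:178): avc:  denied  { read } for  pid=1327 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1524563196.869:178): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-ga" exe="/usr/bin/qemu-ga"
type=AVC msg=audit(1524563200.001:181): avc:  denied  { lock } for  pid=1327 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13654 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# Tolerates the double spaces of a real audit.log as well as the single
# spaces left by copy/paste into a bug tracker.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = sorted(rec["perms"].split())
    # A context is user:role:type[:range]; allow rules are written in terms
    # of the type component.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denied[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(denied)


def allow_rules(summary):
    """Render one type-enforcement allow rule per key, audit2allow style."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Two caveats when reading output like this against a thread such as this one. First, an AVC record names only the permission the kernel rejected in that particular access check: qemu-ga's open() failed on read, so the lock denial could not show up until read was permitted, which is why the errata text speaks of both read and lock even though the posted log shows only read. Second, rules derived from denials are a diagnostic aid for a bug report, not a hardening step; on a RHEL host the same grouping comes from `ausearch -m AVC -c qemu-ga | audit2allow`, and the correct fix is the updated selinux-policy package rather than a locally generated module.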
Comment 3 Paul Stauffer
I don't see any specific package versions mentioned here, but with the release of qemu-guest-agent-2.8.0-2.el7_5.1.x86_64 a few days ago, which includes the comment "Backport some features to 2.8 in RHEL 7.5" in its changelog, all of my EL7 VMs have started throwing the AVC denial shown above every few seconds.
I'm not sure exactly what the implications are of the guest agent not being allowed to read from utmp (at a glance, basic agent functions appear to be working) so I'm not sure how serious this is, aside from a massive flood of logs.
I note that this bug is still ON_QA. Should this have been marked as a blocker for Bug 1598210?
Comment 4 Tomáš Golembiovský 2018-08-22 19:44:11 UTC
(In reply to Paul Stauffer from comment #3)
> I'm not sure exactly what the implications are of the guest agent not being
> allowed to read from utmp (at a glance, basic agent functions appear to be
> working) so I'm not sure how serious this us, aside from a massive flood of
> logs.
The issue is that the guest-get-users command does not work, as QEMU-GA cannot get the list of users.
>
> I note that this bug is still ON_QA. Should this have been marked as a
> blocker for Bug 1598210?
Maybe it should have, but that depends on the difficulty of the fix. We certainly wouldn't want to block the release of the other working features because of this.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111
Comment 16 Michael Watters
Still seeing this on servers running RHEL 7.6. For example, the following error is shown in the audit logs repeatedly.
type=PROCTITLE msg=audit(1550172885.138:415972): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1550172885.138:415973): avc: denied { read } for pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
(In reply to Michael Watters from comment #16)
> Still seeing this on servers running RHEL 7.6. For example, the following
> error is shown in the audit logs repeatedly.
>
> type=PROCTITLE msg=audit(1550172885.138:415972):
> proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D7
> 3657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D
> 752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652
> D6F70656E2C67756573742D66696C652D63
> type=AVC msg=audit(1550172885.138:415973): avc: denied { read } for
> pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
> scontext=system_u:system_r:virt_qemu_ga_t:s0
> tcontext=system_u:object_r:proc_net_t:s0 tclass=file
I believe that is bug #1630347.