Bug 1618839 - /usr/bin/qemu-ga tries to read /run/utmp (and fails to do so due to SELinux)
Summary: /usr/bin/qemu-ga tries to read /run/utmp (and fails to do so due to SELinux)
Keywords:
Status: CLOSED DUPLICATE of bug 1571202
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-17 18:28 UTC by Robert Scheck
Modified: 2021-12-10 17:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-17 15:00:02 UTC
Target Upstream Version:
Embargoed:



Description Robert Scheck 2018-08-17 18:28:24 UTC
Description of problem:
Aug 17 14:01:16 tux.example.net userhelper[15177]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:01:16 tux.example.net userhelper[15177]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
Aug 17 14:03:16 tux.example.net userhelper[15194]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:03:16 tux.example.net userhelper[15194]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
Aug 17 14:04:16 tux.example.net userhelper[15206]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:04:16 tux.example.net userhelper[15206]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'
Aug 17 14:05:17 tux.example.net userhelper[15217]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:05:17 tux.example.net userhelper[15217]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
Aug 17 14:06:39 tux.example.net userhelper[15230]: pam_succeed_if(ovirt-flush-caches:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:06:39 tux.example.net userhelper[15230]: running '/usr/share/ovirt-guest-agent/scripts/hooks/defaults/flush-caches' with root privileges on behalf of 'ovirtagent'
Aug 17 14:06:39 tux.example.net kernel: flush-caches (15230): drop_caches: 3
Aug 17 14:07:19 tux.example.net userhelper[15236]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:07:19 tux.example.net userhelper[15236]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
Aug 17 14:07:57 tux.example.net userhelper[15242]: pam_succeed_if(ovirt-container-list:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:07:57 tux.example.net userhelper[15242]: running '/usr/share/ovirt-guest-agent/container-list' with root privileges on behalf of 'ovirtagent'
Aug 17 14:07:57 tux.example.net userhelper[15243]: pam_succeed_if(diskmapper:auth): requirement "user = ovirtagent" was met by user "ovirtagent"
Aug 17 14:07:57 tux.example.net userhelper[15243]: running '/usr/share/ovirt-guest-agent/diskmapper.script' with root privileges on behalf of 'ovirtagent'

type=AVC msg=audit(1534507719.235:1827): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507719.235:1828): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507729.241:1829): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507729.241:1830): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507739.240:1831): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507739.241:1832): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507749.246:1833): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507749.246:1834): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507759.246:1835): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507759.246:1836): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507769.240:1841): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507769.240:1842): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507779.239:1843): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507779.239:1844): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507789.244:1845): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507789.244:1846): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507799.244:1847): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507799.244:1848): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507809.233:1849): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507809.233:1850): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507819.246:1851): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507819.246:1852): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507839.241:1853): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507839.241:1854): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507849.248:1855): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507849.248:1856): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507859.248:1857): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507859.248:1858): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507869.241:1859): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507869.241:1860): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507879.229:1861): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507879.229:1862): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507889.249:1865): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507889.249:1866): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507899.239:1867): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507899.239:1868): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Version-Release number of selected component (if applicable):
qemu-guest-agent-2.8.0-2.el7_5.1.x86_64
selinux-policy-3.13.1-192.el7_5.6.noarch

How reproducible:
Not sure.

Actual results:
/usr/bin/qemu-ga tries to read /run/utmp (and fails to do so due to SELinux).

Expected results:
/usr/bin/qemu-ga should either not try to read /run/utmp or SELinux should
not forbid it.

Additional info:
While I can see similarities with bug #1584318, it's not a duplicate.

Comment 2 Robert Scheck 2018-08-17 18:31:47 UTC
Cross-filed case 02164447 at the Red Hat customer portal.

Comment 3 Robert Scheck 2018-08-17 18:33:39 UTC
On another system where SELinux was not enforced it looks like this:

type=AVC msg=audit(1534508009.175:75922): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508009.175:75922): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508009.176:75923): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508019.173:75924): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508019.173:75924): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508019.174:75925): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508039.179:75988): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508039.179:75988): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508039.180:75989): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508049.173:75997): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508049.173:75997): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508049.173:75998): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508069.183:76011): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508069.183:76011): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508069.183:76012): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508079.177:76031): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508079.177:76031): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508079.177:76032): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
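
Triage of the AVC records above, as an added Python example (not from the bug, qemu or selinux-policy): it parses records in the shape quoted in the description and in this comment, collapses the repeats into one finding per source type, target type and object class, and unions the permissions, which is the step audit2allow performs before it prints a rule. The sample lines are constructed from the records above. Note the difference between the two captures: in enforcing mode open(2) is refused at the first failed check, so only `read` is ever logged and the object appears as `name="utmp"`; in permissive mode the call proceeds, so the later `open` and `lock` checks are logged too and the full `path=` is known. The permissive capture is therefore the one that states the complete permission set the policy would need.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the records quoted in the bug: two enforcing-mode
# records (only "read", name= only) and the three permissive-mode records for one open(2)
# (read, open, lock, with path=), plus one non-AVC record that must be ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1534507719.235:1827): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534507729.241:1829): avc:  denied  { read } for  pid=445 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13573 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508009.175:75922): avc:  denied  { read } for  pid=594 comm="qemu-ga" name="utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508009.175:75922): avc:  denied  { open } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1534508009.176:75923): avc:  denied  { lock } for  pid=594 comm="qemu-ga" path="/run/utmp" dev="tmpfs" ino=13468 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1534508009.175:75922): arch=c000003e syscall=2 success=yes exit=3 comm="qemu-ga"
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; returns None for any other record type."""
    m = AVC_RE.match(line.rstrip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    rec.update(ts=float(m.group("ts")), serial=int(m.group("serial")),
               result=m.group("result"), perms=set(m.group("perms").split()))
    return rec


def sel_type(context):
    """system_u:object_r:initrc_var_run_t:s0 -> initrc_var_run_t"""
    return context.split(":")[2]


def summarize_denials(text):
    """Collapse repeated denials into one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set(), "pids": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        # permissive-mode records carry the full path; enforcing-mode ones only the last component
        g["objects"].add(rec.get("path") or rec.get("name") or "?")
        g["pids"].add(rec.get("pid"))
    return dict(groups)


def allow_rule(key, perms):
    """Render the rule the denials would need, in the form audit2allow prints it."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    for key, g in summarize_denials(SAMPLE_AVC).items():
        print(f"{g['count']} denials: {key[0]} -> {key[1]} ({key[2]}), objects {sorted(g['objects'])}")
        print("  needs:", allow_rule(key, g["perms"]))
```

Whether the rendered rule should become a local policy module, as setroubleshoot's catchall plugin suggests in comment 5, is a separate decision: the same summary also tells you whether the access is one the agent should have at all, which is the question comment 7 answers.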

Comment 4 Robert Scheck 2018-08-17 18:38:55 UTC
Regarding "How reproducible": This likely happened on all guests during
upgrade from RHV 4.1 to RHV 4.2 on the RHV-H systems (interestingly, I do
not see any /usr/share/ovirt-guest-agent/* log stuff on other systems
around the same time, but before or after the AVC denied messages showed
up).

Comment 5 Michael 2018-08-20 06:00:34 UTC
Hi all:

The reproduction steps are as follows; the bug can be reproduced in RHEL 7.6 on a RHEL 7.6 host.

Step [1]: Boot the guest:
/usr/libexec/qemu-kvm -enable-kvm -M pc -cpu host -nodefaults -smp 4 -m 2G -name 001 \
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x7 -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtserialport,bus=virtio-serial0.0,chardev=qga0,name=org.qemu.guest_agent.0 \
-vga qxl -monitor stdio -boot menu=on -vnc :2 \
-netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=74:46:a0:8e:10:1a \
-drive file=/home/choma/rhel-7.6-915.qcow2,if=none,id=guest-img,format=qcow2,werror=stop,rerror=stop -device virtio-blk-pci,drive=guest-img,id=os-disk,bootindex=1

Make sure the qemu-guest-agent.service is at active running.


Step [2]: Open the socket on the host
(host)#nc -U /tmp/qga.sock 

{"execute":"guest-file-open","arguments":{"path":"/run/utmp","mode":"r"}}
{"error": {"class": "GenericError", "desc": "failed to open file '/run/utmp' (mode: 'r'): Permission denied"}}

The Bug is reproduced. 

Step [3]: Then reset SELinux in the guest:
(guest)#setenforce 0 
(guest)#getenforce 
Permissive

Step [4]: Reopen the socket and try to read the document:
{"execute":"guest-file-open","arguments":{"path":"/run/utmp","mode":"r"}}
{"return": 1000}

{"execute":"guest-file-read", "arguments":{"handle":1000,"count":1024}}
{"return": {"count": 1024, "buf-b64": "AgAAAAAAAAB+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH5+AAByZWJvb3QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMuMTAuMC04NjIuMTMuMS5lbDcueDg2XzY0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9NeltDkgUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAADUAAAB+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH5+AABydW5sZXZlbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADMuMTAuMC04NjIuMTMuMS5lbDcueDg2XzY0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADJNelvBzg0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAHsJAAA6MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAByb290AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADowAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", "eof": false}}


{"execute":"guest-file-close", "arguments":{"handle":1000}}
{"return": {}}


The issue is gone. 


The system log is as follows when the problem happens:

Aug 20 13:57:41 dhcp-8-181 qemu-ga: info: guest-file-open called, filepath: /run/utmp, mode: r
Aug 20 13:57:44 dhcp-8-181 dbus[691]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Aug 20 13:57:44 dhcp-8-181 dbus[691]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Aug 20 13:57:45 dhcp-8-181 setroubleshoot: SELinux is preventing qemu-ga from read access on the file utmp. For complete SELinux messages run: sealert -l f0ff3f34-d875-4238-96c3-2ff6c7f9898c
Aug 20 13:57:45 dhcp-8-181 python: SELinux is preventing qemu-ga from read access on the file utmp.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-ga should be allowed read access on the utmp file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga#012# semodule -i my-qemuga.pp#012


Thanks
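
The guest-agent exchange from the steps above, as an added Python example (not code from the bug or from qemu): it builds the `guest-file-open` / `guest-file-read` / `guest-file-close` requests exactly as typed into the nc session, distinguishes the `Permission denied` error reply from a successful one, and decodes `buf-b64` into utmp records using glibc's x86_64 `struct utmp` layout (384 bytes per record), which is the format behind the `reboot` / `runlevel` / `root` strings visible in the base64 above. The sample reply is constructed here from packed records; the record kinds mirror what the buffer above decodes to, the pids and times are made up.

```python
import base64
import json
import struct
from datetime import datetime, timezone

# glibc's struct utmp on x86_64 (bits/utmp.h), 384 bytes per record, little-endian:
# ut_type(2) pad(2) ut_pid(4) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# ut_exit{e_termination,e_exit}(2+2) ut_session(4) ut_tv{sec,usec}(4+4) ut_addr_v6[4](16) reserved(20)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(field):
    """NUL-padded fixed-width char array -> str."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(buf):
    """Parse every complete record in buf; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(buf) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         sec, usec, *_addr_and_reserved) = struct.unpack_from(UTMP_FMT, buf, off)
        when = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=usec)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
            "line": _cstr(line), "id": _cstr(ut_id), "user": _cstr(user), "host": _cstr(host),
            "time": when.isoformat(),
        })
    return records


def qga_command(execute, **arguments):
    """Serialise one request exactly as typed into the nc session above."""
    msg = {"execute": execute}
    if arguments:
        msg["arguments"] = arguments
    return json.dumps(msg, separators=(",", ":"))


def qga_reply_error(reply_text):
    """The error description from a QGA reply, or None when the call succeeded."""
    reply = json.loads(reply_text)
    return reply["error"]["desc"] if "error" in reply else None


def decode_guest_file_read(reply_text):
    """Turn a successful guest-file-read reply into parsed utmp records."""
    reply = json.loads(reply_text)
    if "error" in reply:
        raise RuntimeError(reply["error"]["desc"])
    ret = reply["return"]
    buf = base64.b64decode(ret["buf-b64"])
    if len(buf) != ret["count"]:
        raise ValueError(f"count={ret['count']} but buffer holds {len(buf)} bytes")
    return parse_utmp(buf)


def make_utmp_record(ut_type, pid, line, ut_id, user, host, sec, usec=0):
    """Build one record in the same layout (used only to construct the sample below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                       host.encode(), 0, 0, 0, sec, usec, 0, 0, 0, 0, b"")


# Constructed sample reply: a reboot record, a runlevel record (ut_pid holds the runlevel
# character) and one root session, in the shape of the guest-file-read reply above.
SAMPLE_BUF = (make_utmp_record(2, 0, "~", "~~", "reboot", "3.10.0-862.13.1.el7.x86_64", 1534741807, 365123)
              + make_utmp_record(1, ord("5"), "~", "~~", "runlevel", "3.10.0-862.13.1.el7.x86_64", 1534741810)
              + make_utmp_record(7, 2427, ":0", ":0", "root", "", 1534741900))
SAMPLE_REPLY = json.dumps({"return": {"count": len(SAMPLE_BUF),
                                      "buf-b64": base64.b64encode(SAMPLE_BUF).decode(), "eof": True}})
SAMPLE_ERROR = ('{"error": {"class": "GenericError", "desc": "failed to open file '
                "'/run/utmp' (mode: 'r'): Permission denied\"}}")

if __name__ == "__main__":
    print(qga_command("guest-file-open", path="/run/utmp", mode="r"))
    print("denied:", qga_reply_error(SAMPLE_ERROR))
    for rec in decode_guest_file_read(SAMPLE_REPLY):
        print(rec)
```

The layout constants are the x86_64 glibc ones; a 32-bit guest or a non-glibc libc uses different field sizes, so check `UTMP_SIZE` against the record stride before trusting the decode. The error path matters for triage: the reply carries only `Permission denied`, and it is the guest's audit log, not the agent, that says whether DAC or SELinux refused the open.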

Comment 6 Michael 2018-08-20 06:53:27 UTC
(In reply to Michael from comment #5)

The Version-Release numbers are as follows:
[1] qemu-guest-agent-2.12.0-2.el7.x86_64
[2] selinux-policy-3.13.1-202.el7.noarch

Comment 7 Marc-Andre Lureau 2018-08-21 18:24:16 UTC
qmp_guest_get_users() calls getutxent()

stracing getutxent() shows that it needs to be able to read: /var/run/utmpx and/or /var/run/utmp etc. 

SELinux maintainers may be familiar with that libc call, reassigning

Comment 8 Robert Scheck 2018-09-17 11:51:56 UTC
When is this going to be addressed? This affects RHEL 7.5 guests on RHV 4.2.

Comment 9 Milos Malik 2018-09-17 12:00:04 UTC
# matchpathcon /var/run/utmp 
/var/run/utmp	system_u:object_r:initrc_var_run_t:s0
# sesearch -s virt_qemu_ga_t -t initrc_var_run_t -c file -p read -A -C
Found 1 semantic av rules:
   allow virt_qemu_ga_t initrc_var_run_t : file { ioctl read getattr lock open } ; 

# rpm -qa selinux\* | sort
selinux-policy-3.13.1-226.el7.noarch
selinux-policy-devel-3.13.1-226.el7.noarch
selinux-policy-doc-3.13.1-226.el7.noarch
selinux-policy-minimum-3.13.1-226.el7.noarch
selinux-policy-mls-3.13.1-226.el7.noarch
selinux-policy-sandbox-3.13.1-226.el7.noarch
selinux-policy-targeted-3.13.1-226.el7.noarch
# 

Will be fixed as soon as RHEL-7.6 GA.
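
The check performed in this comment, as an added Python example (not tooling from the bug or from selinux-policy): read the type that matchpathcon assigns to /var/run/utmp, parse the allow rules sesearch prints, and report which of the permissions the permissive-mode denials in comment 3 showed (read, open, lock) are still not granted to virt_qemu_ga_t. The matchpathcon and sesearch strings copy the output above; `SESEARCH_OLD`, standing for the policy on the reporter's host where no rule exists, is constructed.

```python
import re

# Tool output copied from the comment above (the label of the path, and the rule a fixed
# policy prints) plus one constructed "no rule" output for an older policy.
MATCHPATHCON_OUT = "/var/run/utmp\tsystem_u:object_r:initrc_var_run_t:s0\n"
SESEARCH_FIXED = """\
Found 1 semantic av rules:
   allow virt_qemu_ga_t initrc_var_run_t : file { ioctl read getattr lock open } ; 
"""
SESEARCH_OLD = "Found 0 semantic av rules:\n"

# The permissions the permissive-mode AVCs in comment 3 showed qemu-ga needs on the file.
NEEDED = {"read", "open", "lock"}

# Matches both the setools3 form "allow s t : c { p } ;" and the setools4 form "allow s t:c { p };"
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\w+))\s*;"
)


def label_type(matchpathcon_out, path):
    """Return the SELinux type matchpathcon reports for path, or None if absent."""
    for line in matchpathcon_out.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == path:
            return parts[1].split(":")[2]
    return None


def parse_allow_rules(sesearch_out):
    """Collect granted permissions per (source, target, class) from sesearch -A output."""
    rules = {}
    for line in sesearch_out.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = set(m.group("perms").split()) if m.group("perms") is not None else {m.group("perm")}
        rules.setdefault((m.group("src"), m.group("tgt"), m.group("cls")), set()).update(perms)
    return rules


def missing_permissions(sesearch_out, src, tgt, cls, needed):
    """Permissions in `needed` that no printed allow rule grants src on tgt:cls."""
    return set(needed) - parse_allow_rules(sesearch_out).get((src, tgt, cls), set())


def check_path_access(matchpathcon_out, sesearch_out, src, path, needed):
    """(target type of path, permissions still missing) for the given source type."""
    tgt = label_type(matchpathcon_out, path)
    if tgt is None:
        raise ValueError(f"no label found for {path}")
    return tgt, missing_permissions(sesearch_out, src, tgt, "file", needed)


if __name__ == "__main__":
    for name, out in (("old policy", SESEARCH_OLD), ("policy -226", SESEARCH_FIXED)):
        tgt, missing = check_path_access(MATCHPATHCON_OUT, out, "virt_qemu_ga_t", "/var/run/utmp", NEEDED)
        print(f"{name}: virt_qemu_ga_t on {tgt}: missing {sorted(missing) or 'nothing'}")
```

Two caveats for real use: matchpathcon reports the label the file contexts say the path should have, not the label it has, so compare with `ls -Z` when a mislabel is possible; and sesearch prints a rule granted through an attribute under the attribute's name rather than the type's, so a permission this check reports as missing may still be granted that way and the raw output needs reading.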

Comment 10 Milos Malik 2018-09-17 12:48:20 UTC
I believe this bug is a duplicate of BZ#1571202.

Comment 11 Lukas Vrabec 2018-09-17 15:00:02 UTC

*** This bug has been marked as a duplicate of bug 1571202 ***

Comment 12 Michael Watters 2019-02-14 19:36:20 UTC
This is still an issue in RHEL 7.6.  Our audit logs are full of entries similar to below.  All packages, including selinux-policy, have been updated.

type=PROCTITLE msg=audit(1550172885.138:415972): proctitle=2F7573722F62696E2F71656D752D6761002D2D6D6574686F643D76697274696F2D73657269616C002D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30002D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63
type=AVC msg=audit(1550172885.138:415973): avc:  denied  { read } for  pid=28138 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
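
Decoding the PROCTITLE record above, as an added Python example (not from the bug or from audit): the kernel writes proctitle as hex once argv contains NUL separators and stores at most 128 bytes of it, which is why the last argument here ends mid-word. Recovering the command line is worth doing before triaging an agent denial, because it shows which RPCs the agent was started with `--blacklist` for, i.e. whether a denial can come from a request the host side issued or only from the agent's own periodic work. The input is the record quoted in this comment; the 128-byte cap is the audit subsystem's proctitle limit.

```python
import re

# audit writes proctitle as hex when the title holds bytes outside printable ASCII (argv
# elements are NUL-separated) and otherwise quotes it; the kernel keeps at most 128 bytes.
PROCTITLE_MAX_LEN = 128

PROCTITLE_RE = re.compile(
    r"^type=PROCTITLE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): proctitle=(?P<value>\S+)"
)

# The PROCTITLE record quoted in comment 12, split here at the NUL separators for readability.
SAMPLE_PROCTITLE = (
    "type=PROCTITLE msg=audit(1550172885.138:415972): proctitle="
    "2F7573722F62696E2F71656D752D6761" "00"
    "2D2D6D6574686F643D76697274696F2D73657269616C" "00"
    "2D2D706174683D2F6465762F76697274696F2D706F7274732F6F72672E71656D752E67756573745F6167656E742E30" "00"
    "2D2D626C61636B6C6973743D67756573742D66696C652D6F70656E2C67756573742D66696C652D63"
)


def decode_proctitle(value):
    """Return (argv, may_be_truncated) for a proctitle field value."""
    if value.startswith('"'):                     # printable title without NUL/quote: logged as-is
        return [value.strip('"')], False
    raw = bytes.fromhex(value)
    argv = [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]
    # a record that reaches the cap may have lost the tail of its last argument
    return argv, len(raw) >= PROCTITLE_MAX_LEN


def parse_proctitle_record(line):
    """Parse one PROCTITLE record; returns None for any other record type."""
    m = PROCTITLE_RE.match(line.rstrip())
    if not m:
        return None
    argv, maybe_truncated = decode_proctitle(m.group("value"))
    return {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
            "argv": argv, "maybe_truncated": maybe_truncated}


def disabled_rpcs(argv):
    """qemu-ga RPC names given with -b/--blacklist; the last may be cut off in a truncated record."""
    for i, arg in enumerate(argv):
        if arg.startswith("--blacklist="):
            return arg.split("=", 1)[1].split(",")
        if arg in ("-b", "--blacklist") and i + 1 < len(argv):
            return argv[i + 1].split(",")
    return []


if __name__ == "__main__":
    rec = parse_proctitle_record(SAMPLE_PROCTITLE)
    print(rec["argv"])
    print("disabled RPCs:", disabled_rpcs(rec["argv"]), "(truncated)" if rec["maybe_truncated"] else "")
```

For the record above the decode yields `/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist=guest-file-open,guest-file-c`: guest-file-open, the RPC used in comment 5 to reproduce the utmp denial, was disabled on this host, and the full list is cut at the 128-byte limit, so `/proc/<pid>/cmdline` or the unit's configuration is needed to see the rest.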

Comment 13 Milos Malik 2019-02-14 20:01:50 UTC
The SELinux denial mentioned in comment#12 is addressed in BZ#1630347 and the fix will be part of RHEL-7.7.

