Bug 1658239 - SELinux is preventing qemu-ga from read access on the file dev.
Summary: SELinux is preventing qemu-ga from read access on the file dev.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-11 15:16 UTC by Paul Stauffer
Modified: 2019-03-14 12:34 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-14 12:34:33 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1592145 None CLOSED SELinux is preventing qemu-ga from 'read' accesses on the file dev. 2019-10-23 05:22:48 UTC

Description Paul Stauffer 2018-12-11 15:16:07 UTC
Starting with the release of selinux-policy-3.13.1-229 about a week ago, all of our EL7 VMs have been flooding our logs with SELinux denials related to the QEMU Guest Agent accessing "dev":


SELinux is preventing qemu-ga from read access on the file dev.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-ga should be allowed read access on the dev file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -i my-qemuga.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                dev [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          [redacted]
Source RPM Packages           qemu-guest-agent-2.12.0-2.el7.x86_64
Target RPM Packages           filesystem-3.2-25.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [redacted]
Platform                      Linux [redacted] 3.10.0-862.14.4.el7.x86_64
                              #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64
Alert Count                   7088
First Seen                    2018-12-05 14:07:57 EST
Last Seen                     2018-12-11 07:59:58 EST
Local ID                      813a2bf4-7850-43b5-af02-399b055f7550

Raw Audit Messages
type=AVC msg=audit(1544533198.575:1433387): avc:  denied  { read } for  pid=28018 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


type=SYSCALL msg=audit(1544533198.575:1433387): arch=x86_64 syscall=open success=no exit=EACCES a0=55785c614dca a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=28018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: qemu-ga,virt_qemu_ga_t,proc_net_t,file,read


These denials come in a few different closely-related variants.  Some (as above) use the form "preventing qemu-ga from", whereas others use the form "preventing /usr/bin/qemu-ga from".  Some denials (as above) are for "read access on the file dev.", whereas others are for "getattr access on the file /proc/<pid>/net/dev.", and yet others are for "open access on the file /proc/<pid>/net/dev.".  These later two varients suggest that this is likely the absolute path of the file "dev" mentioned in the initial variant.

At a quick glance, the QEMU Guest Agent seems to be working fine despite these denials.  It's unclear what functionality might be impacted by these denials, and thus it's hard to judge the severity of this bug.

See also Bug 1592145 which may be the same issue already fixed in Fedora.

Comment 2 Zdenek Pytela 2019-03-14 12:34:33 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.


Note You need to log in before you can comment on or make changes to this bug.