Hide Forgot
Starting with the release of selinux-policy-3.13.1-229 about a week ago, all of our EL7 VMs have been flooding our logs with SELinux denials related to the QEMU Guest Agent accessing "dev": SELinux is preventing qemu-ga from read access on the file dev. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that qemu-ga should be allowed read access on the dev file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga # semodule -i my-qemuga.pp Additional Information: Source Context system_u:system_r:virt_qemu_ga_t:s0 Target Context system_u:object_r:proc_net_t:s0 Target Objects dev [ file ] Source qemu-ga Source Path qemu-ga Port <Unknown> Host [redacted] Source RPM Packages qemu-guest-agent-2.12.0-2.el7.x86_64 Target RPM Packages filesystem-3.2-25.el7.x86_64 Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name [redacted] Platform Linux [redacted] 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 Alert Count 7088 First Seen 2018-12-05 14:07:57 EST Last Seen 2018-12-11 07:59:58 EST Local ID 813a2bf4-7850-43b5-af02-399b055f7550 Raw Audit Messages type=AVC msg=audit(1544533198.575:1433387): avc: denied { read } for pid=28018 comm="qemu-ga" name="dev" dev="proc" ino=4026531976 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file type=SYSCALL msg=audit(1544533198.575:1433387): arch=x86_64 syscall=open success=no exit=EACCES a0=55785c614dca a1=0 a2=1b6 a3=24 items=0 ppid=1 pid=28018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) Hash: qemu-ga,virt_qemu_ga_t,proc_net_t,file,read These denials come in a few different closely-related variants. Some (as above) use the form "preventing qemu-ga from", whereas others use the form "preventing /usr/bin/qemu-ga from". Some denials (as above) are for "read access on the file dev.", whereas others are for "getattr access on the file /proc/<pid>/net/dev.", and yet others are for "open access on the file /proc/<pid>/net/dev.". These later two varients suggest that this is likely the absolute path of the file "dev" mentioned in the initial variant. At a quick glance, the QEMU Guest Agent seems to be working fine despite these denials. It's unclear what functionality might be impacted by these denials, and thus it's hard to judge the severity of this bug. See also Bug 1592145 which may be the same issue already fixed in Fedora.
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.