1747960 – selinux policy prevent guest-fstrim command executing

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1747960 - selinux policy prevent guest-fstrim command executing

Summary: selinux policy prevent guest-fstrim command executing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.1
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.3
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (3):	1690291 1738845 1823636 (view as bug list)
Depends On:
Blocks:	2070424
TreeView+	depends on / blocked

Reported:	2019-09-02 11:08 UTC by FuXiangChun
Modified:	2022-03-31 07:36 UTC (History)
CC List:	18 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Clones:	2070424 (view as bug list)
Environment:
Last Closed:	2020-11-04 01:55:53 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:4528	0	None	None	None	2020-11-04 01:56:19 UTC

Description FuXiangChun 2019-09-02 11:08:19 UTC

Description of problem:
Enabled selinux inside guest. Fail to execute guest-fstrim qemu-guest-agent command. 

Version-Release number of selected component (if applicable):
qemu-guest-agent-4.1.0-5.module+el8.1.0+4076+b5e41ebc.x86_64
selinux-policy-3.14.3-18.el8.noarch
selinux-policy-targeted-3.14.3-18.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. In host
#modprobe scsi_debug lbpu=1 lbpws=1  

2. In host
#lsscsi in host
[3:0:0:0]    disk    Linux    scsi_debug       0188  /dev/sdj

3. In host
#sg_vpd -p0xb2 /dev/sdj

4. Boot guest

-device virtio-scsi-pci,id=scsi1 -drive file=/dev/sdj,if=none,id=drive-data-disk,format=raw,cache=none,aio=native,werror=stop,rerror=stop,discard=on -device scsi-block,drive=drive-data-disk,bus=scsi1.0,id=data-disk 

5. Inside Rhel8.1 guest:
mount and write a file to the disk and then delete it:
# mount /dev/sdb /home/test1
# df -h
# dd if=/dev/zero of=/home/test1/file bs=1M count=4  
# rm -rf /home/test1/file

6.send agent command
{"execute":"guest-fstrim"}

Actual results:
{"return": {"paths": [{"path": "/home/test1", "error": "failed to open: Permission denied"}, {"minimum": 0, "path": "/boot", "trimmed": 816095232}, {"minimum": 0, "path": "/", "trimmed": 13208768512}]}}


If disable selinux inside guest. It works.
{"execute":"guest-fstrim"}
{"return": {"paths": [{"minimum": 512, "path": "/home/test1", "trimmed": 0}, {"minimum": 0, "path": "/boot", "trimmed": 816095232}, {"minimum": 0, "path": "/", "trimmed": 13207470080}]}


Expected results:
works

Additional info:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=PROCTITLE msg=audit(09/02/2019 15:00:12.919:133) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 15:00:12.919:133) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x562ee988c4e0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_APPEND|O_NONBLOCK a3=0x0 items=0 ppid=1 pid=3907 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 15:00:12.919:133) : avc:  denied  { dac_override } for  pid=3907 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(09/02/2019 18:00:22.567:110) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 18:00:22.567:110) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x557758cf2b00 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 18:00:22.567:110) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/02/2019 18:03:16.810:112) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 18:03:16.810:112) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x557758cf2660 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 18:03:16.810:112) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 
----
type=USER_AVC msg=audit(09/02/2019 18:03:42.174:114) : pid=1981 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/02/2019 18:03:42.178:115) : pid=3319 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/02/2019 18:03:42.178:116) : pid=2553 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/bin/dbus-daemon sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(09/02/2019 18:03:49.722:117) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 18:03:49.722:117) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x557758cf3e20 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 18:03:49.722:117) : avc:  denied  { open } for  pid=1978 comm=qemu-ga path=/home/test1 dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(09/02/2019 18:03:49.722:117) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(09/02/2019 18:03:49.722:118) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 18:03:49.722:118) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x6 a1=0xc0185879 a2=0x7fffd701e770 a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 18:03:49.722:118) : avc:  denied  { ioctl } for  pid=1978 comm=qemu-ga path=/home/test1 dev="sdb" ino=2 ioctlcmd=0x5879 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=USER_AVC msg=audit(09/02/2019 18:46:32.113:132) : pid=1981 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/02/2019 18:46:32.115:133) : pid=2553 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-daemon sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/02/2019 18:46:32.116:134) : pid=3319 uid=root auid=root ses=2 subj=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/bin/dbus-daemon sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(09/02/2019 18:46:39.675:135) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 18:46:39.675:135) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x557758cf54d0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 18:46:39.675:135) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/02/2019 19:06:22.870:140) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo 
type=SYSCALL msg=audit(09/02/2019 19:06:22.870:140) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x557758cf6c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
type=AVC msg=audit(09/02/2019 19:06:22.870:140) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Comment 1 Milos Malik 2019-09-03 07:23:53 UTC

Do both machines (host and guest) have SELinux enabled?

Comment 2 Lukas Vrabec 2019-09-03 16:15:36 UTC

This is same issue like rhbz#1748079.

Comment 3 Lukas Vrabec 2019-09-03 19:02:05 UTC

*** Bug 1690291 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2019-09-03 19:07:22 UTC

*** Bug 1738845 has been marked as a duplicate of this bug. ***

Comment 5 FuXiangChun 2019-09-04 01:43:18 UTC

(In reply to Milos Malik from comment #1)
> Do both machines (host and guest) have SELinux enabled?

No, It only enabled SELinux inside guest.

Comment 6 Michal Privoznik 2019-09-25 13:30:30 UTC

(In reply to Lukas Vrabec from comment #2)
> This is same issue like rhbz#1748079.

It actually doesn't. The difference is that in the bug you're referencing libvirt prevented itself from setting a different SELinux label on a disk image that's already in use. In this bug qemu guest agent is unable to perform fstrim. This needs to be fixed in selinux policy.

Comment 7 Zdenek Pytela 2019-12-12 17:33:46 UTC

Hey folks,

The root directory on the sdb2 device has no label:

type=AVC msg=audit(09/02/2019 19:06:22.870:140) : avc:  denied  { read } for  pid=1978 comm=qemu-ga name=/ dev="sdb" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

It may be similar for other files on the filesystem, but we do not have enough data to assert that. Anyway, this issue needs to be fixed on the device used.

Additionally, DAC permissions may also need to be adjusted so that root does not require CAP_DAC_OVERRIDE, but this is not completely clear as in the audit logs we can see a set of 2 possibly independent actions.

Switching the component to qemu-kvm as it seems to be the closest one in the dropdown to choose.
Should there be any question on interpreting the AVC denials, feel free to ask.

Comment 8 Ademar Reis 2020-02-05 23:04:39 UTC

QEMU has been recently split into sub-components and as a one-time operation to avoid breakage of tools, we are setting the QEMU sub-component of this BZ to "General". Please review and change the sub-component if necessary the next time you review this BZ. Thanks

Comment 9 xiagao 2020-02-24 09:09:27 UTC

Hit a similar issue.

1. boot up guest with two disks and check selinux policy.
# getenforce
Enforcing

2. format the data disk and mount
# mkfs.ext4 /dev/sda1
# mount /dev/sda1 /media

3. issue fsfreeze cmd
{ "execute": "guest-fsfreeze-freeze"}
{"error": {"class": "GenericError", "desc": "failed to open /media: Permission denied"}}

4.# setenforce 0
[root@vm-74-77 home]# getenforce
Permissive

5. issue fsfreeze cmd
{ "execute": "guest-fsfreeze-freeze"}
{"return": 3}

pkg:
[root@vm-74-77 home]# rpm -qa |grep agent
qemu-guest-agent-2.12.0-98.module+el8.2.0+5698+10a84757.x86_64

Comment 10 Milos Malik 2020-02-24 10:38:45 UTC

Are there any SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Is the /dev/sda1 device labeled correctly?

# restorecon -Rvn /media

Comment 12 Jiri Denemark 2020-02-24 22:07:20 UTC

This is all happening in a *guest*, where qemu-ga is running and trying to do
its job, which selinux forbids in enforcing mode. This has nothing to do with
labeling of host resources done by libvirt.

Thus the solution needs to be negotiated between qemu-ga and selinux-policy.
IMHO requiring any specific labels on any file system for qemu-ga to be able
to perform fsfreeze would be strange. I can imagine a selinux bool which would
enable qemu-ga (virt_qemu_ga_t) do fo fsfreeze on any mount point so that the
guest admin can decide whether they want fsfreeze to work or not. But I guess
who know how fsfreeze is implemented in qemu-ga could talk to selinux guys and
come up with other options and choose the right one.

BTW, shouldn't there be a subcomponent for guest side stuff (qemu-ga)?

Comment 15 xiagao 2020-02-26 00:38:10 UTC

(In reply to Milos Malik from comment #10)
> Are there any SELinux denials?
> 
> # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

yes.

----
type=USER_AVC msg=audit(02/26/2020 03:31:40.968:33) : pid=941 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.14 spid=1018 tpid=1023 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(02/26/2020 03:31:50.684:72) : pid=941 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.14 spid=1018 tpid=1023 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(02/26/2020 08:32:09.652:93) : pid=941 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.14 spid=1018 tpid=1023 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(02/26/2020 08:32:39.586:116) : pid=941 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.14 spid=1018 tpid=1023 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:system_r:realmd_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=AVC msg=audit(02/26/2020 08:34:46.101:119) : avc:  denied  { read } for  pid=938 comm=qemu-ga name=/ dev="sda1" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 
----
type=AVC msg=audit(02/26/2020 08:34:46.101:120) : avc:  denied  { read } for  pid=938 comm=qemu-ga name=/ dev="sda1" ino=2 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 


> 
> Is the /dev/sda1 device labeled correctly?
> 
> # restorecon -Rvn /media

# restorecon -Rvn /media
Would relabel /media from system_u:object_r:unlabeled_t:s0 to system_u:object_r:mnt_t:s0
Would relabel /media/lost+found from system_u:object_r:unlabeled_t:s0 to system_u:object_r:mnt_t:s0

Comment 16 Marc-Andre Lureau 2020-02-27 13:51:36 UTC

Why does /media lose mnt_t after mount ?

Can you make qemu-ga permission for fstrim more permissive, so it can trim all mount points?

In any case, I don't see what solution qemu-ga could have here.

thanks

Comment 17 qing.wang 2020-04-14 07:02:50 UTC

*** Bug 1823636 has been marked as a duplicate of this bug. ***

Comment 18 John Ferlan 2020-07-06 18:11:40 UTC

Zdenek Pytela - a needinfo on Milos Malik has gone unanswered since Feb - perhaps you can help move this along?

Comment 19 Zdenek Pytela 2020-07-07 13:16:54 UTC

John,

Without further context this answer may not be complete. I suppose /media is an empty directory first: it gets mnt_t type which ic correct. If you mount a filesystem to /media, all files and directories from the filesystem appear on this mountpoint, including their SELinux context. If the filesystem does not contain SELinux context or does not support extended attributes at all, unlabeled_t as the type appears.

Comment 20 Marc-Andre Lureau 2020-07-24 09:35:42 UTC

(In reply to Zdenek Pytela from comment #19)
> John,
> 
> Without further context this answer may not be complete. I suppose /media is
> an empty directory first: it gets mnt_t type which ic correct. If you mount
> a filesystem to /media, all files and directories from the filesystem appear
> on this mountpoint, including their SELinux context. If the filesystem does
> not contain SELinux context or does not support extended attributes at all,
> unlabeled_t as the type appears.

What can qemu-ga do? restorecon before freeze? That sounds wrong.

Can SELinux rules be more permissive for qemu-ga to freeze any FS?

Comment 21 Zdenek Pytela 2020-07-24 20:09:39 UTC

Marc-Andre,

There are permissions we can allow in the policy if it it required.

However, can you help me with understanding what is going on?
What is the "freeze" used for?
Why the mounted filesystems were not created with selinux enabled?
Is there an actual use case available?

Comment 22 Marc-Andre Lureau 2020-07-26 12:52:40 UTC

(In reply to Zdenek Pytela from comment #21)
> However, can you help me with understanding what is going on?
> What is the "freeze" used for?

Afaik, the qemu guest agent can help migration load/time (or snapshot, or other cases) by triming and freezing all filesystems:

https://git.qemu.org/?p=qemu.git;a=blob;f=qga/qapi-schema.json;h=4be9aad48e26931022663801e0123f479792e899;hb=HEAD#l511
https://git.qemu.org/?p=qemu.git;a=blob;f=qga/qapi-schema.json;h=4be9aad48e26931022663801e0123f479792e899;hb=HEAD#l450

> Why the mounted filesystems were not created with selinux enabled?

That's out of qemu-ga control.

Comment 23 Zdenek Pytela 2020-07-27 14:11:47 UTC

Thank you for the answers. I think we can switch the component to selinux-policy and resolve it 
- either for this particular request, i. e. for images with no selinux extended attributes
- or for all types of files/dirs allowing quite a generic access: in this case it would grant too many permissions to the virt_qemu_ga_t domain (qemu-ga is the command) and possibly pose a security risk. Would be okay then to only allow the access when a boolean (e. g. virt_qemu_ga_read_all_files) is turned on? With the boolean in place, virt_qemu_ga_t would not have this access until enabled by an administrator or a script.
Additionally, is read access sufficient to finish the operation?
Is there a test for this feature available? With selinux permissive, it would be good to gather all possible subsequent denials.


Also note the USER_AVCs from c#15 are allowed in the current selinux-policy package version/

Comment 24 Marc-Andre Lureau 2020-07-28 08:20:28 UTC

(In reply to Zdenek Pytela from comment #23)
> Thank you for the answers. I think we can switch the component to
> selinux-policy and resolve it 
> - either for this particular request, i. e. for images with no selinux
> extended attributes
> - or for all types of files/dirs allowing quite a generic access: in this
> case it would grant too many permissions to the virt_qemu_ga_t domain
> (qemu-ga is the command) and possibly pose a security risk. Would be okay
> then to only allow the access when a boolean (e. g.
> virt_qemu_ga_read_all_files) is turned on? With the boolean in place,
> virt_qemu_ga_t would not have this access until enabled by an administrator
> or a script.

The second option seems good to me. Do we already have other selinux bool for qemu-ga ?

> Additionally, is read access sufficient to finish the operation?

Probably not, since it can do ioctl(fd, FITRIM) & ioctl(fd, FIFREEZE/FITHAW) on them

> Is there a test for this feature available? With selinux permissive, it
> would be good to gather all possible subsequent denials.

Unfortunately, most qemu-ga tests are manual, here following the steps in the comments. QA might have some extra test/avocado scripts.

> 
> Also note the USER_AVCs from c#15 are allowed in the current selinux-policy
> package version/

ok, thanks

Comment 25 Zdenek Pytela 2020-07-28 09:55:54 UTC

(In reply to Marc-Andre Lureau from comment #24)
> (In reply to Zdenek Pytela from comment #23)
> > Thank you for the answers. I think we can switch the component to
> > selinux-policy and resolve it 
> > - either for this particular request, i. e. for images with no selinux
> > extended attributes
> > - or for all types of files/dirs allowing quite a generic access: in this
> > case it would grant too many permissions to the virt_qemu_ga_t domain
> > (qemu-ga is the command) and possibly pose a security risk. Would be okay
> > then to only allow the access when a boolean (e. g.
> > virt_qemu_ga_read_all_files) is turned on? With the boolean in place,
> > virt_qemu_ga_t would not have this access until enabled by an administrator
> > or a script.
> 
> The second option seems good to me. Do we already have other selinux bool
> for qemu-ga ?

  # semanage boolean -l|grep qemu_ga
virt_read_qemu_ga_data         (off  ,  off)  Allow qemu-ga to read qemu-ga date.
virt_rw_qemu_ga_data           (off  ,  off)  Allow qemu-ga to manage qemu-ga date.

This is, however, the other way round, allowing other domain deal with files labeled virt_qemu_ga_data_t.

> 
> > Additionally, is read access sufficient to finish the operation?
> 
> Probably not, since it can do ioctl(fd, FITRIM) & ioctl(fd, FIFREEZE/FITHAW)
> on them
> 
We usually allow the following set:

getattr read ioctl lock

and optionally open (supposedly required in this case) and map (supposedly not); particularly, as I understand, no write permission is necessary. The target set is files, directories, symlinks. Can we expect there are also device files, named pipes, socket files etc. in the image?

> > Is there a test for this feature available? With selinux permissive, it
> > would be good to gather all possible subsequent denials.
> 
> Unfortunately, most qemu-ga tests are manual, here following the steps in
> the comments. QA might have some extra test/avocado scripts.
That's really unfortunate, there is a risk the fix in selinux-policy may not be complete, and we will hardly be able to perform correct functional testing.

Dehan Meng: Will you be able to help with testing?


Switching the component given the latest development.

Comment 26 Zdenek Pytela 2020-07-30 15:34:53 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/317

Please review to assure no important piece is missing.
The proposed boolean name is virt_qemu_ga_read_nonsecurity_files.

This is the list of permissions to be added:
allow virt_qemu_ga_t non_security_file_type:dir { getattr search open read lock ioctl };
allow virt_qemu_ga_t non_security_file_type:file { open { getattr read ioctl lock } };
allow virt_qemu_ga_t non_security_file_type:lnk_file { getattr read };

Comment 31 dehanmeng 2020-08-17 07:44:08 UTC

Still Hit this issue again

Version-Release：
1.selinux-policy-3.14.3-51.el8.noarch
2. Four qga version :
  1) qemu-guest-agent-5.1.0-2.module+el8.3.0+7652+b30e6901.x86_64 / 
  2) qemu-guest-agent-5.1.0-0.scrmod+el8.3.0+7646+9f889f10.wrb200812.x86_64 / 
  3) qemu-guest-agent-4.2.0-31.module+el8.3.0+7437+4bb96e0d / 
  4) qemu-guest-agent-4.2.0-32.module+el8.3.0+7629+c86ce105.x86_64
above four version of qga in guest that I run  were hit this issue again 

describe steps:
1. boot up guest with two disk successfully and check selinux policy.
#getenforce
Enforcing

2.format the data disk and mount
# mkfs.ext4 /dev/sdb
# mount /dev/sda1 /mnt/sdb
3. issue ping,status,fsfreeze cmd
{"execute":"guest-ping"}	
{"return": {}}
{"execute":"guest-fsfreeze-status"}
{"return": "thawed"}
{ "execute": "guest-fsfreeze-freeze"}
{"error": {"class": "GenericError", "desc": "failed to open /mnt/sdb: Permission denied"}}

expected result:
{ "execute": "guest-fsfreeze-freeze"}
{"return": 3}

4.issue command `setenforce 0`
# getenforce
Permissive

5. issue fsfreeze cmd
{ "execute": "guest-fsfreeze-freeze"}
{"return": 3}

Comment 32 Zdenek Pytela 2020-08-17 08:21:14 UTC

Dehan,

Just ensuring: has the virt_qemu_ga_read_nonsecurity_files boolean been turned on before testing?

If yes, please include AVC denials from the step 2.

Comment 33 dehanmeng 2020-08-17 12:30:01 UTC

(In reply to Zdenek Pytela from comment #32)
> Dehan,
> 
> Just ensuring: has the virt_qemu_ga_read_nonsecurity_files boolean been
> turned on before testing?
> 
> If yes, please include AVC denials from the step 2.

Zdenek 

I've checked virt_qemu_ga_read_nonsecurity_files boolean was off .
and then I tried to setsebool boolean virt_qemu_ga_read_nonsecurity_files to on,permission accessed. 
So I need to set selinux boolean value before testing every single time?

thanks,Zdenek

Comment 34 Zdenek Pytela 2020-08-17 12:47:24 UTC

Dehan,

The boolean is turned off by default, see the previous discussion for the context. Turning it on using semanage boolean or setsebool -P commands, the change is permanent; otherwise is valid until reboot.

This is the default state:

  # semanage boolean -l | grep virt_qemu_ga_read_nonsecurity_files
virt_qemu_ga_read_nonsecurity_files (off  ,  off)  Allow qemu-ga read all non-security file types.

Comment 35 dehanmeng 2020-08-20 07:33:01 UTC

(In reply to Zdenek Pytela from comment #34)
> Dehan,
> 
> The boolean is turned off by default, see the previous discussion for the
> context. Turning it on using semanage boolean or setsebool -P commands, the
> change is permanent; otherwise is valid until reboot.
> 
> This is the default state:
> 
>   # semanage boolean -l | grep virt_qemu_ga_read_nonsecurity_files
> virt_qemu_ga_read_nonsecurity_files (off  ,  off)  Allow qemu-ga read all
> non-security file types.

thanks for you explanation ,I've done with your suggestions and know how to set selinux boolean value ,Added steps to case yet.

thanks
dehan

Comment 38 errata-xmlrpc 2020-11-04 01:55:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

Note You need to log in before you can comment on or make changes to this bug.