Bug 2132728 - selinux blocks usage of qemu-guest-agent over vsock
Summary: selinux blocks usage of qemu-guest-agent over vsock
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-06 13:36 UTC by Christophe Fergeau
Modified: 2023-03-09 22:53 UTC (History)
CC List: 17 users

Fixed In Version: selinux-policy-38.8-2.fc38
Clone Of:
Environment:
Last Closed: 2023-03-09 22:53:11 UTC
Type: Bug
Embargoed:




Links
System: Github fedora-selinux/selinux-policy pull 1619
Private: 0
Priority: None
Status: open
Summary: Allow qemu-guest-agent create and use vsock socket
Last Updated: 2023-03-02 18:28:32 UTC

Description Christophe Fergeau 2022-10-06 13:36:27 UTC
I tried to run qemu-guest-agent over vsock using this unit file:

$ cat /etc/systemd/system/qemu-guest-agent.service 

[Unit]
Description=QEMU Guest Agent
IgnoreOnIsolate=True

[Service]
UMask=0077
EnvironmentFile=/etc/sysconfig/qemu-ga
ExecStart=/usr/bin/qemu-ga \
  --method=vsock-listen \
  --path=3:1024 \
  --blacklist=${BLACKLIST_RPC} \
  -F${FSFREEZE_HOOK_PATHNAME}
Restart=always
RestartSec=0

[Install]


'systemctl start qemu-guest-agent' fails unless I use 'setenforce 0':

$ LC_ALL=en_US.utf-8 sealert -l 55bbbb98-bcec-4f95-bc4e-0f9985a9f7c4
SELinux is preventing qemu-ga from create access on the vsock_socket Inconnu.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that qemu-ga should be allowed create access on the Inconnu vsock_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-ga' --raw | audit2allow -M my-qemuga
# semodule -X 300 -i my-qemuga.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:system_r:virt_qemu_ga_t:s0
Target Objects                Inconnu [ vsock_socket ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          fedora36.ramen.dolet.fergeau.eu
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.15-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.15-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora36.ramen.dolet.fergeau.eu
Platform                      Linux fedora36.ramen.dolet.fergeau.eu
                              5.19.13-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Tue
                              Oct 4 15:42:43 UTC 2022 x86_64 x86_64
Alert Count                   6
First Seen                    2022-10-06 15:16:45 CEST
Last Seen                     2022-10-06 15:31:54 CEST
Local ID                      55bbbb98-bcec-4f95-bc4e-0f9985a9f7c4

Raw Audit Messages
type=AVC msg=audit(1665063114.844:460): avc:  denied  { create } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1


Hash: qemu-ga,virt_qemu_ga_t,virt_qemu_ga_t,vsock_socket,create
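As an added illustration (not code from this report, from audit2allow, or from the selinux-policy project), the following Python parser turns raw AVC lines like the one above into the allow rule audit2allow would generate for them, and reports whether the denials were only logged (permissive=1, as in this report) or actually blocked. The first sample line is the one from the report; the second (bind/listen) is constructed to show how permissions are merged.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC line from this report, plus a second line made up
# here (bind/listen on the same socket class) to show aggregation of permissions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1665063114.844:460): avc:  denied  { create } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1
type=AVC msg=audit(1665063114.845:461): avc:  denied  { bind listen } for  pid=1310 comm="qemu-ga" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=vsock_socket permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def context_type(ctx):
    """user:role:type:mls -> the type field, which is what allow rules name."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Extract each AVC denial as a dict of source type, target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "permissive": m.group("permissive"),  # "1" = logged only, "0" = blocked
        })
    return denials

def build_allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def was_enforced(denials):
    """True if any denial actually blocked the call (permissive=0, i.e. enforcing mode)."""
    return any(d["permissive"] == "0" for d in denials)
```

Running `build_allow_rules(parse_avc(SAMPLE_AUDIT))` yields the same `allow virt_qemu_ga_t self:vsock_socket { ... }` shape that the .te module later in this report uses; `was_enforced` is False for these lines because the host was in permissive mode when they were recorded.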

Comment 1 Cole Robinson 2022-10-11 17:13:03 UTC
Thanks for the report. I don't see any reason to not allow this in the selinux policy. It's a valid, if non-default, use case.

Comment 2 Christophe Fergeau 2022-11-03 16:37:32 UTC
I was able to get it to work using this selinux .te file:

module qemuga-vsock 1.0;

require {
	type virt_qemu_ga_t;
	class vsock_socket { bind create getattr listen accept read write };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t self:vsock_socket { bind create getattr listen accept read write };

Comment 3 Ben Cotton 2023-02-07 15:12:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 4 Fedora Update System 2023-03-04 19:54:08 UTC
FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

Comment 5 Fedora Update System 2023-03-05 03:10:21 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-03-09 22:53:11 UTC
FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

