Bug 2219795 - AVC created when named-chroot is enabled and "virsh domfsinfo" command is used [NEEDINFO]
Status: NEW
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: qemu-kvm
Version: 8.8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Kostiantyn Kostiuk
QA Contact: dehanmeng

Reported: 2023-07-05 12:00 UTC by Renaud Métrich
Modified: 2023-08-17 09:57 UTC
CC: 7 users
Type: Bug
Flags: needinfo? (kkostiuk), requested by demeng

Links:
Red Hat Issue Tracker RHELPLAN-161569 (last updated 2023-07-05 12:02:02 UTC)
Red Hat Knowledge Base (Solution) 7023553 (last updated 2023-07-06 19:06:06 UTC)

Description Renaud Métrich 2023-07-05 12:00:34 UTC
Description of problem:

When named-chroot.service is started, the service creates additional global mounts:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# mount | grep chroot
[...]
/dev/mapper/rhel-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Executing "virsh domfsinfo" then generates an AVC on the qemu-ga agent with the default policy (i.e. with "virt_qemu_ga_read_nonsecurity_files" not enabled) when qemu-ga queries the above mount, as seen in the strace below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
1016  [virt_qemu_ga_t] 13:28:04.673979 statfs("/var/named/chroot/var/named" [named_zone_t], 0x7ffc551cefd0) = -1 EACCES (Permission denied) <0.000042>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(07/05/2023 13:28:04.672:1448) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo
type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x55fcf1a98230 a1=0x7ffc551cefd0 a2=0x7fc9d10dec20 a3=0x55fcf1a84bb0 items=0 ppid=1 pid=1016 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc:  denied  { search } for  pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actually, more AVCs are seen just before this one, all related to querying the mount point.

I think enabling boolean virt_qemu_ga_read_nonsecurity_files is overkill here.
I believe adding a dontaudit rule would be preferred, but it's up to you to decide.

Please discuss the best solution with the SELinux team.

Version-Release number of selected component (if applicable):

qemu-guest-agent-6.2.0

How reproducible:

Always

Steps to Reproduce:
1. Install and start named-chroot service

  # yum -y install bind-chroot
  # systemctl start named-chroot

2. Query the domain from the host

  $ virsh domfsinfo <domain>

Actual results:

Proper result on the host, but the AVC above appears multiple times

Expected results:

No AVC
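
An added example, not part of the bug report and not Red Hat's or the SELinux team's resolution: a small Python triage script that parses the AVC record quoted above, groups the denied permissions per source type / target type / object class, renders the narrow dontaudit module the reporter proposes as the alternative to flipping the virt_qemu_ga_read_nonsecurity_files boolean, and re-checks that every parsed denial would be covered. The first audit line is the AVC from the report; the second is a constructed, hypothetical getattr denial included only to exercise the grouping (the report says further AVCs exist but does not show them); the SYSCALL line is abbreviated from the report and is there to show non-AVC records being skipped. The module name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record quoted in the bug report;
# line 2 is a HYPOTHETICAL getattr denial (not from the report) used only to
# exercise grouping; line 3 is the report's SYSCALL record, abbreviated.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc:  denied  { search } for  '
    'pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 '
    'scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(07/05/2023 13:28:04.672:1447) : avc:  denied  { getattr } for  '
    'pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 '
    'scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 '
    'syscall=statfs success=no exit=EACCES(Permission denied) comm=qemu-ga',
]

# Matches the "avc: denied { perms } for ... scontext= tcontext= tclass=" shape
# that auditd writes for kernel access-vector denials.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<rest>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of an SELinux context (user:role:type[:level])."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a denial dict, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def group_denials(lines):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            groups[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(groups)


def dontaudit_module(name, groups):
    """Render a minimal refpolicy-style .te module of dontaudit rules.

    dontaudit only suppresses the audit record; the access is still denied,
    unlike a boolean or allow rule that would actually grant it.
    """
    types = sorted({s for s, _, _ in groups} | {t for _, t, _ in groups})
    classes = defaultdict(set)
    for (_, _, cls), perms in groups.items():
        classes[cls] |= perms
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(groups.items()):
        out.append(f"dontaudit {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def is_silenced(line, groups):
    """True if the denial on this line is fully covered by the grouped rules."""
    d = parse_avc(line)
    if d is None:
        return False
    return d["perms"] <= groups.get((d["stype"], d["ttype"], d["tclass"]), set())


if __name__ == "__main__":
    grouped = group_denials(SAMPLE_AUDIT)
    print(dontaudit_module("qemu_ga_named_chroot", grouped))  # module name is an assumption
    for line in SAMPLE_AUDIT:
        if parse_avc(line):
            print("covered" if is_silenced(line, grouped) else "NOT covered", line[:60])
```

The rendered .te text is the input to the usual local-module workflow (`make -f /usr/share/selinux/devel/Makefile qemu_ga_named_chroot.pp` followed by `semodule -i`); in practice the permission set is taken from the real denials, which is why the script groups them rather than hard-coding `search`. Because dontaudit does not change the access decision, qemu-ga still receives EACCES on the chroot mount and `virsh domfsinfo` behaves exactly as the reporter observes on the host, whereas the boolean would widen what virt_qemu_ga_t may read.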

Comment 1 John Ferlan 2023-07-05 13:43:38 UTC
NB: May need a RHEL-9 clone too.

