Bug 664087 - guestfish-related commands fail with permission denied
Summary: guestfish-related commands fail with permission denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-12-18 01:08 UTC by John J. McDonough
Modified: 2011-02-02 19:26 UTC (History)

Fixed In Version: selinux-policy-3.7.19-80.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-02 19:26:53 UTC
Type: ---
Embargoed:


Description John J. McDonough 2010-12-18 01:08:41 UTC
Description of problem:
guestfish-related commands, guestfish or virt- (other than virt-manager) fail with permission denied.  Often (but not always) accompanied by an SELinux message about access to sock.


Version-Release number of selected component (if applicable):
1.6.2

How reproducible:
reproducible

SELinux message:

type=AVC msg=audit(1292626972.134:149515): avc:  denied  { write } for  pid=6003 comm="qemu-kvm" name="sock" dev=sda2 ino=169564 scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file

Examples:

[root@Cimbaoth images]# guestfish --ro -d XP02 -i
connect(unix:/tmp/libguestfsP6FaZR/sock): Permission denied
chardev: opening backend "socket" failed
libguestfs: error: child process died unexpectedly

[root@Cimbaoth images]# virt-df
Filesystem                           1K-blocks       Used  Available  Use%
connect(unix:/tmp/libguestfsWpoifI/sock): Permission denied
chardev: opening backend "socket" failed
child process died unexpectedly at /usr/bin/virt-df line 377.
	...caught at /usr/bin/virt-df line 411.

[root@Cimbaoth images]# virt-ls F13.img /
connect(unix:/tmp/libguestfsDf9UeI/sock): Permission denied
chardev: opening backend "socket" failed
child process died unexpectedly at /usr/bin/virt-ls line 190.
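The AVC record quoted in the description carries everything needed to read the denial without guessing: the source domain (from scontext), the target type (from tcontext), the object class and the permission. The helper below is an added example written for this page, not code from libguestfs or from the report; the only input is the AVC line above, embedded as a constructed shell string so the script runs offline without auditd. The `ausearch` invocation in the comment is how it would be fed on a live host.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or libguestfs): reduce a raw
# AVC record to "source domain -> target type:class { permission }".

# The AVC line from the report, constructed here as a string so the script
# needs no audit log to run.
SAMPLE_AVC='type=AVC msg=audit(1292626972.134:149515): avc:  denied  { write } for  pid=6003 comm="qemu-kvm" name="sock" dev=sda2 ino=169564 scontext=unconfined_u:unconfined_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file'

# avc_field RECORD KEY -> value of KEY=value in RECORD, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT -> the type component of user:role:type[:range]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> e.g. "qemu_t -> user_tmp_t:sock_file { write }"
avc_summary() {
    rec=$1
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p')
    sdom=$(ctx_type "$(avc_field "$rec" scontext)")
    ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
    tclass=$(avc_field "$rec" tclass)
    printf '%s -> %s:%s { %s }\n' "$sdom" "$ttype" "$tclass" "$perms"
}

# Stand-alone run: summarise the sample record.
# On a real host the same function is fed from the audit log, for example:
#   ausearch -m avc --raw -c qemu-kvm | grep '^type=AVC' |
#       while read -r line; do avc_summary "$line"; done
avc_summary "$SAMPLE_AVC"
```

Read this way, the denial says the confined qemu_t domain (qemu-kvm transitioned into it because allow_unconfined_qemu_transition was on) cannot write to a sock_file labelled user_tmp_t, which is the label an unconfined user's process gives a socket it creates under /tmp. Disabling SELinux or the transition makes the symptom vanish because qemu then runs unconfined, not because the socket becomes accessible to qemu_t.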

Comment 1 Richard W.M. Jones 2010-12-18 07:15:51 UTC
Seems to be SELinux-related, reassigning.

Comment 2 Miroslav Grepl 2010-12-20 11:59:03 UTC
What are your outputs of

# getsebool -a | grep qemu_transition

# ls -Z `which guestfish`

Comment 3 Richard W.M. Jones 2010-12-20 12:19:55 UTC
[Not answering NEEDINFO, we still need this information from
the reporter]

These are from Fedora 14:

$ sudo getsebool -a | grep qemu_transition
allow_unconfined_qemu_transition --> off
$ ls -Z /usr/bin/guestfish 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/guestfish

Are these SELinux booleans documented or enumerated anywhere?

Comment 4 John J. McDonough 2010-12-20 13:12:42 UTC
From the offending (F13) system

[root@Cimbaoth ~]# getsebool -a | grep qemu_transition
allow_unconfined_qemu_transition --> on
[root@Cimbaoth ~]# ls -Z `which guestfish`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/guestfish
[root@Cimbaoth ~]# 

I have poked at many of the virtualization-related booleans in an attempt to make this go away.  As expected, disabling SELinux does make the symptom disappear, but that is an approach I would prefer not to take.

Comment 5 Miroslav Grepl 2010-12-20 13:44:06 UTC
John, 
turn the transition off.

# setsebool -P allow_unconfined_qemu_transition 0

Comment 6 Daniel Walsh 2010-12-20 14:22:18 UTC
Miroslav add

userdom_stream_connect(qemu_t)

Since qemu_t is a confinement of userspace this should be allowed.
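The proper fix is the one named above, userdom_stream_connect(qemu_t) in the distribution policy, which shipped as selinux-policy-3.7.19-77.fc13 and later. A host that cannot take that update yet has two choices: the workaround in Comment 5 (turning allow_unconfined_qemu_transition off, which leaves qemu running as the caller's unconfined domain, so qemu loses its confinement entirely) or a local policy module that keeps qemu_t confined and grants only the missing access. The script below is an added example, not the Fedora policy change itself: the two allow rules are this example's own reading of the AVC in the report plus the connectto permission a Unix stream connect() also needs against the listening domain. It assumes that the guestfish side runs as unconfined_t and that unconfined_t carries the userdomain attribute, which is what the interface name suggests; if a further denial shows up after loading it, read that AVC the same way rather than widening these rules.

```shell
#!/bin/sh
# Added example (not the selinux-policy change referenced in this bug):
# build and load a local policy module giving qemu_t the access denied in
# the report while leaving qemu confined. Assumptions: the listening socket
# belongs to an unconfined_t process and unconfined_t has the userdomain
# attribute.

MODNAME=${MODNAME:-local_qemu_guestfs}

# write_te DIR -> writes DIR/$MODNAME.te and prints its path
write_te() {
    te="$1/$MODNAME.te"
    cat >"$te" <<EOF
module $MODNAME 1.0;

require {
    type qemu_t;
    type user_tmp_t;
    attribute userdomain;
    class sock_file write;
    class unix_stream_socket connectto;
}

# The denial from the report: qemu-kvm writing the socket node
# /tmp/libguestfs*/sock, which is labelled user_tmp_t.
allow qemu_t user_tmp_t:sock_file write;

# connect() on a Unix stream socket is also checked against the
# listening process's socket (assumed: a userdomain such as unconfined_t).
allow qemu_t userdomain:unix_stream_socket connectto;
EOF
    printf '%s\n' "$te"
}

# te_allows FILE SOURCE TARGET CLASS PERM -> true if FILE contains that rule
te_allows() {
    grep -q "^allow $2 $3:$4 $5;" "$1"
}

# build_and_load DIR -> compile DIR/$MODNAME.te to a .pp and load it.
# Needs root plus checkpolicy and policycoreutils; only run on request.
build_and_load() {
    dir=$1
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
}

# Stand-alone run: write the module source and print where it went;
# pass --load to compile and install it as well.
if [ "${1:-}" = "--load" ]; then
    workdir=$(mktemp -d)
    write_te "$workdir"
    build_and_load "$workdir"
fi
```

Once the distribution update is installed the local module is redundant and can be dropped with `semodule -r local_qemu_guestfs`, so the host ends up with exactly the vendor policy and nothing that has to be maintained by hand.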

Comment 7 Miroslav Grepl 2010-12-20 14:26:10 UTC
Fixed in selinux-policy-3.7.19-77.fc13

Comment 8 John J. McDonough 2010-12-20 14:28:27 UTC
Very nice, thank you

Comment 9 Richard W.M. Jones 2010-12-20 14:49:35 UTC
Thanks for fixing this.

Any idea about where I can get a list of SELinux booleans
and what they do?

Comment 10 Fedora Update System 2010-12-20 18:37:44 UTC
selinux-policy-3.7.19-77.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13

Comment 11 Daniel Walsh 2010-12-20 21:31:48 UTC
# semanage boolean -l


Or system-config-selinux

Comment 12 Fedora Update System 2010-12-22 00:07:41 UTC
selinux-policy-3.7.19-77.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-77.fc13

Comment 13 Fedora Update System 2011-01-01 20:21:51 UTC
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-80.fc13

Comment 14 Fedora Update System 2011-02-02 19:26:27 UTC
selinux-policy-3.7.19-80.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
