Bug 839831 - deny qemu guest agent read/write operations by default
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
6.4
x86_64 Linux
high Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks: 831387 839832 875666 1034082
Reported: 2012-07-12 20:50 EDT by Luiz Capitulino
Modified: 2013-11-25 03:54 EST (History)

See Also:
Fixed In Version: selinux-policy-3.7.19-193.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 875666
Environment:
Last Closed: 2013-02-21 03:25:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
initial policy (92.87 KB, application/octet-stream)
2012-10-09 05:07 EDT, Miroslav Grepl

Description Luiz Capitulino 2012-07-12 20:50:13 EDT
QEMU provides a daemon called the guest agent (or qemu-ga). This daemon runs on the guest and executes commands on behalf of processes running on the host.

The guest agent provides a set of commands to read and write arbitrary guest files. It runs with root privileges.

We want to deny this ability to read/write guest files with SELinux in RHEL6.4 by default.

Additionally, it's important to note the following:

o It would be very nice to have a "qemu_guest_agent_read_any" boolean for the SELinux policy to allow arbitrary read by the daemon

o qemu-ga reads and writes to a few specific files in order to function properly; these files are:
  - the device used to talk with the host processes (default: /dev/virtio-ports/org.qemu.guest_agent.0)
  - the log file (default: /var/log/qemu-ga.log)
  - the pid file (default: /var/run/qemu-ga.pid)

In RHEL6.3, the qemu-ga package is qemu-guest-agent-0.12.1.2-2.295.el6.x86_64.rpm. We also have the following upstream wiki page (which is a bit out-dated, but mostly correct):

 http://wiki.qemu.org/Features/QAPI/GuestAgent
Comment 1 Miroslav Grepl 2012-07-13 02:45:53 EDT
Thanks for your description. Also, I would like to see some AVC msgs.

So the daemon is started by a service script?
Comment 2 Luiz Capitulino 2012-07-16 09:26:12 EDT
(In reply to comment #1)
> Thanks for your description. Also I would like to see some AVC msgs?

I'll post them shortly.

> So the daemon is started by a service script?

Yes, 'service qemu-ga start'.
Comment 3 Daniel Berrange 2012-07-16 09:29:37 EDT
> Yes, 'service qemu-ga start'.

NB, with Fedora upstream, the qemu-ga daemon is actually started automatically whenever the correct virtio-serial socket is present in /dev, thanks to a magic udev rule.
Comment 4 Luiz Capitulino 2012-07-17 13:26:51 EDT
So, the only AVC message that I can confirm is from qemu-ga is this one:

type=AVC msg=audit(1340825668.149:159): avc:  denied  { write } for  pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

And I believe these come from its child process:

type=SYSTEM_RUNLEVEL msg=audit(1342543464.420:55): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='old-level=3 new-level=0 exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
type=SYSTEM_SHUTDOWN msg=audit(1342543464.420:56): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='init exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'

qemu-ga is not writing to its log file (it's writing only to syslog), this is a bug. That's probably why there are no AVC messages for the log file.
Comment 5 Miroslav Grepl 2012-07-18 05:25:27 EDT
Is this also in Fedora? It looks we will need to add a policy

virt_qemu_qa_t for this.
Comment 6 Luiz Capitulino 2012-07-18 09:07:05 EDT
It's not (at least not in F17), but we should add it.
Comment 7 Daniel Walsh 2012-07-19 10:31:41 EDT
ifconfig writing to the pid file looks like a leaked file descriptor or a redirection of stdout/stderr.  I see no reason why ifconfig should be writing to /var/run/qemu-ga-pid.
Comment 9 Luiz Capitulino 2012-07-23 10:22:46 EDT
(In reply to comment #7)
> ifconfig writing to the pid file looks like a leaked file descriptor or a
> redirection of stdout/stderr.  I see no reason why ifconfig should be
> writing to /var/run/qemu-ga-pid.

Oh, good catch. We indeed had a bug that leaked fds, but it should be fixed. I'll check it.
Comment 12 Miroslav Grepl 2012-10-09 05:07:42 EDT
Created attachment 624001 [details]
initial policy

I need help with this one.

Could you test the attached policy?

1. Download it
2. # semodule -i virt_qemu_ga.pp
3. # restorecon -Rv /usr/bin/qemu-ga

test it and add outputs of

# ausearch -m avc -ts recent
Comment 13 Luiz Capitulino 2012-10-09 15:31:56 EDT
What tests do you need? I followed your procedure and was able to read /etc/passwd, got this with ausearch:

----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:63): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7fffe25488d0 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:63): avc:  denied  { lock } for  pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:62): arch=c000003e syscall=2 success=yes exit=3 a0=7f9452d5b147 a1=41 a2=180 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write open } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { create } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { add_name } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write } for  pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:64): arch=c000003e syscall=2 success=yes exit=5 a0=7fffe254af3e a1=82802 a2=0 a3=28 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:64): avc:  denied  { open } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc:  denied  { read write } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
----
time->Tue Oct  9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:65): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fffe25487f0 a2=7fffe25487f0 a3=7fffe2548570 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:65): avc:  denied  { getattr } for  pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
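Added example (not code from this bug, from selinux-policy or from qemu-guest-agent): a small triage script for the AVC output requested in comment 12 and posted in comment 13. It parses the raw AVC records, merges them into candidate "allow" rules the way audit2allow would, but first separates denials on the daemon's own working set (the pid file under /var/run, the log under /var/log and the virtio-serial port listed in the description) from denials on anything else. The latter are the policy doing exactly what this bug asks for and must not be turned into rules. The AVC lines are copied from comment 13; the /etc/shadow record is constructed for illustration, and the var_log_t type for the log file is an assumption (comment 4 notes no log-file denial was captured).

```python
import re
from collections import defaultdict

# AVC records quoted from comment 13 of this bug (test policy, virt_qemu_ga_t).
BUG_AVC_LOG = """\
type=AVC msg=audit(1349810574.884:63): avc:  denied  { lock } for  pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write open } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { create } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc:  denied  { add_name } for  pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc:  denied  { write } for  pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.886:64): avc:  denied  { open } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc:  denied  { read write } for  pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:65): avc:  denied  { getattr } for  pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
"""

# Constructed record (NOT from the bug): the daemon trying to read /etc/shadow.
# Under the policy this bug asks for, that denial is correct and must stay.
CONSTRUCTED_AVC_LOG = """\
type=AVC msg=audit(1349810600.000:70): avc:  denied  { read } for  pid=1259 comm="qemu-ga" name="shadow" dev=dm-0 ino=1 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# (target type, object class) pairs the daemon legitimately needs, per the
# description: pid file under /var/run, log under /var/log, the virtio port.
# var_run_t and virtio_device_t come from the bug's own AVCs; var_log_t for
# the log file is an assumption (no log-file denial was captured).
EXPECTED_TARGETS = {
    ("var_run_t", "dir"),
    ("var_run_t", "file"),
    ("var_log_t", "file"),
    ("virtio_device_t", "chr_file"),
}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+(?:name|path)="(?P<obj>[^"]*)")?.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC denial records; other audit lines (SYSCALL, time->, ----) are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "serial": int(m.group("serial")),
            "comm": m.group("comm"),
            "obj": m.group("obj"),
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def split_denials(denials, expected=EXPECTED_TARGETS):
    """Separate denials on the daemon's own files from denials the policy should keep."""
    needed = [d for d in denials if (d["ttype"], d["tclass"]) in expected]
    blocked = [d for d in denials if (d["ttype"], d["tclass"]) not in expected]
    return needed, blocked


def allow_rules(denials):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    found = parse_avc(BUG_AVC_LOG + CONSTRUCTED_AVC_LOG)
    needed, blocked = split_denials(found)
    print("# candidate rules for the daemon's own working set")
    for rule in allow_rules(needed):
        print(rule)
    print("# denials left in place (policy working as intended)")
    for d in blocked:
        print("%s %s %s:%s %s" % (d["comm"], d["obj"], d["ttype"],
                                  d["tclass"], " ".join(sorted(d["perms"]))))
```

On a real guest the input would be `ausearch -m avc -ts recent` as in comment 12, and `audit2allow -a` produces the same merged rule shapes. The point of the split is that audit2allow merges everything it sees: feeding it a capture taken while exercising guest-file-read commands would happily emit an `allow virt_qemu_ga_t shadow_t:file read;` line, which is precisely the access the bug wants denied unless an admin opts in via the proposed boolean.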
Comment 14 Miroslav Grepl 2012-10-10 04:14:38 EDT
Great. This is what I wanted to see.
Comment 15 Miroslav Grepl 2012-10-10 04:45:03 EDT
Fixed in selinux-policy-3.7.19-168.el6
Comment 16 Miroslav Grepl 2012-10-10 07:51:49 EDT
But this policy really needs to be tested more.
Comment 24 Amos Kong 2012-11-27 10:57:13 EST
Change status to ASSIGNED according to https://bugzilla.redhat.com/show_bug.cgi?id=875666#c7
Comment 25 Miroslav Grepl 2013-01-03 10:28:46 EST
Fixes added to selinux-policy-3.7.19-190.el6
Comment 27 Miroslav Grepl 2013-01-16 06:30:36 EST
*** Bug 888152 has been marked as a duplicate of this bug. ***
Comment 28 Miroslav Grepl 2013-01-16 08:30:50 EST
Fixed in selinux-policy-3.7.19-193.el6
Comment 31 errata-xmlrpc 2013-02-21 03:25:27 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
