QEMU provides a daemon called the guest agent (or qemu-ga). This daemon runs on the guest and executes commands on behalf of processes running on the host. The guest agent provides a set of commands to read and write arbitrary guest files. It runs with root privileges. We want to deny this ability to read/write guest files with SELinux in RHEL6.4 by default.

Additionally, it's important to note the following:

o It would be very nice to have a "qemu_guest_agent_read_any" boolean for the SELinux policy to allow arbitrary reads by the daemon.

o qemu-ga reads and writes a few specific files in order to function properly. These files are:
  - the device used to talk with the host processes (default: /dev/virtio-ports/org.qemu.guest_agent.0)
  - the log file (default: /var/log/qemu-ga.log)
  - the pid file (default: /var/run/qemu-ga.pid)

In RHEL6.3, the qemu-ga package is qemu-guest-agent-0.12.1.2-2.295.el6.x86_64.rpm.

We also have the following upstream wiki page (which is a bit out-dated, but mostly correct): http://wiki.qemu.org/Features/QAPI/GuestAgent
Thanks for your description. Also, I would like to see some AVC messages. So the daemon is started by a service script?
(In reply to comment #1)
> Thanks for your description. Also, I would like to see some AVC messages.

I'll post them shortly.

> So the daemon is started by a service script?

Yes, 'service qemu-ga start'.
> Yes, 'service qemu-ga start'.

NB, with Fedora upstream, the qemu-ga daemon is actually started automatically whenever the correct virtio-serial socket is present in /dev, thanks to a magic udev rule.
So, the only AVC message that I can confirm is from qemu-ga is this one:

type=AVC msg=audit(1340825668.149:159): avc: denied { write } for pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file

And I believe these come from its child process:

type=SYSTEM_RUNLEVEL msg=audit(1342543464.420:55): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='old-level=3 new-level=0 exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
type=SYSTEM_SHUTDOWN msg=audit(1342543464.420:56): user pid=1615 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:initrc_t:s0 msg='init exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'

qemu-ga is not writing to its log file (it's writing only to syslog); this is a bug. That's probably why there are no AVC messages for the log file.
Is this also in Fedora? It looks like we will need to add a policy type virt_qemu_ga_t for this.
It's not (at least not in F17), but we should add it.
ifconfig writing to the pid file looks like a leaked file descriptor or a redirection of stdout/stderr. I see no reason why ifconfig should be writing to /var/run/qemu-ga-pid.
(In reply to comment #7)
> ifconfig writing to the pid file looks like a leaked file descriptor or a
> redirection of stdout/stderr. I see no reason why ifconfig should be
> writing to /var/run/qemu-ga-pid.

Oh, good catch. We indeed had a bug that leaked fds, but it should be fixed. I'll check it.
Created attachment 624001: initial policy

I need help with this one. Could you test the attached policy?

1. Download it
2. # semodule -i virt_qemu_ga.pp
3. # restorecon -Rv /usr/bin/qemu-ga

Test it and add the output of

# ausearch -m avc -ts recent
What tests do you need? I followed your procedure and was able to read /etc/passwd. I got this with ausearch:

----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:63): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7fffe25488d0 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:63): avc: denied { lock } for pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.884:62): arch=c000003e syscall=2 success=yes exit=3 a0=7f9452d5b147 a1=41 a2=180 a3=7f9452d3a9d0 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.884:62): avc: denied { write open } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { create } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { add_name } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc: denied { write } for pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:64): arch=c000003e syscall=2 success=yes exit=5 a0=7fffe254af3e a1=82802 a2=0 a3=28 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:64): avc: denied { open } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc: denied { read write } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
----
time->Tue Oct 9 16:22:54 2012
type=SYSCALL msg=audit(1349810574.886:65): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fffe25487f0 a2=7fffe25487f0 a3=7fffe2548570 items=0 ppid=1 pid=1259 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=unconfined_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1349810574.886:65): avc: denied { getattr } for pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
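The denials posted in the comments above are exactly what a policy author turns into allow rules (audit2allow does this in practice), with one trap: the ifconfig_t denial on the pid file is a leaked fd, not a missing rule, and must not be turned into one. The following parser is an added example for this thread, not code from the bug, from qemu-ga, or from the selinux-policy package; the AVC_SAMPLE text is constructed from the records quoted in comments 4 and 10, and the function names are this example's own. It groups denied permissions by (source type, target type, class) the way audit2allow does, renders allow rules only for the daemon's own domain, and separately reports access to the daemon's files from any other domain.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted earlier in this bug, one per line.
AVC_SAMPLE = """
type=AVC msg=audit(1340825668.149:159): avc: denied { write } for pid=2504 comm="ip" path="/var/run/qemu-ga.pid" dev=dm-0 ino=1025 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:63): avc: denied { lock } for pid=1259 comm="qemu-ga" path="/var/run/qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { write open } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" dev=dm-0 ino=262535 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { create } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1349810574.884:62): avc: denied { add_name } for pid=1259 comm="qemu-ga" name="qemu-ga.pid" scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.884:62): avc: denied { write } for pid=1259 comm="qemu-ga" name="run" dev=dm-0 ino=259883 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1349810574.886:64): avc: denied { open } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:64): avc: denied { read write } for pid=1259 comm="qemu-ga" name="vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
type=AVC msg=audit(1349810574.886:65): avc: denied { getattr } for pid=1259 comm="qemu-ga" path="/dev/vport0p1" dev=devtmpfs ino=9511 scontext=unconfined_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file
"""

# Real audit output has two spaces around "denied"; \s+ accepts either form.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the policy-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(rules, domain):
    """Render allow rules for one source domain only, sorted for stable diffs."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype == domain:
            out.append("allow %s %s:%s { %s };"
                       % (stype, ttype, tclass, " ".join(sorted(perms))))
    return out


def foreign_access(text, domain, path_fragment):
    """Denials touching the daemon's files from a domain other than `domain`.
    These point at a leaked fd or redirected stdio (comment 7), not at a rule
    the daemon's policy should grant."""
    hits = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and path_fragment in line and rec["stype"] != domain:
            hits.append((rec["comm"], rec["stype"], sorted(rec["perms"])))
    return hits


if __name__ == "__main__":
    denials = collect_denials(AVC_SAMPLE)
    for rule in allow_rules(denials, "virt_qemu_ga_t"):
        print(rule)
    for comm, stype, perms in foreign_access(AVC_SAMPLE, "virt_qemu_ga_t", "qemu-ga.pid"):
        print("# not a policy gap: %s (%s) %s" % (comm, stype, " ".join(perms)))
```

The three rules it emits cover only what the description lists as legitimate: the pid file under /var/run, its directory, and the virtio serial device. That is the point of the review step after running such a tool: the denials that appear when the agent is asked to open a file outside those paths (the /etc/passwd read in comment 10 produced none, which is why the initial module was not yet restrictive enough) are the ones to leave out of the module, or to put behind the read-any boolean the reporter asks for.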
Great. This is what I wanted to see.
Fixed in selinux-policy-3.7.19-168.el6
But this policy really needs to be tested more.
Change status to ASSIGNED according to https://bugzilla.redhat.com/show_bug.cgi?id=875666#c7
Fixes added to selinux-policy-3.7.19-190.el6
*** Bug 888152 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.7.19-193.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html