Bug 839832 - qemu-ga: document selinux policy for read/write of guest files
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Amos Kong
QA Contact: Virtualization Bugs
Depends On: 839831
Blocks: 1034082
Reported: 2012-07-12 20:55 EDT by Luiz Capitulino
Modified: 2015-05-24 20:06 EDT (History)
See Also:
Fixed In Version: qemu-kvm-0.12.1.2-2.351.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1034082
Environment:
Last Closed: 2013-02-21 02:38:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Luiz Capitulino 2012-07-12 20:55:21 EDT
We're going to introduce a SELinux policy on RHEL6.4 to deny qemu-ga to read/write arbitrary guest files, this has to be documented in qemu-ga's future manpage and/or configuration files.
Comment 2 Amos Kong 2012-10-17 21:16:34 EDT
Talked with Luiz, assign this to me.
Comment 5 Amos Kong 2012-11-30 01:58:45 EST
In https://bugzilla.redhat.com/show_bug.cgi?id=839831#c0

Luiz requested to add a "qemu_guest_agent_read_any" boolean for the SELinux policy to allow arbitrary reads by the daemon. But I didn't find this in the latest selinux-policy, so I will not mention it in the doc.
Comment 10 Qunfang Zhang 2013-01-17 22:49:57 EST
This bug can be verified as passed now. In qemu-guest-agent-0.12.1.2-2.351 there is an SELinux policy note in the /etc/sysconfig/qemu-ga document, while in the older version of qemu-guest-agent there is not.

In qemu-guest-agent-0.12.1.2-2.350.el6:

# cat  /etc/sysconfig/qemu-ga
# Transport method may be one of following:
#   * unix-listen
#   * virtio-serial
#   * isa-serial
# Default: virtio-serial
TRANSPORT_METHOD="virtio-serial"

# You also can override the device/socket path
# Default: /dev/virtio-ports/org.qemu.guest_agent.0
DEVPATH="/dev/virtio-ports/org.qemu.guest_agent.0"

# If logfile is unset it defaults to stderr but the daemon
# function of init script redirects stderr to /dev/null
LOGFILE="/var/log/qemu-ga.log"

# Override pidfile name
# Default: /var/run/qemu-ga.pid
PIDFILE="/var/run/qemu-ga.pid"

# Comma-separated blacklist of RPCs to disable or empty list to enable all
# Tip: You can get the list of RPC commands using `qemu-ga --blacklist ?`
# Default: blank list to enable all RPCs
# Note: There should be no spaces between commas and commands in the blacklist
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"


=======================
In fixed version qemu-guest-agent-0.12.1.2-2.351.el6:
# cat /etc/sysconfig/qemu-ga
# Transport method may be one of following:
#   * unix-listen
#   * virtio-serial
#   * isa-serial
# Default: virtio-serial
TRANSPORT_METHOD="virtio-serial"
#TRANSPORT_METHOD="isa-serial"

# You also can override the device/socket path
# Default: /dev/virtio-ports/org.qemu.guest_agent.0
DEVPATH="/dev/virtio-ports/org.qemu.guest_agent.0"
#DEVPATH="/dev/ttyS1"

# If logfile is unset it defaults to stderr but the daemon
# function of init script redirects stderr to /dev/null
LOGFILE="/var/log/qemu-ga.log"

# Override pidfile name
# Default: /var/run/qemu-ga.pid
PIDFILE="/var/run/qemu-ga.pid"

# SELinux note:
#  About guest arbitrary file read/write
#
# A new selinux policy is introduced on RHEL-6.4 to deny qemu-ga to
# read/write arbitrary guest files except the device file used to talk
# with host processes, LOGFILE and PIDFILE.
#
# You can disable this policy by "restorecon -R -v /usr/bin/qemu-ga"

# Comma-separated blacklist of RPCs to disable or empty list to enable all
# Tip: You can get the list of RPC commands using `qemu-ga --blacklist ?`
# Default: blank list to enable all RPCs
# Note: There should be no spaces between commas and commands in the blacklist
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"
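An added audit script (not code from the bug report or the qemu-ga package) that checks the two mitigations this comment documents: that the guest-file-* RPCs are listed in BLACKLIST_RPC, and that /usr/bin/qemu-ga carries the confining SELinux exec type. The sample config and `ls -Z` line are constructed, and the type name virt_qemu_ga_exec_t is an assumption about the RHEL 6.4 policy.

```shell
# Added example, not code from the bug report or the qemu-ga package: audit a
# qemu-ga sysconfig for the guest-file-* RPC blacklist and check the binary's
# SELinux label. Samples are constructed; the type virt_qemu_ga_exec_t is assumed.

# Constructed sample of /etc/sysconfig/qemu-ga (same shape as in the report).
SAMPLE_CONF=$(cat <<'EOF'
TRANSPORT_METHOD="virtio-serial"
DEVPATH="/dev/virtio-ports/org.qemu.guest_agent.0"
# Comma-separated blacklist of RPCs to disable
BLACKLIST_RPC="guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush"
EOF
)
# Constructed `ls -Z /usr/bin/qemu-ga` output for a confined binary.
SAMPLE_LSZ='-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga'
# The RPCs through which the host side reads or writes files inside the guest.
FILE_RPCS='guest-file-open guest-file-close guest-file-read guest-file-write guest-file-seek guest-file-flush'

# Print the RPCs named in BLACKLIST_RPC, one per line, from config text on stdin.
blacklisted_rpcs() {
    sed -n 's/^BLACKLIST_RPC="\([^"]*\)"$/\1/p' | tr ',' '\n' | sed '/^$/d'
}

# Return 0 only if every guest-file-* RPC is blacklisted in the config text $1.
file_rpcs_blocked() {
    listed=$(printf '%s\n' "$1" | blacklisted_rpcs)
    for rpc in $FILE_RPCS; do
        printf '%s\n' "$listed" | grep -qx "$rpc" || return 1
    done
    return 0
}

# Return 0 if an `ls -Z` line ($1) carries the confined exec type (assumed name).
qemu_ga_confined() {
    case "$1" in
        *:virt_qemu_ga_exec_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed samples; on a real RHEL 6.4 guest pass
# "$(cat /etc/sysconfig/qemu-ga)" and "$(ls -Z /usr/bin/qemu-ga)" instead.
file_rpcs_blocked "$SAMPLE_CONF" && echo "OK: guest-file-* RPCs blacklisted" \
    || echo "WARN: guest-file-* RPCs reachable from the host"
qemu_ga_confined "$SAMPLE_LSZ" && echo "OK: qemu-ga labelled for confined domain" \
    || echo "WARN: qemu-ga not labelled virt_qemu_ga_exec_t"
```

Both checks are needed together: the blacklist stops the host from issuing the file RPCs, while the label keeps the daemon confined even if the blacklist is later relaxed.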
Comment 15 errata-xmlrpc 2013-02-21 02:38:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0527.html
Comment 16 Dax Kelson 2013-03-20 18:14:56 EDT
I don't understand how running a verbose, recursive restorecon on the qemu-ga binary will modify any policy?!?!
Comment 17 Amos Kong 2013-03-20 21:48:14 EDT
(In reply to comment #16)
> I don't understand how running a verbose, recursive restorecon on the
> qemu-ga binary will modify any policy?!?!

Please open a new bug and describe your problem in detail, thanks.