Bug 860235 - SELinux policy ought to allow qemu to write to unconfined_u:object_r:user_tmp_t:s0
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-25 11:10 UTC by Richard W.M. Jones
Modified: 2012-12-20 15:04 UTC

Doc Type: Bug Fix
Last Closed: 2012-12-20 15:04:01 UTC
Type: Bug

Description Richard W.M. Jones 2012-09-25 11:10:28 UTC
Description of problem:

If you create a temporary directory under /tmp, e.g. /tmp/foo,
then set TMPDIR=/tmp/foo, qemu-kvm cannot start up.  This is
because /tmp/foo will have this label:

unconfined_u:object_r:user_tmp_t:s0

and the current policy denies writes to this.  (See AVCs at
the end).  qemu wants to create and access temporary files
in $TMPDIR but cannot do so.

This doesn't seem to make much sense -- qemu really ought to
be able to write to user temporary directories.

In addition, the libguestfs test suite relies on setting $TMPDIR
so that we can run the test suite in parallel without two
runs disturbing each other.  This bug prevents us from running
the test suite with SELinux enforcing (it is actually the very
last bug that stops us from doing so).

Version-Release number of selected component (if applicable):

selinux-policy-3.11.1-7.fc18.noarch
qemu-1.2.0-3.fc18.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Run the test case in bug 859596.
or:
1. Start up qemu as non-root with $TMPDIR set to a subdirectory of /tmp

Additional info:

AVCs from a couple of runs of qemu-kvm with SELinux set
to Permissive:

type=MAC_STATUS msg=audit(1348570108.116:17255): enforcing=0 old_enforcing=1 auid=1000 ses=355
type=SYSCALL msg=audit(1348570108.116:17255): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff3699d000 a2=1 a3=7fff3699cd68 items=0 ppid=19997 pid=19998 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=355 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_END msg=audit(1348570108.121:17256): pid=19997 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1348570139.187:17257): avc:  denied  { write } for  pid=21024 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-nss9ny3ms2xirsqj.log" dev="dm-5" ino=1851174 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1348570139.187:17257): arch=c000003e syscall=59 success=yes exit=0 a0=7f03040c36f0 a1=7f03040c3d70 a2=7f03040c4f50 a3=7f03248d8980 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null)
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { write } for  pid=21024 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { add_name } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { create } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { read write open } for  pid=21024 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/EcIMm_ulWi/vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570139.254:17258): arch=c000003e syscall=2 success=yes exit=14 a0=7fff2df663a0 a1=c2 a2=180 a3=3b9f5f5f0a05 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null)
type=AVC msg=audit(1348570139.266:17259): avc:  denied  { remove_name } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.266:17259): avc:  denied  { unlink } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570139.266:17259): arch=c000003e syscall=87 success=yes exit=0 a0=7fff2df663a0 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null)
type=AVC msg=audit(1348570140.452:17260): avc:  denied  { write } for  pid=21040 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-q63bcuxolnjzvcuc.log" dev="dm-5" ino=1851175 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1348570140.452:17260): arch=c000003e syscall=59 success=yes exit=0 a0=7f02f4001a90 a1=7f02f4002110 a2=7f02f4006f70 a3=7f03240d7980 items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null)
type=AVC msg=audit(1348570140.510:17261): avc:  denied  { write } for  pid=21040 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570140.510:17261): avc:  denied  { add_name } for  pid=21040 comm="qemu-kvm" name="vl.reDL2u" scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570140.510:17261): avc:  denied  { create } for  pid=21040 comm="qemu-kvm" name="vl.reDL2u" scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570140.510:17261): avc:  denied  { read write open } for  pid=21040 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/EcIMm_ulWi/vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570140.510:17261): arch=c000003e syscall=2 success=yes exit=14 a0=7fff90f2a180 a1=c2 a2=180 a3=3b9f739e678e items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null)
type=AVC msg=audit(1348570140.532:17262): avc:  denied  { remove_name } for  pid=21040 comm="qemu-kvm" name="vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570140.532:17262): avc:  denied  { unlink } for  pid=21040 comm="qemu-kvm" name="vl.reDL2u" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570140.532:17262): arch=c000003e syscall=87 success=yes exit=0 a0=7fff90f2a180 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=21040 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 key=(null)
type=AVC msg=audit(1348570199.403:17263): avc:  denied  { write } for  pid=22117 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-lcanus5i9qgd014i.log" dev="dm-5" ino=1851176 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1348570199.403:17263): arch=c000003e syscall=59 success=yes exit=0 a0=7f94d80c9590 a1=7f94d80c9c10 a2=7f94d80c8c90 a3=7f94f7a10980 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null)
type=AVC msg=audit(1348570199.465:17264): avc:  denied  { write } for  pid=22117 comm="qemu-kvm" name="GUWMN9pzZM" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570199.465:17264): avc:  denied  { add_name } for  pid=22117 comm="qemu-kvm" name="vl.4NpQ50" scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570199.465:17264): avc:  denied  { create } for  pid=22117 comm="qemu-kvm" name="vl.4NpQ50" scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570199.465:17264): avc:  denied  { read write open } for  pid=22117 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/GUWMN9pzZM/vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570199.465:17264): arch=c000003e syscall=2 success=yes exit=14 a0=7fffa77e37d0 a1=c2 a2=180 a3=3ba033a9d5e9 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null)
type=AVC msg=audit(1348570199.477:17265): avc:  denied  { remove_name } for  pid=22117 comm="qemu-kvm" name="vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570199.477:17265): avc:  denied  { unlink } for  pid=22117 comm="qemu-kvm" name="vl.4NpQ50" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570199.477:17265): arch=c000003e syscall=87 success=yes exit=0 a0=7fffa77e37d0 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=22117 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c83,c361 key=(null)
type=AVC msg=audit(1348570200.638:17266): avc:  denied  { write } for  pid=22133 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-5ltmwrucxh0gdl0u.log" dev="dm-5" ino=1851177 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1348570200.638:17266): arch=c000003e syscall=59 success=yes exit=0 a0=7f94d4001da0 a1=7f94d4002420 a2=7f94d4006e40 a3=7f94f720f980 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null)
type=AVC msg=audit(1348570200.698:17267): avc:  denied  { write } for  pid=22133 comm="qemu-kvm" name="GUWMN9pzZM" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570200.698:17267): avc:  denied  { add_name } for  pid=22133 comm="qemu-kvm" name="vl.GQBaWm" scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570200.698:17267): avc:  denied  { create } for  pid=22133 comm="qemu-kvm" name="vl.GQBaWm" scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570200.698:17267): avc:  denied  { read write open } for  pid=22133 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/GUWMN9pzZM/vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570200.698:17267): arch=c000003e syscall=2 success=yes exit=14 a0=7fff602add30 a1=c2 a2=180 a3=3ba046e6f8d4 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null)
type=AVC msg=audit(1348570200.710:17268): avc:  denied  { remove_name } for  pid=22133 comm="qemu-kvm" name="vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570200.710:17268): avc:  denied  { unlink } for  pid=22133 comm="qemu-kvm" name="vl.GQBaWm" dev="dm-5" ino=940363 scontext=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1348570200.710:17268): arch=c000003e syscall=87 success=yes exit=0 a0=7fff602add30 a1=0 a2=800000 a3=0 items=0 ppid=1 pid=22133 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c843,c943 key=(null)
type=USER_CMD msg=audit(1348570275.428:17269): pid=22180 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd="getenforce" terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1348570275.431:17270): pid=22181 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1348570275.439:17271): pid=22181 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1348570275.450:17272): pid=22180 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1348570281.828:17273): pid=22182 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/rjones/d/libguestfs" cmd=736574656E666F72636520456E666F7263696E67 terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1348570281.832:17274): pid=22183 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1348570281.836:17275): pid=22183 uid=0 auid=1000 ses=355 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
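A small summariser for AVC records like the ones above, added here as an example and not part of the original report or of the selinux-policy package: it reads audit lines, keeps only the AVC denials, reduces each context to its type (dropping the per-guest MCS categories, so the denials from both qemu-kvm runs fold into one rule set) and prints the result in allow-rule syntax, the same shape audit2allow prints. The sample input is copied from this report's audit output; reading the lines from a file or from ausearch instead is an assumption.

```python
import re
from collections import defaultdict

# Audit lines copied from this bug report: AVC denials from two qemu-kvm runs
# (different MCS categories c287,c915 and c414,c415) plus one SYSCALL record,
# included to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1348570139.187:17257): avc:  denied  { write } for  pid=21024 comm="qemu-kvm" path="/home/rjones/.cache/libvirt/qemu/log/guestfs-nss9ny3ms2xirsqj.log" dev="dm-5" ino=1851174 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=file
type=SYSCALL msg=audit(1348570139.187:17257): arch=c000003e syscall=59 success=yes exit=0 a0=7f03040c36f0 a1=7f03040c3d70 a2=7f03040c4f50 a3=7f03248d8980 items=0 ppid=1 pid=21024 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=355 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 key=(null)
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { write } for  pid=21024 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { add_name } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { create } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570139.254:17258): avc:  denied  { read write open } for  pid=21024 comm="qemu-kvm" path="/home/rjones/d/libguestfs/tmp/EcIMm_ulWi/vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570139.266:17259): avc:  denied  { remove_name } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1348570139.266:17259): avc:  denied  { unlink } for  pid=21024 comm="qemu-kvm" name="vl.FPUq37" dev="dm-5" ino=940360 scontext=unconfined_u:unconfined_r:svirt_t:s0:c287,c915 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1348570140.510:17261): avc:  denied  { write } for  pid=21040 comm="qemu-kvm" name="EcIMm_ulWi" dev="dm-5" ino=940283 scontext=unconfined_u:unconfined_r:svirt_t:s0:c414,c415 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
"""

# Matches the permission set and the three fields an allow rule is built from.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')


def context_type(ctx):
    """Return the type of an SELinux context user:role:type[:level].

    The MCS level (s0:c287,c915) is what keeps one guest from touching
    another's files; allow rules are written against the type, so the
    level is dropped here.
    """
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = COMM_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": comm.group("comm") if comm else None,
    }


def summarize(lines):
    """Collapse denials into {(source type, target type, class): set of perms}."""
    summary = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            summary[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    # Prints three rules: svirt_t on user_tmp_t:dir, user_tmp_t:file and
    # virt_home_t:file.
    for rule in to_allow_rules(summarize(SAMPLE_AUDIT.splitlines())):
        print(rule)
```

The output is review input, not something to load as a module blindly: the first comment below treats the virt_home_t denial as a mislabelled directory under ~/.cache, to be corrected with restorecon rather than with a new rule, while the user_tmp_t denials are the policy gap the bug is about. Summarising by type is what makes that split visible.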

Comment 1 Daniel Walsh 2012-09-25 19:03:32 UTC
Fixed in selinux-policy-3.11.1-25.fc18.noarch

You also have a mislabeled directory in your homedir.

restorecon -R -v ~/.cache

Comment 2 Fedora Update System 2012-09-26 04:51:44 UTC
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18

Comment 3 Fedora Update System 2012-09-26 21:19:04 UTC
Package selinux-policy-3.11.1-25.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-25.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14807/selinux-policy-3.11.1-25.fc18
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-12-20 15:04:03 UTC
selinux-policy-3.11.1-25.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
