Bug 959639 - SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW.
Summary: SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-04 13:56 UTC by Dean Hunter
Modified: 2013-05-30 03:33 UTC (History)

Fixed In Version: selinux-policy-3.12.1-47.fc19
Clone Of:
Environment:
Last Closed: 2013-05-30 03:33:02 UTC
Type: Bug
Embargoed:



Description Dean Hunter 2013-05-04 13:56:04 UTC
Description of problem:

The QEMU guest agent fails to start on Fedora 19 Alpha due to SELinux alerts.


Version-Release number of selected component (if applicable):

Installed Packages
selinux-policy.noarch                       3.12.1-34.fc19               @fedora
selinux-policy-devel.noarch                 3.12.1-34.fc19               @fedora
selinux-policy-doc.noarch                   3.12.1-34.fc19               @fedora
selinux-policy-targeted.noarch              3.12.1-34.fc19               @fedora


How reproducible: Consistent


Steps to Reproduce:
1. Create new VM from Fedora 19 Alpha DVD
2. yum update --assumeyes
3. reboot
  
Actual results:

[root@fedora19 ~]# grep qemu-ga /var/log/messages
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419540: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.MRZHWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419605: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[381]: 1367673335.419609: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866733: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.4UROWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866815: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[443]: 1367673335.866819: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881133: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.WK3OWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881174: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[447]: 1367673335.881177: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940321: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.FW5SWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940362: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[455]: 1367673335.940365: critical: failed to load persistent state
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950846: critical: failed to write persistent state to /var/run/qga.state: Failed to create file '/var/run/qga.state.YEETWW': Permission denied
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950894: critical: unable to create state file at path /var/run/qga.state
May  4 08:15:38 fedora19 qemu-ga[457]: 1367673335.950897: critical: failed to load persistent state
May  4 08:15:44 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.MRZHWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.4UROWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.WK3OWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.FW5SWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7
May  4 08:15:45 fedora19 setroubleshoot: SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW. For complete SELinux messages. run sealert -l a028023e-4970-419f-ac33-c04e997b26f7

[root@fedora19 ~]# sealert -l a028023e-4970-419f-ac33-c04e997b26f7
SELinux is preventing qemu-ga from create access on the file qga.state.YEETWW.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qemu-ga should be allowed create access on the qga.state.YEETWW file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qemu-ga /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:virt_qemu_ga_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                qga.state.YEETWW [ file ]
Source                        qemu-ga
Source Path                   qemu-ga
Port                          <Unknown>
Host                          fedora19.hunter.org
Source RPM Packages           qemu-guest-agent-1.4.1-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-34.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora19.hunter.org
Platform                      Linux fedora19.hunter.org 3.9.0-301.fc19.x86_64 #1
                              SMP Mon Apr 29 13:44:05 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-05-04 08:15:35 CDT
Last Seen                     2013-05-04 08:15:35 CDT
Local ID                      a028023e-4970-419f-ac33-c04e997b26f7

Raw Audit Messages
type=AVC msg=audit(1367673335.949:40): avc:  denied  { create } for  pid=457 comm="qemu-ga" name="qga.state.YEETWW" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1367673335.949:40): arch=x86_64 syscall=open success=no exit=EACCES a0=7f57851d27b0 a1=c2 a2=1b6 a3=7fff7ff34920 items=0 ppid=1 pid=457 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)

Hash: qemu-ga,virt_qemu_ga_t,var_run_t,file,create

audit2allow

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t var_run_t:file create;

audit2allow -R
require {
	type var_run_t;
	type virt_qemu_ga_t;
	class file create;
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t var_run_t:file create;


[root@fedora19 ~]# 


Expected results:

no errors


Additional info:

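An added example, not part of this bug report or of the selinux-policy project: a small Python triage script that parses raw AVC records of the shape quoted above, groups them by (source type, target type, class) the way audit2allow does, and flags a create denial against a generic target type such as var_run_t, which, as the fix in this report shows, usually means a file transition rule is missing rather than that the domain should be allowed to write the generic type. The sample records are constructed from lines quoted in this report; the list of generic types is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: raw AVC records copied in shape from the audit.log
# lines quoted in this report (SYSCALL records are ignored by the parser).
SAMPLE_AVC = """\
type=AVC msg=audit(1367673335.949:40): avc:  denied  { create } for  pid=457 comm="qemu-ga" name="qga.state.YEETWW" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { read open } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute } for  pid=1230 comm="qemu-ga" name="systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed list of catch-all object types: a create denial against one of
# these usually points to a missing filetrans rule, not a missing allow.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "var_lib_t", "var_log_t"}

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],   # type field of context
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name") or fields.get("path", ""),
    }
    return rec

def summarize(text):
    """Group denials like audit2allow: key (source, target, class) -> perms."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return grouped

def render_rules(grouped):
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if "create" in perms and tgt in GENERIC_TYPES:
            rule += "  # review: generic type, prefer a filetrans rule"
        rules.append(rule)
    return rules

if __name__ == "__main__":
    for r in render_rules(summarize(SAMPLE_AVC)):
        print(r)
```

Feed it `ausearch -m avc` output and the flagged rule is the one to take to a policy bug report instead of loading it as a local module.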
Comment 1 Miroslav Grepl 2013-05-06 07:32:16 UTC
There was a bug in file transition rules.

commit 2fcfe26b060dab4f006bdfb67ee3771e3c315a51
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 6 09:31:22 2013 +0200

    Allow qemu-ga to create files in /run with proper labeling

Comment 2 Dean Hunter 2013-05-13 07:32:26 UTC
A problem persists in Fedora 19 Beta TC4:

[root@fedora19 ~]# ausearch --message AVC --start today
----
time->Mon May 13 02:19:27 2013
type=SYSCALL msg=audit(1368429567.622:20): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7f9c66c754f0 a2=380 a3=0 items=0 ppid=1 pid=497 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368429567.622:20): avc:  denied  { read } for  pid=497 comm="polkitd" name="machine" dev="cgroup" ino=1327 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 02:20:40 2013
type=SYSCALL msg=audit(1368429640.032:37): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7faa6648b5d0 a2=380 a3=7faa6648c450 items=0 ppid=1 pid=489 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368429640.032:37): avc:  denied  { read } for  pid=489 comm="polkitd" name="machine" dev="cgroup" ino=1329 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 02:22:09 2013
type=SYSCALL msg=audit(1368429729.201:427): arch=c000003e syscall=59 success=no exit=-13 a0=7f603213bb9f a1=7fff592bf840 a2=7fff592c3098 a3=7f60320f5a10 items=0 ppid=387 pid=1240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368429729.201:427): avc:  denied  { execute } for  pid=1240 comm="qemu-ga" name="systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

[root@fedora19 ~]#

Comment 3 Miroslav Grepl 2013-05-13 08:25:10 UTC
These are different. The policykit_t issue has been fixed.

Comment 4 Miroslav Grepl 2013-05-13 08:26:54 UTC
Could you please run

# semanage permissive -a virt_qemu_ga_t

re-test it and

# ausearch -m avc -ts recent

Comment 5 Daniel Walsh 2013-05-13 12:57:07 UTC
polkitd_t AVCs are allowed in selinux-policy-3.12.1-43.fc19

Any idea what qemu-ga is doing executing systemctl?

Comment 6 Dean Hunter 2013-05-13 14:27:36 UTC
[root@fedora19 ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch                      3.12.1-42.fc19              @anaconda
selinux-policy-devel.noarch                3.12.1-42.fc19              @anaconda
selinux-policy-doc.noarch                  3.12.1-42.fc19              @anaconda
selinux-policy-targeted.noarch             3.12.1-42.fc19              @anaconda

[root@fedora19 ~]# ausearch --message AVC --start recent
----
time->Mon May 13 09:22:07 2013
type=SYSCALL msg=audit(1368454927.964:35): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7fd8b0e32200 a2=380 a3=0 items=0 ppid=1 pid=493 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368454927.964:35): avc:  denied  { read } for  pid=493 comm="polkitd" name="machine" dev="cgroup" ino=1345 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.503:423): arch=c000003e syscall=4 success=yes exit=0 a0=7faa06a8c8e8 a1=7fffc9ee63c0 a2=7fffc9ee63c0 a3=0 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.503:423): avc:  denied  { read } for  pid=1230 comm="shutdown" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1368454956.503:423): avc:  denied  { read } for  pid=1230 comm="shutdown" name="root" dev="proc" ino=1156 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.497:422): arch=c000003e syscall=59 success=yes exit=0 a0=7f08e00f6b9f a1=7fffbab0d160 a2=7fffbab109b8 a3=7f08e00b0a10 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute_no_trans } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { read open } for  pid=1230 comm="qemu-ga" path="/usr/bin/systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1368454956.497:422): avc:  denied  { execute } for  pid=1230 comm="qemu-ga" name="systemctl" dev="dm-1" ino=663719 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
time->Mon May 13 09:22:36 2013
type=SYSCALL msg=audit(1368454956.504:424): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fffc9ee61b0 a2=16 a3=7fffc9ee5f60 items=0 ppid=387 pid=1230 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="shutdown" exe="/usr/bin/systemctl" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368454956.504:424): avc:  denied  { connectto } for  pid=1230 comm="shutdown" path="/run/systemd/private" scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
time->Mon May 13 09:23:07 2013
type=SYSCALL msg=audit(1368454987.502:19): arch=c000003e syscall=254 success=no exit=-13 a0=8 a1=7f2d155024f0 a2=380 a3=0 items=0 ppid=1 pid=499 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 ses=4294967295 tty=(none) comm="polkitd" exe="/usr/lib/polkit-1/polkitd" subj=system_u:system_r:policykit_t:s0 key=(null)
type=AVC msg=audit(1368454987.502:19): avc:  denied  { read } for  pid=499 comm="polkitd" name="machine" dev="cgroup" ino=6660 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

[root@fedora19 ~]#

Comment 7 Dean Hunter 2013-05-14 16:56:51 UTC
qemu-guest-agent still has problems with Fedora 19 Beta TC4:

[root@ipa ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.12.1-44.fc19          @updates-testing
selinux-policy-devel.noarch             3.12.1-44.fc19          @updates-testing
selinux-policy-doc.noarch               3.12.1-44.fc19          @updates-testing
selinux-policy-targeted.noarch          3.12.1-44.fc19          @updates-testing

[root@ipa ~]# ausearch --message avc --start today
----
time->Tue May 14 11:34:32 2013
type=AVC msg=audit(1368549272.764:5): avc:  denied  { getattr } for  pid=387 comm="qemu-ga" name="/" dev="tmpfs" ino=1147 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Tue May 14 11:51:18 2013
type=SYSCALL msg=audit(1368550278.154:449): arch=c000003e syscall=59 success=no exit=-13 a0=7ff0c1baeb9f a1=7fffc2019e60 a2=7fffc201d6b8 a3=7ff0c1b68a10 items=0 ppid=387 pid=1638 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="qemu-ga" exe="/usr/bin/qemu-ga" subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(1368550278.154:449): avc:  denied  { execute } for  pid=1638 comm="qemu-ga" name="systemctl" dev="dm-1" ino=140673 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file

[root@ipa ~]# 

The first alert is from about the time the virtual machine was built and restarted. The second alert is from when I tried to shut down the virtual machine.

Comment 8 Miroslav Grepl 2013-05-15 10:46:56 UTC
Ok, going to add fixes.

Comment 9 Dean Hunter 2013-05-23 14:18:20 UTC
Have you identified a version of selinux-policy when this will be fixed?

Comment 10 Dean Hunter 2013-05-23 15:40:12 UTC
The problem persists in Fedora 19 Beta RC3.

Comment 11 Miroslav Grepl 2013-05-24 06:06:32 UTC
Has been fixed in -45.fc19.

http://koji.fedoraproject.org/koji/buildinfo?buildID=419810

Comment 12 Fedora Update System 2013-05-29 14:19:00 UTC
selinux-policy-3.12.1-47.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-47.fc19

Comment 13 Fedora Update System 2013-05-29 17:45:49 UTC
Package selinux-policy-3.12.1-47.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-47.fc19'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2013-9565/selinux-policy-3.12.1-47.fc19
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-05-30 03:33:02 UTC
selinux-policy-3.12.1-47.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

