RHEL-1954

AVC created when named-chroot is enabled and "virsh domfsinfo" command is used

    • selinux-policy-3.14.3-133.el8
    • Low
    • sst_security_selinux
    • ssg_security
    • Release Note Not Required

      Description of problem:

      When named-chroot.service is started, the service creates additional global mounts:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # mount | grep chroot
      [...]
      /dev/mapper/rhel-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Executing "virsh domfsinfo" then generates an AVC on the qemu-ga agent with the default policy (i.e. with "virt_qemu_ga_read_nonsecurity_files" not enabled) when qemu-ga queries the above mount, as seen in the strace below:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      1016 [virt_qemu_ga_t] 13:28:04.673979 statfs("/var/named/chroot/var/named" [named_zone_t], 0x7ffc551cefd0) = -1 EACCES (Permission denied) <0.000042>
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      AVC:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      type=PROCTITLE msg=audit(07/05/2023 13:28:04.672:1448) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --blacklist= -F/etc/qemu-ga/fsfreeze-hoo
      type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x55fcf1a98230 a1=0x7ffc551cefd0 a2=0x7fc9d10dec20 a3=0x55fcf1a84bb0 items=0 ppid=1 pid=1016 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
      type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc: denied { search } for pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Actually, more AVCs are seen just before this one, all related to querying the mount point.

      I think enabling the boolean virt_qemu_ga_read_nonsecurity_files is overkill here.
      I believe adding a dontaudit rule would be preferred, but it's up to you to decide.

      Please discuss this with the SELinux team on the best solution.

      Version-Release number of selected component (if applicable):

      qemu-guest-agent-6.2.0

      How reproducible:

      Always

      Steps to Reproduce:
      1. Install and start the named-chroot service

      # yum -y install bind-chroot
      # systemctl start named-chroot

      2. Query the domain from the host

      $ virsh domfsinfo <domain>

      Actual results:

      Proper result on the host, but the AVC above is logged multiple times

      Expected results:

      No AVC
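As an added illustration (not part of this issue or of the selinux-policy project), the following Python parses ausearch-style AVC records like the one quoted above, groups the denied permissions by source type, target type and object class, and renders the candidate TE rule in the two forms the report contrasts: a `dontaudit` that silences the denial versus an `allow` that permits it. The first AVC record in the sample is constructed to stand in for the earlier mount-point denials the report mentions but does not quote; the second is the record from the issue. On a real system `audit2allow` performs this translation; the point here is to show exactly which fields decide the rule.

```python
import re
from collections import defaultdict

# Constructed sample: one made-up getattr denial on the same directory
# (the report says further denials precede the quoted one but does not
# quote them), the search denial quoted in this issue, and a SYSCALL
# record that the parser must skip.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(07/05/2023 13:28:04.672:1447) : avc: denied { getattr } '
    'for pid=1016 comm=qemu-ga path="/var/named/chroot/var/named" dev="dm-0" '
    'ino=108035 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0\n'
    'type=AVC msg=audit(07/05/2023 13:28:04.672:1448) : avc: denied { search } '
    'for pid=1016 comm=qemu-ga name=named dev="dm-0" ino=108035 '
    'scontext=system_u:system_r:virt_qemu_ga_t:s0 '
    'tcontext=system_u:object_r:named_zone_t:s0 tclass=dir permissive=0\n'
    'type=SYSCALL msg=audit(07/05/2023 13:28:04.672:1448) : arch=x86_64 '
    'syscall=statfs success=no exit=EACCES(Permission denied) comm=qemu-ga\n'
)

# "avc: denied { perm perm } for key=value ..." as printed by ausearch -i.
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (dev="dm-0") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'verdict', 'perms', 'fields'} for one AVC record, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": sorted(m.group("perms").split()),
        "fields": fields,
    }


def parse_audit(text):
    """Parse every AVC record in a block of audit output, skipping the rest."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """Type field of user:role:type[:mls]; index 2 is stable even with MLS ranges."""
    return context.split(":")[2]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        f = r["fields"]
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        groups[key].update(r["perms"])
    return groups


def te_rules(groups, kind="dontaudit"):
    """Render each group as a TE rule: dontaudit silences it, allow permits it."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    groups = summarize(parse_audit(SAMPLE_AUDIT))
    for rule in te_rules(groups) + te_rules(groups, "allow"):
        print(rule)
```

The dontaudit form keeps the denial in place (qemu-ga still gets EACCES, which `virsh domfsinfo` tolerates) and only stops the audit noise, which is why the reporter prefers it over enabling a boolean that would grant virt_qemu_ga_t real read access to non-security files.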

            rhn-support-zpytela Zdenek Pytela
            rhn-support-rmetrich Renaud Métrich
            Amith Kumar Peethambaran