- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.3.0
- selinux-policy-38.1.38-1.el9
- Moderate
- rhel-sst-security-selinux
- ssg_security
- 15
- False
- Yes
- Enhancement
- Done
- All
Originally the new boolean `virt_qemu_ga_run_unconfined` was introduced in RHEL 8.9 as part of BZ https://bugzilla.redhat.com/show_bug.cgi?id=2093355.
This was done to help `qemu-guest-agent` run commands on the host which were otherwise denied by SELinux, since `qemu-guest-agent` used to run in the confined context `virt_qemu_ga_t`.
It was meant to transition it to `virt_qemu_ga_unconfined_t`, which is unconfined:

```
type_transition virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:process virt_qemu_ga_unconfined_t; [ virt_qemu_ga_run_unconfined ]:True
```
One of our customers, on case 03777731, says that this particular boolean `virt_qemu_ga_run_unconfined` was also supposed to be introduced in RHEL 9.3 (because it is mentioned in our RHEL 9.3 release notes, so they expect this change to also be present in RHEL 9.3), but it is not visible in RHEL 9.3 even with the latest RHEL 9.3 SELinux rpms.
We see that our RHEL 9.3 release notes reference this bug: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/9.3_release_notes/index#new-features-security

> New SELinux boolean to allow QEMU Guest Agent executing confined commands
> Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the unconfined_t domain. Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to make the transition to the unconfined domain. In addition, the necessary rules for transitions for the qemu-ga daemon have been added to the SELinux policy boolean. As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined boolean. Bugzilla:2093355

I tested this with the latest RHEL 9.3 selinux rpms and we do not see this.

```
# rpm -qa | grep selinux-policy
selinux-policy-38.1.23-1.el9_3.2.noarch
selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
selinux-policy-devel-38.1.23-1.el9_3.2.noarch
# getsebool -a | grep virt_qemu_ga_run_unconfined
>> (No output)
```
We have also checked and found that the rules which are allowed by the boolean in RHEL 8.9 seem to be allowed by default on RHEL 9.3 without the boolean.

Rules in RHEL 8.9

```
# sesearch -TA -b virt_qemu_ga_run_unconfined
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_qemu_ga_run_unconfined ]:False
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fd use; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fifo_file { append getattr ioctl lock read write }; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:process sigchld; [ virt_qemu_ga_run_unconfined ]:True
type_transition virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:process virt_qemu_ga_unconfined_t; [ virt_qemu_ga_run_unconfined ]:True
```

Rules in RHEL 9.3

```
# sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_exec_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow virt_qemu_ga_t file_type:filesystem getattr;
allow virt_qemu_ga_t non_security_file_type:dir { getattr ioctl lock open read search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t non_security_file_type:file { getattr ioctl lock open read }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t non_security_file_type:lnk_file { getattr read }; [ virt_qemu_ga_read_nonsecurity_files ]:True
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir { getattr ioctl lock open read search };
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_t -c process
allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition;
# sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t -c fd
allow domain domain:fd use; [ domain_fd_use ]:True
allow unconfined_domain_type domain:fd use;
# sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t -c fifo_file
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
# sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t -c process
allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
```

So it seems like this functionality is available in RHEL 9.3 even without the use of the boolean. Is this expected behavior?
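The comparison above was done by eye across two `sesearch` outputs. The following script is an added example (not part of this report or of selinux-policy) that automates it: it parses `sesearch` rule lines, picks out the rules gated on a boolean in one policy, and checks whether the other policy grants the same permissions unconditionally, expanding attribute-level rules (such as `allow unconfined_domain_type domain:fd use;`) to the concrete types. The sample lines are copied from the outputs in this report; the attribute membership table `ATTRS` is an assumption constructed for illustration, and the RHEL 9.3 sample contains only the `allow` rules that were queried, so the `type_transition` rule is reported as not covered by that output, which is a reminder that a `-T` query is needed to confirm the transition itself.

```python
"""Compare boolean-gated SELinux rules from one policy against the
unconditional rules of another, using sesearch output lines."""
import re
from dataclasses import dataclass
from typing import Optional

# One sesearch line: "allow src tgt:cls { perms }; [ bool ]:True" or
# "type_transition src tgt:cls default_type; [ bool ]:True".  The
# "[ bool ]:value" suffix is only present for conditional rules.
RULE_RE = re.compile(
    r"^(?P<kind>allow|type_transition)\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<body>\{[^}]*\}|[^;\s]+);(?:\s*\[\s*(?P<bool>\S+)\s*\]:(?P<val>True|False))?\s*$"
)


@dataclass(frozen=True)
class Rule:
    kind: str
    src: str
    tgt: str
    cls: str
    perms: frozenset        # permissions, or {default_type} for type_transition
    cond: Optional[tuple]   # (boolean_name, value) or None when unconditional


def parse_sesearch(text: str) -> list:
    """Parse sesearch output; echoed '# sesearch' commands and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sesearch line: {line!r}")
        body = m.group("body").strip("{} ").split()
        cond = (m.group("bool"), m.group("val") == "True") if m.group("bool") else None
        rules.append(Rule(m.group("kind"), m.group("src"), m.group("tgt"),
                          m.group("cls"), frozenset(body), cond))
    return rules


def gated_by(rules, boolean: str, value: bool = True) -> list:
    """Rules that apply only when `boolean` has the given value."""
    return [r for r in rules if r.cond == (boolean, value)]


def _expand(name: str, attrs: dict) -> set:
    # A rule written on an attribute applies to every type carrying that attribute.
    return attrs.get(name, {name})


def coverage(gated, other, attrs: dict) -> dict:
    """Map each gated rule to True if `other` grants at least the same permissions
    (or the same transition target) unconditionally, after attribute expansion."""
    result = {}
    for g in gated:
        granted = set()
        for u in other:
            if (u.cond is None and u.kind == g.kind and u.cls == g.cls
                    and g.src in _expand(u.src, attrs) and g.tgt in _expand(u.tgt, attrs)):
                granted |= u.perms
        result[g] = g.perms <= granted
    return result


# Sample input: the RHEL 8.9 `sesearch -TA -b virt_qemu_ga_run_unconfined` output from the report.
RHEL89_SESEARCH = """
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_qemu_ga_run_unconfined ]:False
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fd use; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fifo_file { append getattr ioctl lock read write }; [ virt_qemu_ga_run_unconfined ]:True
allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:process sigchld; [ virt_qemu_ga_run_unconfined ]:True
type_transition virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:process virt_qemu_ga_unconfined_t; [ virt_qemu_ga_run_unconfined ]:True
"""

# Sample input: the relevant RHEL 9.3 `sesearch --allow` lines from the report (allow rules only).
RHEL93_SESEARCH = """
# sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_exec_t
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition;
allow domain domain:fd use; [ domain_fd_use ]:True
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
"""

# Assumed attribute membership for the two types; on a real host derive it with seinfo.
ATTRS = {
    "unconfined_domain_type": {"virt_qemu_ga_unconfined_t"},
    "domain": {"virt_qemu_ga_t", "virt_qemu_ga_unconfined_t"},
}


def report(boolean: str = "virt_qemu_ga_run_unconfined") -> dict:
    """Which rules enabled by `boolean` in the 8.9 sample are unconditional in the 9.3 sample."""
    gated = gated_by(parse_sesearch(RHEL89_SESEARCH), boolean)
    cov = coverage(gated, parse_sesearch(RHEL93_SESEARCH), ATTRS)
    return {f"{r.kind} {r.src} {r.tgt}:{r.cls}": ok for r, ok in cov.items()}


if __name__ == "__main__":
    for rule, covered in report().items():
        print(("covered     " if covered else "NOT covered ") + rule)
```

Running it lists the five `allow` rules from the boolean's `True` branch as covered unconditionally in the 9.3 sample and flags only the `type_transition` as not covered, because that sample never queried transitions. The point of the attribute expansion is that `sesearch -s <type>` already resolves attributes for you, but when you diff outputs taken from two hosts the rule text still names the attribute, so a naive line-by-line diff would miss the `unconfined_domain_type`/`domain` rules that grant the `fd`, `fifo_file` and `process` permissions.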
Also I see that this boolean, although available in RHEL 8.9, is not referenced in the RHEL 8.9 release notes: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.9_release_notes/index#new-features-security
What were you trying to do that didn't work?
The release notes of RHEL 9.3 reference the boolean `virt_qemu_ga_run_unconfined`; however, RHEL 9.3 does not include this boolean, whereas RHEL 8.9 does.
And while RHEL 9.3 does not include this boolean, the rules which are allowed in RHEL 8.9 appear to now be allowed without the use of the boolean. See also the notes above.
Please provide the package NVR for which bug is seen:

```
[root@rhel8 ~]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.14.3-128.el8_9.1.noarch
selinux-policy-3.14.3-128.el8_9.1.noarch
[root@rhel9 ~]# rpm -qa | grep selinux-policy
selinux-policy-38.1.23-1.el9_3.2.noarch
selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
```
How reproducible:
Every time
Steps to reproduce
- Check the presence of the boolean in both RHEL 8.9 and RHEL 9.3

```
[root@rhel8 ~]# getsebool -a | grep virt_qemu_ga_run_unconfined
virt_qemu_ga_run_unconfined --> on
[root@rhel9 ~]# getsebool -a | grep virt_qemu_ga_run_unconfined
[root@rhel9 ~]#
```
Expected results
I think we should add the boolean functionality to RHEL 9.3, similar to RHEL 8.9, or update the RHEL 9.3 release notes to remove the section related to the boolean.
Actual results
Currently the release notes reference the boolean, which is not available in RHEL 9.3. Also, RHEL 9.3 currently has the same SELinux rules without the boolean, so I am unsure if this is expected behavior or not.
Additional notes
I also tested the qemu-guest-agent command usage on RHEL 8.9 along with the new boolean; however, I see that the mount command still fails. I think I will raise a separate Jira for that issue.
- links to: RHBA-2024:130707 selinux-policy bug fix and enhancement update