RHEL-31211

RHEL 9.3 release notes mention the addition of new boolean `virt_qemu_ga_run_unconfined` but it's only available on RHEL 8.9

    • selinux-policy-38.1.38-1.el9
      SELinux policy defines a new boolean called virt_qemu_ga_run_unconfined, related types and rules. SELinux policy for RHEL-8.10 and RHEL-9.5 should be the same in this area.
      .New SELinux boolean to allow QEMU Guest Agent executing confined commands

      Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as `mount`, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the `guest-agent` must run in the `virt_qemu_ga_unconfined_t` domain.

      Therefore, this update adds the SELinux policy boolean `virt_qemu_ga_run_unconfined` that allows `guest-agent` to make the transition to `virt_qemu_ga_unconfined_t` for executables located in any of the following directories:

      * `/etc/qemu-ga/fsfreeze-hook.d/`
      * `/usr/libexec/qemu-ga/fsfreeze-hook.d/`
      * `/var/run/qemu-ga/fsfreeze-hook.d/`

      In addition, the necessary rules for transitions for the `qemu-ga` daemon have been added to the SELinux policy boolean.

      As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the `virt_qemu_ga_run_unconfined` boolean.

      Originally the new boolean `virt_qemu_ga_run_unconfined` was introduced in RHEL 8.9 as part of the BZ https://bugzilla.redhat.com/show_bug.cgi?id=2093355

      This was done to help `qemu-guest-agent` run commands on the host which were otherwise denied by SELinux, since `qemu-guest-agent` used to run in a confined context `virt_qemu_ga_t`.

      It was meant to transition it to `virt_qemu_ga_unconfined_t`, which is unconfined.

      type_transition virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:process virt_qemu_ga_unconfined_t; [ virt_qemu_ga_run_unconfined ]:True

      One of our customers on case 03777731 says that this particular boolean `virt_qemu_ga_run_unconfined` was supposed to be also introduced in RHEL 9.3 (because it is mentioned in our RHEL 9.3 release notes, so they expect this change is also present in RHEL 9.3), but it's not visible in RHEL 9.3 even with the latest RHEL 9.3 SELinux rpms.

      We see that our RHEL 9.3 release notes reference this bug - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/9.3_release_notes/index#new-features-security

      New SELinux boolean to allow QEMU Guest Agent executing confined commands
      
      Previously, commands that were supposed to execute in a confined context through the QEMU Guest Agent daemon program, such as mount, failed with an Access Vector Cache (AVC) denial. To be able to execute these commands, the guest-agent must run in the unconfined_t domain.
      
      Therefore, this update adds the SELinux policy boolean virt_qemu_ga_run_unconfined that allows guest-agent to make the transition to the unconfined domain. In addition, the necessary rules for transitions for the qemu-ga daemon have been added to the SELinux policy boolean.
      
      As a result, you can now execute confined commands through the QEMU Guest Agent without AVC denials by enabling the virt_qemu_ga_run_unconfined boolean.
      
      Bugzilla:2093355
      

      I tested this with latest RHEL 9.3 selinux rpms and we do not see this.

      # rpm -qa | grep selinux-policy
      selinux-policy-38.1.23-1.el9_3.2.noarch
      selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
      selinux-policy-devel-38.1.23-1.el9_3.2.noarch
      
      # getsebool -a | grep virt_qemu_ga_run_unconfined
      >> (No output)
      

      We have also checked and found that the rules which were allowed by the boolean in RHEL 8.9 seem to be allowed by default on RHEL 9.3 without the boolean.

      Rules in RHEL 8.9

      # sesearch -TA -b virt_qemu_ga_run_unconfined
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl lock map open read }; [ virt_qemu_ga_run_unconfined ]:False
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ virt_qemu_ga_run_unconfined ]:True
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition; [ virt_qemu_ga_run_unconfined ]:True
      allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fd use; [ virt_qemu_ga_run_unconfined ]:True
      allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:fifo_file { append getattr ioctl lock read write }; [ virt_qemu_ga_run_unconfined ]:True
      allow virt_qemu_ga_unconfined_t virt_qemu_ga_t:process sigchld; [ virt_qemu_ga_run_unconfined ]:True
      type_transition virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:process virt_qemu_ga_unconfined_t; [ virt_qemu_ga_run_unconfined ]:True
      

      Rules in RHEL 9.3

      # sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_exec_t  
      allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
      allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
      allow domain file_type:file map; [ domain_can_mmap_files ]:True
      allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
      allow virt_qemu_ga_t file_type:filesystem getattr;
      allow virt_qemu_ga_t non_security_file_type:dir { getattr ioctl lock open read search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t non_security_file_type:dir { getattr open search }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t non_security_file_type:file { getattr ioctl lock open read }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t non_security_file_type:lnk_file { getattr read }; [ virt_qemu_ga_read_nonsecurity_files ]:True
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir { getattr ioctl lock open read search };
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file { execute execute_no_trans getattr ioctl map open read };
      
      # sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_t  -c process
      allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition;
      
      # sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t  -c fd 
      allow domain domain:fd use; [ domain_fd_use ]:True
      allow unconfined_domain_type domain:fd use;
      
      # sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t  -c fifo_file
      allow unconfined_domain_type domain:fifo_file { append getattr ioctl lock open read write };
      
      # sesearch --allow -s virt_qemu_ga_unconfined_t -t virt_qemu_ga_t  -c process
      allow unconfined_domain_type domain:process ptrace; [ deny_ptrace ]:False
      allow unconfined_domain_type domain:process { fork getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setcurrent setexec setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share sigchld siginh sigkill signal signull sigstop };
      

      So it seems like this functionality is available in RHEL 9.3 even without the use of the boolean. Is this expected behavior?

      Also I see that this boolean, although available in RHEL 8.9, is not referenced in the RHEL 8.9 release notes - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.9_release_notes/index#new-features-security

      What were you trying to do that didn't work?

      The release notes of RHEL 9.3 reference the boolean `virt_qemu_ga_run_unconfined`; however, RHEL 9.3 does not include this boolean, while RHEL 8.9 does.
      And while RHEL 9.3 does not include this boolean, the rules which are allowed in RHEL 8.9 appear to now be allowed without the use of the boolean. See also the notes above.

      Please provide the package NVR for which bug is seen:

      [root@rhel8 ~]# rpm -qa | grep selinux-policy
      selinux-policy-targeted-3.14.3-128.el8_9.1.noarch
      selinux-policy-3.14.3-128.el8_9.1.noarch
      
      [root@rhel9 ~]# rpm -qa | grep selinux-policy
      selinux-policy-38.1.23-1.el9_3.2.noarch
      selinux-policy-targeted-38.1.23-1.el9_3.2.noarch
      

      How reproducible:

      Every time

      Steps to reproduce

      1. Check the presence of the boolean in both RHEL 8.9 and RHEL 9.3
        [root@rhel8 ~]# getsebool -a | grep virt_qemu_ga_run_unconfined
        virt_qemu_ga_run_unconfined --> on
        
        [root@rhel9 ~]# getsebool -a | grep virt_qemu_ga_run_unconfined
        [root@rhel9 ~]# 
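
      An added helper, not part of this issue or of the selinux-policy project, that makes the comparison above mechanical: it reads sesearch and getsebool output and reports whether a given rule is gated by a boolean, granted unconditionally, or absent, and whether a boolean exists in the loaded policy at all. The sample lines are copied from the outputs quoted in this issue; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the selinux-policy project).
# classify_rule PREFIX: read sesearch output on stdin and report whether the
# rule starting with PREFIX is gated by a boolean, unconditional, or absent.
classify_rule() {
    prefix=$1
    # -F: fixed-string match, so ":" and ";" in the prefix are literal.
    line=$(grep -F -- "$prefix" | head -n 1)
    if [ -z "$line" ]; then
        echo "absent"
        return 0
    fi
    case "$line" in
        *'['*']:'*)
            # Conditional rule, e.g. "...; [ virt_qemu_ga_run_unconfined ]:True"
            bool=$(printf '%s\n' "$line" | sed -e 's/.*\[ *//' -e 's/ *\].*//')
            state=$(printf '%s\n' "$line" | sed -e 's/.*\]://')
            echo "conditional $bool $state"
            ;;
        *)
            echo "unconditional"
            ;;
    esac
}

# boolean_state NAME: read "getsebool -a" output on stdin; print on/off when
# the boolean is defined, "missing" when the loaded policy has no such boolean.
boolean_state() {
    state=$(grep -- "^$1 -->" | awk '{print $3}')
    if [ -z "$state" ]; then echo "missing"; else echo "$state"; fi
}

# Constructed samples, copied from the sesearch/getsebool output quoted above.
TRANSITION='allow virt_qemu_ga_t virt_qemu_ga_unconfined_t:process transition;'
RHEL89_RULES="$TRANSITION [ virt_qemu_ga_run_unconfined ]:True"
RHEL93_RULES="$TRANSITION"
RHEL89_BOOLS='virt_qemu_ga_run_unconfined --> on'

printf '%s\n' "$RHEL89_RULES" | classify_rule "$TRANSITION"  # conditional virt_qemu_ga_run_unconfined True
printf '%s\n' "$RHEL93_RULES" | classify_rule "$TRANSITION"  # unconditional
printf '%s\n' "$RHEL89_BOOLS" | boolean_state virt_qemu_ga_run_unconfined  # on
printf ''                     | boolean_state virt_qemu_ga_run_unconfined  # missing

# On a live system with setools installed, feed the real output instead:
#   sesearch -A -s virt_qemu_ga_t -t virt_qemu_ga_unconfined_t -c process | classify_rule "$TRANSITION"
#   getsebool -a | boolean_state virt_qemu_ga_run_unconfined
```

      A rule that reports "unconditional" on RHEL 9.3 but "conditional ... True" on RHEL 8.9 is exactly the situation described in this issue: the access is granted either way, but only one policy exposes a boolean to switch it off.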
        

      Expected results

      I think we should add the boolean functionality to RHEL 9.3 similar to RHEL 8.9 or update the RHEL 9.3 release notes to remove the section related to the boolean.

      Actual results

      Currently the release notes reference the boolean, which is not available in RHEL 9.3. Also, RHEL 9.3 currently has the same SELinux rules without the boolean, so I am unsure if this is expected behavior or not.

      Additional notes

      I also tested the qemu-guest-agent command usage on RHEL 8.9 along with the new boolean; however, I see that the mount command still fails. I think I will raise a separate Jira for that issue.

              Zdenek Pytela
              Ameya Patil
              Milos Malik
              Jan Fiala
              Votes: 1
              Watchers: 10