1. Start with a freshly installed system; /var/log/qga-fsfreeze-hook.log does not exist yet.
2. Create a simple hook script:
$ cat /etc/qemu-ga/fsfreeze-hook.d/foo.sh
#!/bin/bash
echo "foo" >> /tmp/bar
3. Run a freeze and a thaw from the hypervisor:
$ virsh domfsfreeze 1 && virsh domfsthaw 1
4. The file /var/log/qga-fsfreeze-hook.log now exists, with a context that allows the script to write to it:
$ ls -lZ /var/log/qga-fsfreeze-hook.log
rw------. 1 root root system_u:object_r:virt_qemu_ga_log_t:s0 342 Aug 1 10:18 /var/log/qga-fsfreeze-hook.log
5. And the script ran fine:
$ cat /var/log/qga-fsfreeze-hook.log
Thu Aug 1 10:18:24 AEST 2024: execute /etc/qemu-ga/fsfreeze-hook.d/foo.sh freeze
Thu Aug 1 10:18:24 AEST 2024: /etc/qemu-ga/fsfreeze-hook.d/foo.sh finished with status=0
Thu Aug 1 10:18:24 AEST 2024: execute /etc/qemu-ga/fsfreeze-hook.d/foo.sh thaw
Thu Aug 1 10:18:24 AEST 2024: /etc/qemu-ga/fsfreeze-hook.d/foo.sh finished with status=0
$ cat /tmp/bar
foo
foo
6. Here comes the problem: the file context rules shipped with the SELinux policy change that context on the first restorecon:
$ restorecon -Rv /var/log/
Relabeled /var/log/qga-fsfreeze-hook.log from system_u:object_r:virt_qemu_ga_log_t:s0 to system_u:object_r:var_log_t:s0
This happens because there is no specific fcontext rule for that path, so the file simply inherits the label of /var/log (var_log_t):
$ semanage fcontext -l | egrep 'qemu-ga|qga'
/etc/qemu-ga/fsfreeze-hook.d(/.*)? all files system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0
/usr/bin/qemu-ga regular file system_u:object_r:virt_qemu_ga_exec_t:s0
/usr/libexec/qemu-ga(/.*)? all files system_u:object_r:virt_qemu_ga_exec_t:s0
/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? all files system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0
/var/log/qemu-ga(/.*)? all files system_u:object_r:virt_qemu_ga_log_t:s0
/var/log/qemu-ga\.log.* regular file system_u:object_r:virt_qemu_ga_log_t:s0
/var/run/qemu-ga/fsfreeze-hook.d(/.*)? all files system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0
/var/run/qemu-ga\.pid regular file system_u:object_r:virt_qemu_ga_var_run_t:s0
/var/run/qga\.state regular file system_u:object_r:virt_qemu_ga_var_run_t:s0
7. Now it is all broken: the script no longer runs, because /etc/qemu-ga/fsfreeze-hook fails with AVC denials when it tries to open the log:
type=AVC msg=audit(1722471811.766:158): avc: denied { open } for pid=1928 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.766:159): avc: denied { open } for pid=1928 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.766:160): avc: denied { open } for pid=1933 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.766:161): avc: denied { open } for pid=1933 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.769:162): avc: denied { open } for pid=1928 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.769:163): avc: denied { open } for pid=1928 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.818:164): avc: denied { open } for pid=1936 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.818:165): avc: denied { open } for pid=1936 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.818:166): avc: denied { open } for pid=1941 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.819:167): avc: denied { open } for pid=1941 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.819:168): avc: denied { open } for pid=1936 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1722471811.819:169): avc: denied { open } for pid=1936 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
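As an added illustration (not part of the report), the following Python models why restorecon relabels the file and how to triage the resulting AVC: it picks the winning fcontext rule the way restorecon does, shows that a local rule for /var/log/qga-fsfreeze-hook\.log (an assumed fix, not one the page supplies) stops the relabel, and classifies the denial from step 7. The qemu-ga rules and the AVC line are copied from the page; the /var/log base rule is the distribution's generic one.

```python
import re

# Subset of the page's fcontext table in file_contexts order (least specific
# first); /var/log(/.*)? -> var_log_t is the distribution's base rule that the
# new log file ends up inheriting from.
BASE_RULES = [
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/log/qemu-ga(/.*)?", "virt_qemu_ga_log_t"),
    (r"/var/log/qemu-ga\.log.*", "virt_qemu_ga_log_t"),
]
# Proposed local rule (an assumption, not something the page ships), i.e.
#   semanage fcontext -a -t virt_qemu_ga_log_t '/var/log/qga-fsfreeze-hook\.log'
LOCAL_FIX = (r"/var/log/qga-fsfreeze-hook\.log", "virt_qemu_ga_log_t")
# One denial copied from the report's audit log.
SAMPLE_AVC = ('type=AVC msg=audit(1722471811.766:158): avc: denied { open } '
              'for pid=1928 comm="fsfreeze-hook" path="/var/log/qga-fsfreeze-hook.log" '
              'dev="vda4" ino=25175329 scontext=system_u:system_r:virt_qemu_ga_t:s0 '
              'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?\bpath="(?P<path>[^"]+)"'
                    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)')

def fc_lookup(path, rules):
    """Type restorecon assigns: the most specific matching regex wins. In this
    model rules are listed least specific first, so the last full match wins."""
    winner = None
    for regex, ftype in rules:
        if re.fullmatch(regex, path):
            winner = ftype
    return winner

def will_relabel(path, current_type, rules):
    """True if restorecon would move the file away from the type it was created
    with by type_transition (the step 6 relabel)."""
    return fc_lookup(path, rules) != current_type

def parse_avc(line):
    """Extract permission, path, source domain and target type from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perm": m.group("perm"), "path": m.group("path"),
            "sdomain": m.group("scontext").split(":")[2],   # virt_qemu_ga_t
            "ttype": m.group("tcontext").split(":")[2]}      # var_log_t

def triage(line, rules):
    """'label-matches-rules': the rules themselves yield the denied label (a rule
    is missing); 'label-drifted': on-disk label disagrees, restorecon fixes it."""
    avc = parse_avc(line)
    return ("label-matches-rules" if fc_lookup(avc["path"], rules) == avc["ttype"]
            else "label-drifted")
```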