RHEL-52476

qemu-ga generates "dac_override" and "dac_read_search" AVCs when freezing/thawing


    • Fixed in build: selinux-policy-38.1.53-5.el9_6
    • Severity: Moderate
    • Component: rhel-security-selinux
    • Product: Red Hat Enterprise Linux
    • Sprints: SELINUX 241106 - 241127, SELINUX 241127 - 241218
    • Release note type: Bug Fix
    • Release note text:

      .Rule to allow `dac_override` and `dac_read_search` for `qemu-guest-agent` added to the SELinux policy

      Previously, the SELinux policy did not have rules to allow `qemu-guest-agent` the `dac_override` and `dac_read_search` capabilities. As a consequence, freezing and thawing virtual machine file systems did not work properly when the file system mount point DAC permission did not grant access to the user root. This update has added the missing rule to the policy. As a result, `fsfreeze`, which is an important `qemu-ga` command for creating consistent snapshots, works correctly.
    • Status: Done

      What were you trying to do that didn't work?

      When freezing/thawing the file systems of a QEMU/KVM VM, the following AVCs are generated if a mount point is not owned by root:

      allow virt_qemu_ga_t self:capability { dac_override dac_read_search };
      
      type=PROCTITLE msg=audit(08/02/2024 09:14:51.317:90) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest- 
      type=SYSCALL msg=audit(08/02/2024 09:14:51.317:90) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55e03ce2bfc0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
      type=AVC msg=audit(08/02/2024 09:14:51.317:90) : avc:  denied  { dac_override } for  pid=871 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      type=AVC msg=audit(08/02/2024 09:14:51.317:90) : avc:  denied  { dac_read_search } for  pid=871 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      

      This AVC can be fixed by enabling virt_qemu_ga_manage_ssh, but this has to be considered a workaround, because the boolean is unrelated.

      The reason for getting this is that the mount table is parsed and then the file systems are opened.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.35-2.el9_4.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Create a disk image
        # truncate -s 1G /root/renaud.img
        # mkfs.xfs /root/renaud.img
        # mkdir /var/lib/renaud
        
      2. Mount the disk image and change permissions
        # mount /root/renaud.img /var/lib/renaud
        # chown renaud:users /var/lib/renaud
        # restorecon -Fr /var/lib/renaud
        
      3. Execute "thaw" from the hypervisor
        $ virsh qemu-agent-command --domain rhel9 '{ "execute" : "guest-fsfreeze-thaw" }'

      Expected results

      No AVC

      Actual results

      type=PROCTITLE msg=audit(08/02/2024 09:34:59.765:124) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest- 
      type=SYSCALL msg=audit(08/02/2024 09:34:59.765:124) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x560a41583fb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1974 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
      type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_override } for  pid=1974 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_read_search } for  pid=1974 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      
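The report's reproducer and its proper fix, as an added example that is not part of the bug report or of the selinux-policy project: the script turns the reporter's AVC records into a minimal local CIL module that grants exactly the two missing capabilities to virt_qemu_ga_t, instead of enabling the unrelated virt_qemu_ga_manage_ssh boolean. The sample AVC lines are the ones from the report, embedded so the conversion can be exercised without a VM; the module path /root/qemu_ga_dac.cil, the domain name rhel9 and the guest-versus-hypervisor split are assumptions. sesearch comes from setools-console; semodule accepts a .cil file directly.

```shell
#!/bin/bash
# Added example for RHEL-52476 (not from the bug report): derive a minimal
# local policy module from the qemu-ga capability denials and verify it.
# Paths, the domain name "rhel9" and the module file name are assumptions.
set -eu

# Constructed sample: the two AVC records from the report as `ausearch -i`
# prints them, embedded so the parsing step can run offline.
SAMPLE_AVCS='type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_override } for  pid=1974 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0
type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_read_search } for  pid=1974 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0'

# Turn "denied { perm } ... scontext=u:r:T:s0 tcontext=u:r:T:s0 tclass=capability"
# records on stdin into one CIL rule per source domain. Only self:capability
# denials are converted; any other denial is left for manual review instead
# of being allowed blindly, which is the usual audit2allow trap.
avc_to_cil() {
    awk '
    /avc: +denied/ && /tclass=capability/ {
        perm = ""; src = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        }
        if (perm != "" && src != "" && src == tgt &&
            index(" " perms[src], " " perm " ") == 0)
            perms[src] = perms[src] perm " "
    }
    END {
        for (src in perms) {
            p = perms[src]; sub(/ $/, "", p)
            printf "(allow %s self (capability (%s)))\n", src, p
        }
    }'
}

# Guest side: the reporter's reproducer, a mount point whose DAC owner is not root.
guest_setup() {
    truncate -s 1G /root/renaud.img
    mkfs.xfs /root/renaud.img
    mkdir -p /var/lib/renaud
    mount /root/renaud.img /var/lib/renaud
    chown renaud:users /var/lib/renaud
    restorecon -Fr /var/lib/renaud
}

# Guest side: does the loaded policy already allow the capabilities? A policy
# with the fix (selinux-policy-38.1.53-5.el9_6 or later) answers yes here,
# and the local module is then unnecessary.
policy_has_rule() {
    sesearch --allow -s virt_qemu_ga_t -t virt_qemu_ga_t -c capability \
        -p dac_override,dac_read_search | grep -q 'virt_qemu_ga_t'
}

# Guest side: build the module from the live audit log, load it, and confirm
# the rule is now present before retrying the agent command from the host.
guest_fix() {
    mod=/root/qemu_ga_dac.cil      # assumed location
    {
        echo ';; RHEL-52476: remove once the distribution policy carries this rule'
        ausearch -m AVC -c qemu-ga -i | avc_to_cil
    } > "$mod"
    semodule -i "$mod"
    policy_has_rule
}

# Hypervisor side: the thaw request that triggered the denials in the report.
host_thaw() {
    virsh qemu-agent-command --domain rhel9 '{ "execute" : "guest-fsfreeze-thaw" }'
}

case "${1:-}" in
    setup) guest_setup ;;
    fix)   guest_fix ;;
    thaw)  host_thaw ;;
    *)     printf '%s\n' "$SAMPLE_AVCS" | avc_to_cil ;;   # dry run on the sample
esac
```

Run it with no argument to see the rule the sample produces, `setup` and `fix` inside the guest as root, and `thaw` on the hypervisor. The sesearch check is the part worth keeping after the fix lands: once the distribution policy carries the rule, `semodule -r qemu_ga_dac` retires the local override so the two grants are not carried twice. Note what the rule means in trust terms: with dac_override and dac_read_search, the agent's root process can open any path regardless of DAC mode bits, which is exactly the width of access the fixed policy grants too; the unrelated boolean would have added ssh-key management permissions on top of that for no reason.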

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Daniel Berrangé
              Zdenek Pytela
              Milos Malik
              Jan Fiala