RHEL-52476

qemu-ga generates "dac_override" and "dac_read_search" AVCs when freezing/thawing


      What were you trying to do that didn't work?

      When freezing/thawing the file systems of a QEMU/KVM VM, the following AVCs are generated if a mount point is not owned by root:

      allow virt_qemu_ga_t self:capability { dac_override dac_read_search };
      
      type=PROCTITLE msg=audit(08/02/2024 09:14:51.317:90) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest- 
      type=SYSCALL msg=audit(08/02/2024 09:14:51.317:90) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55e03ce2bfc0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=871 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
      type=AVC msg=audit(08/02/2024 09:14:51.317:90) : avc:  denied  { dac_override } for  pid=871 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      type=AVC msg=audit(08/02/2024 09:14:51.317:90) : avc:  denied  { dac_read_search } for  pid=871 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      

      The AVCs disappear when the virt_qemu_ga_manage_ssh boolean is enabled, but that has to be considered a workaround, because the boolean is unrelated to this operation.

      The denials occur because qemu-ga parses the mount table and then opens each mounted file system; the openat() on a mount point that is not owned by root is what triggers the dac_override / dac_read_search capability checks.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.35-2.el9_4.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Create a disk image and a mount point
        # truncate -s 1G /root/renaud.img
        # mkfs.xfs /root/renaud.img
        # mkdir /var/lib/renaud

      2. Mount the disk image and change the owner of the mount point to a non-root user
        # mount /root/renaud.img /var/lib/renaud
        # chown renaud:users /var/lib/renaud
        # restorecon -Fr /var/lib/renaud

      3. Execute "thaw" from the hypervisor
        $ virsh qemu-agent-command --domain rhel9 '{ "execute" : "guest-fsfreeze-thaw" }'

      Expected results

      No AVC

      Actual results

      type=PROCTITLE msg=audit(08/02/2024 09:34:59.765:124) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest- 
      type=SYSCALL msg=audit(08/02/2024 09:34:59.765:124) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x560a41583fb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=1974 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null) 
      type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_override } for  pid=1974 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
      type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_read_search } for  pid=1974 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0 
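      The allow rule quoted in the description is what audit2allow derives from the two AVC records above. As an added illustration (not part of this issue or of the selinux-policy project), the following Python script parses interpreted audit records of the kind shown (e.g. the output of `ausearch -m AVC -c qemu-ga -i`), filters them by the command name, and collapses the denied permissions into one rule per (source type, target type, class), writing the target as `self` when it equals the source. The embedded sample records are copied from the actual results of this issue; the regular expression and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records from the actual results of this
# issue, in the interpreted (ausearch -i) format shown there.
SAMPLE_AVCS = """\
type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_override } for  pid=1974 comm=qemu-ga capability=dac_override  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0
type=AVC msg=audit(08/02/2024 09:34:59.765:124) : avc:  denied  { dac_read_search } for  pid=1974 comm=qemu-ga capability=dac_read_search  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0
"""

# Matches the denied permission set, the command, and the three context fields
# of one AVC record; field order follows the kernel's avc: denied format.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\scomm=(?P<comm>\S+).*?"
    r"\sscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]


def parse_avcs(text, comm=None):
    """Yield (source type, target type, tclass, permissions, comm) per AVC denial.
    When comm is given, only records produced by that command are returned."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm is not None and m.group("comm") != comm:
            continue
        yield (selinux_type(m.group("scontext")), selinux_type(m.group("tcontext")),
               m.group("tclass"), m.group("perms").split(), m.group("comm"))


def allow_rules(text, comm=None):
    """Collapse denials into audit2allow-style rules, one per (source, target, class).
    A target type equal to the source type is written as 'self', as audit2allow does."""
    perms_by_key = defaultdict(set)
    for src, tgt, tclass, perms, _ in parse_avcs(text, comm):
        perms_by_key[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(perms_by_key.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS, comm="qemu-ga"):
        print(rule)
```

      Running it on the sample prints exactly the rule from the description, which is the quickest way to confirm that a denial seen on another guest is this same issue rather than an unrelated capability check.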
      

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich