fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow qemu-ga read vmsysctls #2074

Status: Closed (zpytela closed this pull request 3 months ago)

zpytela commented 3 months ago

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(04/05/2024 08:35:35.512:92) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest-
type=PATH msg=audit(04/05/2024 08:35:35.512:92) : item=0 name=/proc/sys/vm/max_map_count inode=19121 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(04/05/2024 08:35:35.512:92) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xaaaae899c318 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { open } for pid=1448 comm=qemu-ga path=/proc/sys/vm/max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { read } for pid=1448 comm=qemu-ga name=max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1

Resolves: RHEL-31892
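An added example, not part of this PR or of the selinux-policy repository: a small Python parser that pulls the source type, target type, object class and permissions out of AVC records like the ones quoted in this thread and folds them into the allow-rule shape a reviewer checks against the policy (the same summary audit2allow gives). The records are embedded as constructed sample input; the regex, `parse_avc_denials` and `summarize_denials` are my own names, not tools from the project.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this PR thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { open } for pid=1448 comm=qemu-ga path=/proc/sys/vm/max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { read } for pid=1448 comm=qemu-ga name=max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/05/2024 19:46:37.388:415) : avc: denied { create } for pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
"""

# Hypothetical regex (my own): permissions, both contexts, class, permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def _type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avc_denials(log_text):
    """Yield one dict per AVC denial record found in the text."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "perms": set(m.group("perms").split()),
                "source": _type_of(m.group("scontext")),
                "target": _type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                # permissive=0 means the access was actually blocked, not just audited
                "enforced": m.group("permissive") == "0",
            }

def summarize_denials(log_text):
    """Fold denials sharing (source, target, class) into allow-rule lines
    for review, the way audit2allow presents them."""
    merged = defaultdict(set)
    for d in parse_avc_denials(log_text):
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        perm = " ".join(sorted(perms))
        if len(perms) > 1:
            perm = "{ " + perm + " }"
        rules.append(f"allow {src} {target}:{cls} {perm};")
    return rules
```

The summarized rule is the shape to check against the policy, not what a maintainer commits: in this tree the qemu-ga case is expressed through the policy's own interface for reading vm sysctls rather than a raw allow rule. Note that the qemu-ga records carry permissive=1 (audited, not blocked), while the systemd netlink record carries permissive=0.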

packit-as-a-service[bot] commented 3 months ago

Cockpit tests failed for commit 84bf25b0e6d5e5f218ebae6c3e9f944268afc9b9. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 3 months ago

Cockpit tests failed for commit f341995c4bc3b70a06ccaffa36816483160c2dc2. @martinpitt, @jelly, @mvollmer please check.

martinpitt commented 3 months ago

type=AVC msg=audit(04/05/2024 19:46:37.388:415) : avc: denied { create } for pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

This thing again. Like the previous time, this is a bug in rawhide, but not from this PR.

zpytela commented 3 months ago

> type=AVC msg=audit(04/05/2024 19:46:37.388:415) : avc: denied { create } for pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
>
> This thing again. Like the previous time, this is a bug in rawhide, but not from this PR.

So I also again wonder how this could happen given the permission is allowed in policy.