Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AVC Denial on qemu-ga Fedora CoreOS 33.20210201.10.0 #733

Closed
sandrobonazzola opened this issue Feb 5, 2021 · 17 comments
Closed

AVC Denial on qemu-ga Fedora CoreOS 33.20210201.10.0 #733

sandrobonazzola opened this issue Feb 5, 2021 · 17 comments
Labels
area/selinux external/okd kind/bug

Comments

@sandrobonazzola
Copy link

Describe the bug
Running Fedora CoreOS 33.20210201.10.0 within a VM hosted on oVirt.
Journal shows every 10 seconds:

AVC avc:  denied  { search } for  pid=696 comm="qemu-ga" name="containers" dev="sda4" ino=119537792 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:container_var_lib_t:s0 tclass=dir permissive=0

Reproduction steps
Steps to reproduce the behavior:

  1. Deploy OKD 4.6 or OKD 4.7 on top of oVirt (Bare metal UPI used in this specific case)
  2. Look at workers journal
  3. See AVC denials

Expected behavior
After installation no denials should happen: either the policy needs a fix or the qemu-ga shouldn't access the resource.

Actual behavior
Journal bein spammed by AVC denials

System details

  • Bare Metal UPI on top of KVM VMs managed by oVirt
  • Fedora CoreOS version: 33.20210201.10.0

Ignition config
This comes from an existing OKD 4.5 upgrade up to 4.7, not sure the original ignition is still relevant

Additional information
Add any other information about the problem here.
@cgwalters
Copy link
Member

coreos/coreos-assembler#1920 is related to this.

@lucab
Copy link
Contributor

lucab commented Feb 9, 2021

Thanks for the report. However we don't ship a qemu-ga binary in FCOS images, so that is probably coming from an overlaid package or a container. This should be probably reported against OKD or somewhere in Fedora.
@vrutkovs @LorbusChris where are such kind of SELinux troubles in OKD reported?

@vrutkovs
Copy link
Member

OKD bugs should go to https://github.com/openshift/okd first, as it uses a customized payload.

@sandrobonazzola
Copy link
Author

Wouldn't it be better to align RHCOS and FCOS and get qemu-ga included within FCOS as it has been done in RHCOS?
It will provide more valuable feedback from community and will reduce the differences between OKD and OCP.

@vrutkovs
Copy link
Member

Both OKD payload and RHCOS include qemu agent. FCOS doesn't need it pre-installed, as most clouds won't use it (and users can install it manually if required)

@jlebon
Copy link
Member

jlebon commented Feb 10, 2021

Wouldn't it be better to align RHCOS and FCOS and get qemu-ga included within FCOS as it has been done in RHCOS?

Even for RHCOS I think long-term we should make it an extension instead of baking it into the host.

@bgilbert
Copy link
Contributor

Wouldn't it be better to align RHCOS and FCOS and get qemu-ga included within FCOS as it has been done in RHCOS?

While we prefer to keep FCOS and RHCOS reasonably aligned, they have somewhat different goals and use cases. FCOS and RHCOS both have a general policy of omitting guest agents, but sometimes one OS makes an exception to that policy while the other does not.

(I'd disagree with @vrutkovs' reasoning, though. In cases where FCOS does ship guest agents, it ships them to all platforms, and we generally discourage users from installing packages not shipped with the image.)

@vrutkovs
Copy link
Member

Ah, okay, I don't mind FCOS shipping this agent (I mistakenly assumed its useful for OKD purposes only).

In any case to get more info about this bug we need a bug for Fedora's selinux-policy package, similar to https://bugzilla.redhat.com/show_bug.cgi?id=1908527

@bgilbert
Copy link
Contributor

To be clear, I'm not arguing in favor of shipping the agent. Previous discussion is in #74.

@sandrobonazzola
Copy link
Author

Ah, okay, I don't mind FCOS shipping this agent (I mistakenly assumed its useful for OKD purposes only).

In any case to get more info about this bug we need a bug for Fedora's selinux-policy package, similar to https://bugzilla.redhat.com/show_bug.cgi?id=1908527

Have you already opened it or should I?

@vrutkovs
Copy link
Member

Please go ahead

@sandrobonazzola
Copy link
Author

Opened at https://bugzilla.redhat.com/show_bug.cgi?id=1927639

@sandrobonazzola
Copy link
Author

Any update? I still see this happening on FCOS 34 and https://bugzilla.redhat.com/show_bug.cgi?id=1927639 didn't move in months

@travier
Copy link
Member

travier commented Oct 26, 2021

This looks like an harmless warning that could be a dontaudit rule and fixed in the agent. Upstream code should be there: https://gitlab.com/qemu-project/qemu/-/tree/master/qga

@sandrobonazzola
Copy link
Author

@a2902793 yes, on the worker node.

@travier
Copy link
Member

travier commented Apr 13, 2022

https://bugzilla.redhat.com/show_bug.cgi?id=1927639#c6 > This is the fix for OS that ship the agent.

@dustymabe
Copy link
Member

Closing this old issue out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/selinux external/okd kind/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@lucab @vrutkovs @cgwalters @bgilbert @sandrobonazzola @dustymabe @jlebon @travier