On Mon, Jun 20, 2022 at 01:44:05PM +0400, Marc-André Lureau wrote:
Hi!
https://bugzilla.redhat.com/show_bug.cgi?id=2093355 ("AVCs when trying to
execute a command through qemu-ga ("guest-exec" command)") describes an
issue with fedora/rhel SELinux rules, where some program executions are
denied.
qemu-ga has "virt_qemu_ga_t" context, and is not allowed to execute
binaries that are not "bin_t", iiuc. The suggestion from Renaud Métrich is
for qemu-ga exec command to launch the user program through an helper
program that would have the virt_qemu_ga_unconfined_exec_t context, and
appropriate rules in selinux (similar to fsfreeze-hook rules), so any
program can be executed. qemu-ga would thus ship and use that helper, in
all OS, to avoid varying code paths.
Does that sound reasonable or should we try to find a solution with SELinux
rules instead?
I thought was did not allow qemu-ga to execute binaries at all, regardless
of whether they're bin_t or not. The 'guest-exec' command is essentially
a giant hole that defeats the purpose of confining qemu-ga with SELinux
at all IMHO.
IMHO execution of external commands should only be allowed after toggling
a SELinux boolean tunable.
With regards,
Daniel