Bug 440816 - app-emulation/qemu sdl frontend on selinux
Summary: app-emulation/qemu sdl frontend on selinux
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r8
Keywords:
Depends on:
Blocks:
Reported: 2012-11-01 18:33 UTC by Amadeusz Sławiński
Modified: 2012-12-13 10:09 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Amadeusz Sławiński 2012-11-01 18:33:23 UTC
It doesn't start as staff_u:staff_r:staff_t or staff_u:sysadm_r:sysadm_t

I run -9999 policies

% qemu-system-x86_64
Could not initialize SDL(No available video device) - exiting

Enforcing:
Nov  1 19:17:14 localhost kernel: [18269.138589] type=1400 audit(1351793834.802:142): avc:  denied  { read } for  pid=5365 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov  1 19:17:14 localhost kernel: [18269.289364] type=1400 audit(1351793834.953:143): avc:  denied  { connectto } for  pid=5364 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket


Permissive:
Nov  1 19:18:12 localhost kernel: [18326.361917] type=1400 audit(1351793892.139:145): avc:  denied  { read } for  pid=5379 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.361953] type=1400 audit(1351793892.139:146): avc:  denied  { open } for  pid=5379 comm="qemu-system-x86" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.391388] type=1400 audit(1351793892.168:147): avc:  denied  { connectto } for  pid=5378 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket
Nov  1 19:18:12 localhost kernel: [18326.391521] type=1400 audit(1351793892.168:148): avc:  denied  { read } for  pid=5378 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.391553] type=1400 audit(1351793892.168:149): avc:  denied  { open } for  pid=5378 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.391579] type=1400 audit(1351793892.168:150): avc:  denied  { getattr } for  pid=5378 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.400096] type=1400 audit(1351793892.177:151): avc:  denied  { read } for  pid=2643 comm="X" name="cmdline" dev="proc" ino=1506421 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.400106] type=1400 audit(1351793892.177:152): avc:  denied  { open } for  pid=2643 comm="X" path="/proc/5378/cmdline" dev="proc" ino=1506421 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov  1 19:18:12 localhost kernel: [18326.510908] type=1400 audit(1351793892.288:153): avc:  denied  { unix_read unix_write } for  pid=2643 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm


Reproducible: Always




Portage 2.1.11.31 (hardened/linux/amd64/selinux, gcc-4.6.3, glibc-2.15-r3, 3.6.1-hardened x86_64)
=================================================================
System uname: Linux-3.6.1-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
Timestamp of tree: Tue, 30 Oct 2012 19:30:01 +0000
ld GNU ld (GNU Binutils) 2.23
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3-r1
dev-util/cmake:           2.8.9-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.2
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.4
sys-devel/binutils:       2.23
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo x11 hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL skype-4.0.0.7-copyright google-talkplugin"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_GB pl"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cups cxx dbus dri dvd gdbm gif gpm hardened iconv icu ipv6 jpeg justify mmx mng modules mp3 mudflap multilib ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd tiff udev unicode urandom usb v4l vaapi vim-syntax wacom wifi xft xinerama xtpax zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_GB pl" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" QEMU_SOFTMMU_TARGETS="x86_64" RUBY_TARGETS="ruby18 ruby19" 
USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
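An added worked example (not part of the bug report, and not Gentoo's or refpolicy's own tooling) that parses AVC denial lines like the ones in this report, decodes the hex-encoded values audit emits for paths it cannot print (the abstract socket path=002F... and the SysV shm path=2F5359...), groups the denials by source type, target type and object class, and pairs each group with the remedy the rest of this thread settles on. The sample lines are copied from this bug's output; the remedy table only records what the thread states and is not a general lookup.

```python
import re
from collections import defaultdict

# Sample input: four AVC lines copied from this bug's audit output plus one
# unrelated kernel line, so the parser can be exercised offline.
SAMPLE_LINES = [
    'Nov  1 19:17:14 localhost kernel: [18269.138589] type=1400 audit(1351793834.802:142): avc:  denied  { read } for  pid=5365 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file',
    'Nov  1 19:17:14 localhost kernel: [18269.289364] type=1400 audit(1351793834.953:143): avc:  denied  { connectto } for  pid=5364 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket',
    'Nov 11 18:06:52 lain kernel: [20085.372177] type=1400 audit(1352653612.932:3994): avc:  denied  { unix_read unix_write } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm',
    'Nov 11 18:06:52 lain kernel: [20085.372212] type=1400 audit(1352653612.932:3996): avc:  denied  { read write } for  pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=405504003 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file',
    'Nov 11 18:06:52 lain kernel: some unrelated kernel message',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Fields the audit subsystem hex-encodes when the value contains bytes it will
# not print (NUL, space, quotes). Numeric fields such as pid/ino/key are left alone.
HEX_FIELDS = {'path', 'name', 'comm', 'proctitle'}

# Remedies this thread arrives at, keyed by (source type, target type, class).
# These are the page's own conclusions (comments 1, 3 and 5), not a general table.
REMEDIES_FROM_THREAD = {
    ('qemu_t', 'sysfs_t', 'file'): 'setsebool virt_use_sysfs on (comment 1)',
    ('qemu_t', 'xserver_t', 'unix_stream_socket'): 'setsebool virt_use_xserver on (comment 1)',
    ('qemu_t', 'xauth_home_t', 'file'): 'xserver_read_user_xauth(qemu_t) in a local policy module (comment 3)',
    ('xserver_t', 'qemu_t', 'shm'): 'xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) (comment 5)',
    ('xserver_t', 'qemu_tmpfs_t', 'file'): 'xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) (comment 5)',
}


def decode_bare_value(key, raw):
    """Decode an unquoted, hex-encoded audit value; return other values unchanged."""
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        text = bytes.fromhex(raw).decode('utf-8', errors='replace')
        # A leading NUL marks an abstract Unix socket; show it with the '@' prefix ss uses.
        return '@' + text[1:] if text.startswith('\x00') else text
    return raw


def parse_avc(line):
    """Return {'perms': [...], 'fields': {...}} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if bare == '' else decode_bare_value(key, bare)
    return {'perms': m.group('perms').split(), 'fields': fields}


def type_of(context):
    """Third component of a user:role:type[:level] security context."""
    return context.split(':')[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec['fields']
        grouped[(type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])].update(rec['perms'])
    return dict(grouped)


def suggest(summary):
    """For each group, the raw allow rule audit2allow would print next to the
    boolean or interface this thread used instead of such a rule."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rule = 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        out.append((rule, REMEDIES_FROM_THREAD.get((src, tgt, cls), 'no remedy recorded in this thread')))
    return out


if __name__ == '__main__':
    for rule, remedy in suggest(summarize(SAMPLE_LINES)):
        print(rule, '->', remedy)
```

Grouping by type rather than by full context collapses the staff_r and sysadm_r runs in comment 2 into the same rows, which is the view a policy maintainer needs: the raw allow rules are what audit2allow would emit, while the right-hand column is the boolean or interface that grants the same access through the policy's own abstractions.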
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 14:32:31 UTC
There's a boolean called "virt_use_xserver" which you need to toggle on if you use the SDL approach. For sysfs, you can toggle "virt_use_sysfs".
Comment 2 Amadeusz Sławiński 2012-11-11 17:11:48 UTC
# getsebool -a | grep virt
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sysfs --> on
virt_use_usb --> off
virt_use_xserver --> on


As user, staff_u:staff_r:staff_t
with policy:
policy_module(qemustaff, 1.0.0)

require {
	type staff_t;
	role staff_r;
}

qemu_run(staff_t, staff_r)

Enforcing:
Nov 11 18:06:44 lain kernel: [20076.499347] type=1400 audit(1352653604.042:3987): avc:  denied  { read } for  pid=28245 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Permissive:
Nov 11 18:06:52 lain kernel: [20085.305737] type=1400 audit(1352653612.866:3989): avc:  denied  { read } for  pid=28276 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305768] type=1400 audit(1352653612.866:3990): avc:  denied  { open } for  pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305793] type=1400 audit(1352653612.866:3991): avc:  denied  { getattr } for  pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305810] type=1400 audit(1352653612.866:3992): avc:  denied  { read } for  pid=1969 comm="X" name="cmdline" dev="proc" ino=2322956 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305829] type=1400 audit(1352653612.866:3993): avc:  denied  { open } for  pid=1969 comm="X" path="/proc/28276/cmdline" dev="proc" ino=2322956 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.372177] type=1400 audit(1352653612.932:3994): avc:  denied  { unix_read unix_write } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 11 18:06:52 lain kernel: [20085.372187] type=1400 audit(1352653612.932:3995): avc:  denied  { read write } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 11 18:06:52 lain kernel: [20085.372212] type=1400 audit(1352653612.932:3996): avc:  denied  { read write } for  pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=405504003 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.372231] type=1400 audit(1352653612.932:3997): avc:  denied  { getattr associate } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm



As root, staff_u:sysadm_r:sysadm_t

Enforcing:
Nov 11 18:08:36 lain kernel: [20188.575918] type=1400 audit(1352653716.341:4001): avc:  denied  { dac_override } for  pid=28399 comm="qemu-system-x86" capability=1  scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:36 lain kernel: [20188.575935] type=1400 audit(1352653716.341:4002): avc:  denied  { dac_read_search } for  pid=28399 comm="qemu-system-x86" capability=2  scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:36 lain kernel: [20188.575944] type=1400 audit(1352653716.341:4003): avc:  denied  { dac_override } for  pid=28399 comm="qemu-system-x86" capability=1  scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability

Permissive:
Nov 11 18:08:45 lain kernel: [20197.827314] type=1400 audit(1352653725.611:4005): avc:  denied  { dac_override } for  pid=28439 comm="qemu-system-x86" capability=1  scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:45 lain kernel: [20197.827358] type=1400 audit(1352653725.611:4006): avc:  denied  { read } for  pid=28439 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.827381] type=1400 audit(1352653725.611:4007): avc:  denied  { open } for  pid=28439 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.827400] type=1400 audit(1352653725.611:4008): avc:  denied  { getattr } for  pid=28439 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.897640] type=1400 audit(1352653725.681:4009): avc:  denied  { unix_read unix_write } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Nov 11 18:08:45 lain kernel: [20197.897660] type=1400 audit(1352653725.681:4010): avc:  denied  { read write } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Nov 11 18:08:45 lain kernel: [20197.897709] type=1400 audit(1352653725.681:4011): avc:  denied  { read write } for  pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=409665539 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.897736] type=1400 audit(1352653725.681:4012): avc:  denied  { getattr associate } for  pid=1969 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 19:38:55 UTC
Ok, do you get any errors (by qemu) when you want to start it, or does it just fail silently (with an error code)?

If you add in "xserver_read_user_xauth(qemu_t)" what happens then?
Comment 4 Amadeusz Sławiński 2012-11-14 20:03:11 UTC
Yes, it starts with xserver_read_user_xauth(qemu_t).



Enforcing:
Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154): avc:  denied  { unix_read unix_write } for  pid=1973 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm

Permissive:
Nov 14 20:59:19 lain kernel: [39914.168472] type=1400 audit(1352923159.964:156): avc:  denied  { read } for  pid=1973 comm="X" name="cmdline" dev="proc" ino=3585169 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 14 20:59:19 lain kernel: [39914.168488] type=1400 audit(1352923159.964:157): avc:  denied  { open } for  pid=1973 comm="X" path="/proc/5471/cmdline" dev="proc" ino=3585169 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 14 20:59:20 lain kernel: [39914.231533] type=1400 audit(1352923160.027:158): avc:  denied  { unix_read unix_write } for  pid=1973 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 14 20:59:20 lain kernel: [39914.231543] type=1400 audit(1352923160.027:159): avc:  denied  { read write } for  pid=1973 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 14 20:59:20 lain kernel: [39914.231577] type=1400 audit(1352923160.027:160): avc:  denied  { read write } for  pid=1973 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=1173028867 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 14 20:59:20 lain kernel: [39914.231592] type=1400 audit(1352923160.027:161): avc:  denied  { getattr associate } for  pid=1973 comm="X" key=0  scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-17 20:29:47 UTC
I'm tempted to make it an xserver application through "xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)". This will allow all that is needed to run something as an xserver application, which is imo what this is about (when using the SDL approach).

I personally use VNC support instead of SDL, so I don't need it. Sadly, this too uses attributes underneath, so I can't use a tunable to allow or disallow this.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-17 20:40:01 UTC
In repo, will be in r8
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-23 21:41:48 UTC
r8 in hardened-dev overlay
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:36:49 UTC
r8 is now in main tree, ~arch
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:09:41 UTC
r8 is now stable