Looking for advice on how to report a bug in SELinux policy


Post by sawozny » 2019/12/10 21:41:23

So, I posted an extensive post on snapshot management in virsh / qemu a few months back and it has worked great for me (and saved me a number of hours doing system rebuilds), but I tried something new recently that I think has led me to discover a bug somewhere in the snapshot generation code chain (or, more specifically, the SELinux policy related to it). When I have a VM with only one virtual disk (vda) partitioned up and further managed with LVM and I do a snapshot-create, things work just as expected, every time. However, on a VM where I have added a second disk image (vdb), when I run a snapshot-create command for that domain, I get back the error:

Code:

virsh # snapshot-create-as db1 test.snap --disk-only --quiesce --atomic
error: internal error: unable to execute QEMU agent command 'guest-fsfreeze-freeze': failed to open /var/lib/mysql: Permission denied

It’s worth noting that this only happens on a partition in active use (in my case, I was running a MySQL server on it). When I tried to duplicate this on an empty (but mounted) partition on a second disk for testing, snapshots generated fine.

There was nothing in the messages file or journalctl to indicate what went wrong, but when I ran audit2allow -a, I got this back:

Code:

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t self:capability { dac_override dac_read_search };

I can throw the virt_qemu_ga_t type into SELinux permissive (which is my current workaround when I need to take a snapshot on this type of system) or I can simply add a policy file that addresses these 2 calls (which I’ve done for other software and will become my long term workaround) but I think this is a bug in the qemu guest agent SELinux policy that merits fixing.

So this leaves me with 2 questions. First, can anyone confirm or refute this issue? If it’s just me, I don’t want to bother anyone else with this. Second, does anyone have any suggestion of who to report this to? Is it the SELinux base policy maintainers? Is it the upstream qemu folks? Is it the mid-stream libvirt / virsh folks? Is it the downstream folks at Red Hat? Or should I report it to multiple locations and let the involved parties work it out since they’re much more likely to know who manages the SELinux policy for the qemu guest agent?

I love open source software, but there is definitely something to be said about having one number to call for support. :)

Any suggestions would be appreciated.

Thanks,

Scott
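
The local policy file mentioned in the post as a long-term workaround can be limited to the guest agent's domain rather than to everything audit2allow -a finds in the audit log. The following is an added example, not code from the thread: the AVC log lines are constructed, and the module name local_qemu_ga is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1576014083.101:412): avc:  denied  { dac_override } for  pid=1187 comm="qemu-ga" capability=1  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1576014083.101:413): avc:  denied  { dac_read_search } for  pid=1187 comm="qemu-ga" capability=2  scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:system_r:virt_qemu_ga_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1576014090.555:420): avc:  denied  { read } for  pid=2290 comm="httpd" name="notes.txt" dev="vda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Pull the permission set, the type field of both contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\S+)")

def denials_for(log_text, domain):
    """Collect denied permissions for one source domain, keyed by (target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("src") != domain:
            continue  # skip non-AVC lines and denials from other domains
        tgt = "self" if m.group("tgt") == domain else m.group("tgt")
        rules[(tgt, m.group("cls"))].update(m.group("perms").split())
    return rules

def render_module(name, domain, rules):
    """Render type-enforcement (.te) source for a local policy module."""
    types = sorted({domain} | {t for t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {domain} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("local_qemu_ga", "virt_qemu_ga_t",
                        denials_for(SAMPLE_LOG, "virt_qemu_ga_t")))
```

The rendered source can be compiled with checkmodule and semodule_package and loaded with semodule -i. Because dac_override lets the agent bypass file permission checks, the filtered denials are also the evidence worth attaching to a bug report.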


Re: Looking for advice on how to report a bug in SELinux policy

Post by TrevorH » 2019/12/11 10:01:46

You want bugzilla.redhat.com

Re: Looking for advice on how to report a bug in SELinux policy

Post by sawozny » 2019/12/11 18:20:57

TrevorH wrote (2019/12/11 10:01:46):
You want bugzilla.redhat.com

Downstream it is. Thanks very much! :)

Scott
