Bug 1591105

Summary: SELinux prevents the qemu-kvm process started by libvirt from reading/writing /dev/vhost-vsock
Product: Red Hat Enterprise Linux 7
Reporter: yafu <yafu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: urgent
Version: 7.6
CC: dyuan, fjin, jtomko, lmen, lvrabec, mgrepl, mmalik, plautrba, ssekidde, xuzhang, yafu
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-25 08:51:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1291851

Description yafu 2018-06-14 05:27:07 UTC
Description of problem:
SELinux prevents the qemu-kvm process started by libvirt from reading/writing /dev/vhost-vsock

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-203.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Load the modules in the host:
#modprobe vsock
#modprobe vhost_vsock

2. Edit the guest XML to add a vsock device:
#virsh edit iommu1
<vsock model='virtio'>
  <cid auto='no' address='4'/>
</vsock>

3. Start the guest:
#virsh start iommu1
error: Failed to start domain iommu1
error: internal error: qemu unexpectedly closed the monitor: 
2018-06-14T05:19:35.990237Z qemu-kvm: -device vhost-vsock-pci,id=vsock0,guest-cid=4,vhostfd=23,bus=pcie.0,addr=0x7: vhost_set_owner failed: Inappropriate ioctl for device (25)
2018-06-14T05:19:35.990302Z qemu-kvm: -device vhost-vsock-pci,id=vsock0,guest-cid=4,vhostfd=23,bus=pcie.0,addr=0x7: vhost-vsock: vhost_dev_init failed: Operation not permitted

4. Check the audit log:
type=VIRT_RESOURCE msg=audit(1528953106.292:14613): pid=23340 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=cgroup reason=deny vm="iommu1" uuid=1b3268d6-b59c-406b-a14c-33b000b15b6c cgroup="/sys/fs/cgroup/devices/machine.slice/machine-qemu\x2d3\x2diommu1.scope/" class=all exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1528953106.310:14625): avc:  denied  { read write } for  pid=415 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=3030467 scontext=system_u:system_r:svirt_t:s0:c455,c920 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


Actual results:
As in step 4

Expected results:
No avc denial

Additional info:

Comment 2 Ján Tomko 2018-06-14 08:29:11 UTC
tcontext=system_u:object_r:device_t:s0
^^ your /dev/vhost-vsock is still labeled as device_t

Can you try restoring the new default:
# restorecon /dev/vhost-vsock
# ls -lZ /dev/vhost-vsock 
crw-------. root root system_u:object_r:vhost_device_t:s0 /dev/vhost-vsock

It works for me with:
selinux-policy-3.13.1-203.el7.noarch
libvirt-4.4.0-2.el7.x86_64

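The denial in the report and the check in Comment 2 both come down to one question: does the SELinux type on /dev/vhost-vsock match the type the installed policy assigns to it. The following script is an added example, not code from the bug report, libvirt or selinux-policy. It parses the type out of an AVC line and out of an `ls -lZ` line (constructed samples shaped like the ones above), compares it with the expected type vhost_device_t (the label Comment 2 shows after restorecon), and includes a live check that reads the real node's context with `stat -c %C`. Function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy/libvirt:
# extract the SELinux type from an AVC denial and from a device node label,
# then compare it with the type the policy is expected to assign.

# Constructed sample lines, shaped like the ones in the report.
SAMPLE_AVC='type=AVC msg=audit(1528953106.310:14625): avc:  denied  { read write } for  pid=415 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=3030467 scontext=system_u:system_r:svirt_t:s0:c455,c920 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
SAMPLE_LS='crw-------. root root system_u:object_r:device_t:s0    /dev/vhost-vsock'
# Expected type taken from Comment 2's ls -lZ output after restorecon.
EXPECTED_TYPE=vhost_device_t

# Print the value of KEY=value from an audit line ($1 = line, $2 = key).
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# The type is the third colon-separated field of a context ($1 = context).
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Type of the object the denial was raised against (tcontext).
avc_target_type() {
  context_type "$(avc_field "$1" tcontext)"
}

# Type of the subject that was denied (scontext), e.g. svirt_t for a guest.
avc_source_type() {
  context_type "$(avc_field "$1" scontext)"
}

# Type shown in an `ls -lZ` line: the context is the fourth column ($1 = line).
ls_label_type() {
  context_type "$(printf '%s\n' "$1" | awk '{print $4}')"
}

# 0 when the observed type equals the expected one, 1 otherwise
# ($1 = expected type, $2 = observed type).
label_matches() {
  [ "$1" = "$2" ]
}

# Live check for a real host: read the node's context with stat and compare.
# Returns 0 if the label matches, 1 if it is stale, 2 if the node is missing
# (the vhost_vsock module may not be loaded yet).
check_device_label() {
  dev=$1; want=$2
  [ -e "$dev" ] || { echo "$dev not present" >&2; return 2; }
  have=$(context_type "$(stat -c %C "$dev")")
  if label_matches "$want" "$have"; then
    echo "$dev: $have (ok)"
  else
    echo "$dev: $have, expected $want; fix with: restorecon -v $dev" >&2
    return 1
  fi
}

# Offline demonstration on the constructed lines.
echo "denied subject: $(avc_source_type "$SAMPLE_AVC")"
echo "denied target : $(avc_target_type "$SAMPLE_AVC")"
if label_matches "$EXPECTED_TYPE" "$(ls_label_type "$SAMPLE_LS")"; then
  echo "label ok"
else
  echo "stale label: $(ls_label_type "$SAMPLE_LS") instead of $EXPECTED_TYPE"
fi
```

On a host, source the file and run `check_device_label /dev/vhost-vsock vhost_device_t`; `restorecon -nv /dev/vhost-vsock` shows what would be relabelled without changing anything. A denial whose tcontext is the generic device_t right after a policy update, as in this report, points at a node that still carries the old label rather than at a missing policy rule, which is why restoring the default context resolves it.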
Comment 3 yafu 2018-06-14 09:04:41 UTC
(In reply to Ján Tomko from comment #2)
> tcontext=system_u:object_r:device_t:s0
> ^^ your /dev/vhost-vsock is still labeled as device_t
> 
> Can you try restoring the new default:
> # restorecon /dev/vhost-vsock
> # ls -lZ /dev/vhost-vsock 
> crw-------. root root system_u:object_r:vhost_device_t:s0 /dev/vhost-vsock
> 
> It works for me with:
> selinux-policy-3.13.1-203.el7.noarch
> libvirt-4.4.0-2.el7.x86_64

It works well after restoring /dev/vhost-vsock.
But /dev/vhost-vsock is labeled as device_t after upgrading selinux-policy to 3.13.1-203. Do I need to reboot the OS after upgrading selinux-policy?

My test steps are:
#yum -y update selinux-policy

#rpm -q selinux-policy
selinux-policy-3.13.1-203.el7.noarch

#modprobe vhost_vsock

#ll -Z /dev/vhost-vsock
crw-------. root root system_u:object_r:device_t:s0    /dev/vhost-vsock

Comment 4 Lukas Vrabec 2018-06-25 08:51:15 UTC

*** This bug has been marked as a duplicate of bug 1584011 ***