Bug 1592688

Summary: SELinux is preventing /usr/libexec/qemu-kvm from map access
Product: Red Hat Enterprise Linux 7
Reporter: Junxiang Li <junli>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.6
CC: dzheng, fjin, junli, lhuang, lvrabec, mgrepl, mmalik, plautrba, ssekidde, yafu, yanqzhan
Target Milestone: rc
Keywords: Automation, TestBlocker
Flags: yafu: needinfo-
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-205.el7
Last Closed: 2018-10-30 10:05:46 UTC
Type: Bug
Bug Blocks: 1553085

Description Junxiang Li 2018-06-19 07:04:22 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from map access
Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c296,c387 
Target Context                system_u:object_r:svirt_image_t:s0
Target Objects                Please check message
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-204.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
                              kernel-3.10.0-897.el7.x86_64
Alert Count                   1
First Seen                    <Unknown>
Last Seen                     2018-06-19 03:00:00 EDT
Local ID                      <Unknown>

Raw Audit Messages
type=AVC msg=audit(1529373654.545:13947): avc:  denied  { map } for  pid=20718 comm="qemu-kvm" path=2F6465762F687567657061676573324D2F6C6962766972742F71656D752F312D61766F6361646F2D76742D766D312F71656D755F6261636B5F6D656D2E5F6F626A656374735F72616D2D6E6F6465302E34315147524F202864656C6574656429 dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0

Hash: qemu-kvm,svirt_t,svirt_image_t,file,map

Comment 2 Milos Malik 2018-06-20 08:58:05 UTC
Here is the same SELinux denial interpreted by ausearch -i:
----
type=AVC msg=audit(06/19/2018 04:00:54.545:13947) : avc:  denied  { map } for  pid=20718 comm=qemu-kvm path=/dev/hugepages2M/libvirt/qemu/1-avocado-vt-vm1/qemu_back_mem._objects_ram-node0.41QGRO (deleted) dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0 
----

Comment 3 Milos Malik 2018-06-20 09:15:20 UTC
I wonder why the deleted file is labeled svirt_image_t. Is it really a virtual machine image?

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_security_guide/#sect-Virtualization_Security_Guide-sVirt-Labels

Comment 4 Milos Malik 2018-06-20 09:16:55 UTC
Sorry, I meant to write "Virtual Machine Shared Read/Write Content" instead of "Virtual Machine Image".

Comment 5 Junxiang Li 2018-06-20 09:44:01 UTC
(In reply to Milos Malik from comment #3)
> I wonder why is the deleted file labeled svirt_image_t. Is it really a
> virtual machine image?
>
>  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_security_guide/#sect-Virtualization_Security_Guide-sVirt-Labels

Sorry, I'm not sure.

Hi yafu,
Could you help answer this question?

Comment 6 Luyao Huang 2018-06-21 02:17:26 UTC
This file is created by qemu-kvm (in this case qemu creates a temporary file, mmaps the memory and then deletes the file), and the directory /dev/hugepages2M/libvirt/qemu/1-avocado-vt-vm1/ is created by libvirt, which changes the directory's context to system_u:object_r:svirt_image_t:s0:cxxx,cxxx; that is why this file is labeled svirt_image_t.

I checked that this issue has already been fixed in Fedora (see bug 1514538); here is the result of sesearch in F28:

# sesearch -A -s svirt_t -t svirt_image_t
allow svirt_t svirt_image_t:file map;
...
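As an added illustration (not code from this bug or from the selinux-policy project), the following Python decodes the raw AVC record from the description the way ausearch -i does in comment 2 (the kernel hex-encodes a path that contains a space, here the " (deleted)" suffix left by qemu unlinking its hugetlbfs backing file), and derives from it the "Hash:" tuple shown above and the allow rule that sesearch prints in comment 6. The hex-encoded field set and the rule formatting are assumptions; the audit line is a constructed copy of the one on this page.

```python
import re

# Constructed copy of the raw AVC record from this bug's "Raw Audit Messages".
# The kernel hex-encodes audit fields holding a space or non-printable byte.
RAW_AVC = (
    'type=AVC msg=audit(1529373654.545:13947): avc:  denied  { map } for  '
    'pid=20718 comm="qemu-kvm" path=2F6465762F687567657061676573324D2F6C69627669'
    '72742F71656D752F312D61766F6361646F2D76742D766D312F71656D755F6261636B5F6D656D'
    '2E5F6F626A656374735F72616D2D6E6F6465302E34315147524F202864656C6574656429 '
    'dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 '
    'tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# Assumed set of fields the audit subsystem may hex-encode (never numeric ones
# such as ino, which would otherwise decode as garbage).
HEX_FIELDS = {'path', 'comm', 'name', 'exe', 'cwd', 'proctitle'}

def decode_field(key, value):
    """Return a field as ausearch -i would show it: unquoted or hex-decoded."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value

def parse_avc(line):
    """Split one raw AVC record into a dict (perms, path, contexts, types)."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = decode_field(key, raw)
    # The type is the third colon-separated component of an SELinux context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # qemu unlinks its backing file after mmap, so the path ends in " (deleted)".
    rec['deleted'] = rec['path'].endswith(' (deleted)')
    return rec

def alert_hash(rec):
    """The comm,stype,ttype,tclass,perm tuple this report prints after 'Hash:'."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms'])])

def required_rule(rec):
    """The allow rule the policy must contain, in the form sesearch -A prints it."""
    perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)
```

Running required_rule(parse_avc(RAW_AVC)) yields the exact line comment 6 found present in the Fedora policy and missing from selinux-policy-3.13.1-204.el7.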

Comment 7 Yanqiu Zhang 2018-06-22 06:32:28 UTC
Adding the keyword "TestBlocker": this blocks several libvirt "Guest NUMA memory binding" function tests. Please resolve ASAP.

Comment 12 errata-xmlrpc 2018-10-30 10:05:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111