Bug 1625613
| Summary: | SELinux is preventing /usr/libexec/qemu-kvm from ioctl/open/read/write/map/mem/execmem access on the chr_file /dev/dri/renderD128 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | yafu <yafu> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | fjin, kraxel, lmiksik, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, yafu, zhguo |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 10:09:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1564153, 1654309 | | |
Description
yafu
2018-09-05 11:13:06 UTC
(In reply to yafu from comment #0)
> Description of problem:
> SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the
> chr_file /dev/dri/renderD128
>
> Version-Release number of selected component (if applicable):
> selinux-policy-3.13.1-223.el7.noarch
> libvirt-4.5.0-8.el7.x86_64
> qemu-kvm-rhev-2.12.0-13.el7.x86_64
> 3.10.0-940.el7.x86_64
>
>
> How reproducible:
> 100%
>
>
> Steps to Reproduce:
> 1.Create mdev device;
>
> 2.Define a guest with spice gl:
> #virsh edit rhel7.6
> <graphics type='spice'>
> <listen type='none'/>
> <gl enable='yes' rendernode='/dev/dri/renderD128'/>
> </graphics>
>
> 3.Start the guest:
> #virsh start rhel7.6
> error: Failed to start domain rhel7.6
> error: internal error: qemu unexpectedly closed the monitor:
> 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available
> 2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node
> for SPICE GL
>
> 4.Check the syslog:
> #cat /var/log/messages
> Sep 5 19:09:40 localhost python: SELinux is preventing
> /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128.
>
> Actual results:
> Guest failed to start
>
> Expected results:
> Guest should start successfully
>
>
> Additional info:
> 1.Audit messages:
> type=AVC msg=audit(1536145479.767:4598): avc: denied { open } for
> pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222
> scontext=system_u:system_r:svirt_t:s0:c73,c409
> tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
> type=AVC msg=audit(1536145479.769:4599): avc: denied { ioctl } for
> pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222
> ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409
> tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Sorry for wrong paste of audit message.
The right audit message is:

type=AVC msg=audit(1536215083.599:708): avc: denied { read write } for pid=18806 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=145623 scontext=system_u:system_r:svirt_t:s0:c39,c589 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

And if I set the SELinux status as permissive, the SELinux message in syslog is as follows:

# cat /var/log/messages | grep -i setroubleshoot
Sep 6 14:30:54 localhost dbus[4505]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Sep 6 14:30:54 localhost dbus[4505]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Sep 6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep 6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep 6 14:30:54 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep 6 14:30:55 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from using the execmem access on a process. For complete SELinux messages run: sealert -l 40bb2b0e-9b4f-4f0d-a0bf-3ef32b67daa0

The audit message is as follows:

type=AVC msg=audit(1536215454.006:770): avc: denied { read write } for pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.006:770): avc: denied { open } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.008:771): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.014:772): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.017:773): avc: denied { execmem } for pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1
type=AVC msg=audit(1536215454.293:779): avc: denied { map } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.293:779): avc: denied { read write } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

The denial which contains { execmem } can be solved by enabling the virt_use_execmem boolean. The rest of the SELinux denials need to be fixed in a new build of selinux-policy.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111
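As an added example that is not part of this bug report or of selinux-policy, the script below triages the AVC records quoted above the way the comments do: it parses each `avc: denied` record, groups denials by source type, target type and object class, unions the permissions, and then separates the `execmem` denial on the `process` class (which the report says the `virt_use_execmem` boolean covers) from the `dri_device_t` `chr_file` accesses that needed a new selinux-policy build. It also keeps track of `permissive=0` versus `permissive=1`, since only the former records an access that was actually blocked. The `BOOLEAN_COVERS` table, the function names and the `triage` output format are assumptions made for this example; in practice `audit2allow` is the usual tool for turning these records into a policy proposal.

```python
import re
from collections import defaultdict

# AVC records taken from the bug report above (one per line): the enforcing-mode
# record with permissive=0 plus the permissive-mode run that showed every denial.
AUDIT_LOG = """\
type=AVC msg=audit(1536215083.599:708): avc: denied { read write } for pid=18806 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=145623 scontext=system_u:system_r:svirt_t:s0:c39,c589 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1536215454.006:770): avc: denied { read write } for pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.006:770): avc: denied { open } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.008:771): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.014:772): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.017:773): avc: denied { execmem } for pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1
type=AVC msg=audit(1536215454.293:779): avc: denied { map } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "ioctlcmd": fields.get("ioctlcmd"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


# Denials an existing boolean is known to cover. The execmem entry is the one
# named in the report; the table itself is an assumption for this example, not
# something extracted from the selinux-policy sources.
BOOLEAN_COVERS = {
    ("svirt_t", "svirt_t", "process", "execmem"): "virt_use_execmem",
}


def summarize(audit_text):
    """Aggregate denials per (source type, target type, class), unioning permissions."""
    groups = defaultdict(lambda: {"perms": set(), "ioctlcmds": set(), "enforced": False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        if rec["ioctlcmd"]:
            g["ioctlcmds"].add(rec["ioctlcmd"])
        # permissive=0 means the access was really refused, not merely audited.
        g["enforced"] |= not rec["permissive"]
    return dict(groups)


def triage(audit_text):
    """Split each group's permissions into boolean-covered ones and ones needing a policy change."""
    result = {}
    for key, g in summarize(audit_text).items():
        stype, ttype, tclass = key
        via_boolean, needs_policy = {}, set()
        for perm in g["perms"]:
            boolean = BOOLEAN_COVERS.get((stype, ttype, tclass, perm))
            if boolean:
                via_boolean[perm] = boolean
            else:
                needs_policy.add(perm)
        result[key] = {"boolean": via_boolean, "needs_policy": needs_policy,
                       "ioctlcmds": g["ioctlcmds"], "enforced": g["enforced"]}
    return result


if __name__ == "__main__":
    for (stype, ttype, tclass), r in triage(AUDIT_LOG).items():
        print(f"{stype} -> {ttype}:{tclass}")
        for perm, boolean in sorted(r["boolean"].items()):
            print(f"  {perm}: covered by boolean {boolean} (setsebool -P {boolean} on)")
        if r["needs_policy"]:
            extra = f" (ioctlcmd {', '.join(sorted(r['ioctlcmds']))})" if r["ioctlcmds"] else ""
            print(f"  needs policy change: {' '.join(sorted(r['needs_policy']))}{extra}")
        print("  seen in enforcing mode:", "yes (access blocked)" if r["enforced"] else "no (audited only)")
```

Grouping by type rather than by full context is deliberate: the MCS categories (`c674,c923`) differ for every guest, so keying on them would split one policy gap into as many groups as there were guest starts.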