Bug 1625613

Summary: SELinux is preventing /usr/libexec/qemu-kvm from ioctl/open/read/write/map/mem/execmem access on the chr_file /dev/dri/renderD128
Product: Red Hat Enterprise Linux 7
Reporter: yafu <yafu>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.6
CC: fjin, kraxel, lmiksik, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, yafu, zhguo
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 10:09:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1654309, 1564153

Description yafu 2018-09-05 11:13:06 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-223.el7.noarch
libvirt-4.5.0-8.el7.x86_64
qemu-kvm-rhev-2.12.0-13.el7.x86_64
3.10.0-940.el7.x86_64


How reproducible:
100%


Steps to Reproduce:
1.Create mdev device;

2.Define a guest with spice gl:
#virsh edit rhel7.6
<graphics type='spice'>
      <listen type='none'/>
      <gl enable='yes' rendernode='/dev/dri/renderD128'/>
</graphics>

3.Start the guest:
#virsh start rhel7.6
error: Failed to start domain rhel7.6
error: internal error: qemu unexpectedly closed the monitor: 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available
2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node for SPICE GL

4.Check the syslog:
#cat /var/log/messages
Sep  5 19:09:40 localhost python: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128.

Actual results:
Guest failed to start

Expected results:
Guest should start successfully


Additional info:
1.Audit messages:
type=AVC msg=audit(1536145479.767:4598): avc:  denied  { open } for  pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536145479.769:4599): avc:  denied  { ioctl } for  pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Comment 4 yafu 2018-09-06 06:35:24 UTC
(In reply to yafu from comment #0)
> Description of problem:
> SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the
> chr_file /dev/dri/renderD128
> 
> Version-Release number of selected component (if applicable):
> selinux-policy-3.13.1-223.el7.noarch
> libvirt-4.5.0-8.el7.x86_64
> qemu-kvm-rhev-2.12.0-13.el7.x86_64
> 3.10.0-940.el7.x86_64
> 
> 
> How reproducible:
> 100%
> 
> 
> Steps to Reproduce:
> 1.Create mdev device;
> 
> 2.Define a guest with spice gl:
> #virsh edit rhel7.6
> <graphics type='spice'>
>       <listen type='none'/>
>       <gl enable='yes' rendernode='/dev/dri/renderD128'/>
> </graphics>
> 
> 3.Start the guest:
> #virsh start rhel7.6
> error: Failed to start domain rhel7.6
> error: internal error: qemu unexpectedly closed the monitor:
> 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available
> 2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node
> for SPICE GL
> 
> 4.Check the syslog:
> #cat /var/log/messages
> Sep  5 19:09:40 localhost python: SELinux is preventing
> /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128.
> 
> Actual results:
> Guest failed to start
> 
> Expected results:
> Guest should start successfully
> 
> 
> Additional info:
> 1.Audit messages:
> type=AVC msg=audit(1536145479.767:4598): avc:  denied  { open } for 
> pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222
> scontext=system_u:system_r:svirt_t:s0:c73,c409
> tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
> type=AVC msg=audit(1536145479.769:4599): avc:  denied  { ioctl } for 
> pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222
> ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409
> tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Sorry for the wrong paste of the audit message. The right audit message is:
type=AVC msg=audit(1536215083.599:708): avc:  denied  { read write } for  pid=18806 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=145623 scontext=system_u:system_r:svirt_t:s0:c39,c589 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

And if I set the SELinux status to permissive, the SELinux messages in syslog are as follows:
# cat /var/log/messages  | grep -i setroubleshoot
Sep  6 14:30:54 localhost dbus[4505]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Sep  6 14:30:54 localhost dbus[4505]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Sep  6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep  6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep  6 14:30:54 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep  6 14:30:55 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from using the execmem access on a process. For complete SELinux messages run: sealert -l 40bb2b0e-9b4f-4f0d-a0bf-3ef32b67daa0

The audit message is as follows:
type=AVC msg=audit(1536215454.006:770): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.006:770): avc:  denied  { open } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.008:771): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.014:772): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.017:773): avc:  denied  { execmem } for  pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1
type=AVC msg=audit(1536215454.293:779): avc:  denied  { map } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.293:779): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Comment 5 Milos Malik 2018-09-06 08:09:20 UTC
The denial which contains { execmem } can be solved by enabling the virt_use_execmem boolean. The rest of the SELinux denials need to be fixed in a new build of selinux-policy.
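
The triage described in comments 4 and 5, as an added example that is not part of the bug report or of selinux-policy: a Python script that parses the AVC records posted in comment 4, groups them by source type, target type and object class, and prints the Type Enforcement allow rules a local policy module (the kind `audit2allow -M` builds) would need as a stopgap until the fixed selinux-policy from the errata is installed. The sample records are copied from comment 4; the boolean hint table is a hypothetical stand-in built from comment 5 (audit2allow consults the real policy for this). The ioctlcmd field is decoded as the 16-bit ioctl command, type byte in the high half and number in the low half; 0x64 is ASCII 'd', the DRM ioctl type, so both denied ioctls are DRM calls. The optional `allowxperm` whitelist restricts the ioctl permission to exactly those two commands and needs a policy version with extended permissions.

```python
"""Turn SELinux AVC denials into the allow rules they imply (audit2allow-style).

Added example for this bug report, not code from the report or from
selinux-policy. SAMPLE_AVC is copied from comment 4; BOOLEAN_HINTS is a
hypothetical table built from comment 5.
"""
import re
from collections import defaultdict

# AVC records copied from comment 4 (permissive-mode run).
SAMPLE_AVC = [
    'type=AVC msg=audit(1536215454.006:770): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1536215454.006:770): avc:  denied  { open } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1536215454.008:771): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1536215454.014:772): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1536215454.017:773): avc:  denied  { execmem } for  pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1',
    'type=AVC msg=audit(1536215454.293:779): avc:  denied  { map } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
]

# Fields we need from one AVC record. ioctlcmd appears only on ioctl denials
# and holds the low 16 bits of the ioctl request (type byte << 8 | nr) in hex;
# older kernels print it without a 0x prefix, as in the records above.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"(?:ioctlcmd=(?:0x)?(?P<ioctlcmd>[0-9a-fA-F]+).*?)?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Denials an existing boolean already covers (comment 5). Hypothetical table
# for this example; audit2allow derives the real answer from the loaded policy.
BOOLEAN_HINTS = {("svirt_t", "svirt_t", "process", "execmem"): "virt_use_execmem"}


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def ioctl_type_nr(cmd):
    """Split a 16-bit ioctl command into (type char, number); 'd' is the DRM type."""
    return chr(cmd >> 8), cmd & 0xFF


def parse_avc(line):
    """Parse one AVC denial record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "ioctlcmd": int(m.group("ioctlcmd"), 16) if m.group("ioctlcmd") else None,
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {"perms": set(), "ioctls": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = rules[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        if rec["ioctlcmd"] is not None:
            entry["ioctls"].add(rec["ioctlcmd"])
    return dict(rules)


def boolean_hints(rules):
    """Booleans that would resolve some of the aggregated denials without a module."""
    hints = []
    for (src, tgt, cls), info in rules.items():
        for perm in sorted(info["perms"]):
            hint = BOOLEAN_HINTS.get((src, tgt, cls, perm))
            if hint and hint not in hints:
                hints.append(hint)
    return hints


def te_rules(rules, xperms=False):
    """Render TE allow rules; xperms=True also emits an allowxperm ioctl whitelist."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        tgt_ref = "self" if src == tgt else tgt
        out.append(f"allow {src} {tgt_ref}:{cls} {{ {' '.join(sorted(info['perms']))} }};")
        if xperms and info["ioctls"]:
            cmds = " ".join(f"0x{c:04x}" for c in sorted(info["ioctls"]))
            out.append(f"allowxperm {src} {tgt_ref}:{cls} ioctl {{ {cmds} }};")
    return out


if __name__ == "__main__":
    agg = aggregate(SAMPLE_AVC)
    for hint in boolean_hints(agg):
        print(f"# consider: setsebool -P {hint} on")
    print("\n".join(te_rules(agg, xperms=True)))
```

The execmem denial is reported as a boolean hint rather than a rule, matching comment 5; the remaining denials collapse into a single `allow svirt_t dri_device_t:chr_file { ioctl map open read write };`. Any module built from that line grants every svirt_t guest access to every render node, so treat it as a scoped stopgap and remove it once the errata build of selinux-policy is installed.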

Comment 11 errata-xmlrpc 2018-10-30 10:09:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111