Bug 1732500
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux denies qemu-kvm { search } of /proc when using TCG instead of KVM | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Katerina Koukiou <kkoukiou> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 8.1 | CC | berrange, lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone | rc | Flags | pm-rhel: mirror+ |
| Target Release | 8.1 | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.14.3-13.el8 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2019-11-05 22:12:08 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547
Description of problem:

When running guests with TCG instead of KVM, I can see in the journal the following AVC denials:

```
avc: denied { search } for pid=6542 comm="qemu-kvm" name="1636" dev="proc" ino=33592 scontext=system_u:system_r:svirt_tcg_t:s0:c638,c665 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir
```

Version-Release number of selected component (if applicable):

```
selinux-policy-3.14.3-8.el8.noarch
qemu-kvm-common-2.12.0-77.module+el8.1.0+3382+49219945.x86_64
```

How reproducible:

Always

Steps to Reproduce:

1. modprobe -r kvm_intel && modprobe -r kvm_amd && modprobe -r kvm
2. Run a guest with virt-install, e.g.:
   virt-install --connect qemu:///system --name test --os-variant cirros0.4.0 --memory 256 --quiet --disk /var/lib/libvirt/images/example.img,device=disk --noautoconsole --import --graphics spice,listen=127.0.0.1 --graphics vnc,listen=127.0.0.1
3. See the AVC denial in the journal

Actual results:

There is already an existing rule for this, but not for TCG. See:

```
# echo "avc: denied { search } for pid=6542 comm="qemu-kvm" name="1636" dev="proc" ino=33592 scontext=system_u:system_r:svirt_tcg_t:s0:c638,c665 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0" | audit2allow

#============= svirt_tcg_t ==============
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	mlsconstrain dir { ioctl read lock search } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED

#	Possible cause is the source level (s0:c638,c665) and target level (s0-s0:c0.c1023) are different.
allow svirt_tcg_t virtd_t:dir search;
```

But replacing svirt_tcg_t with svirt_t would whitelist it:

```
# echo "avc: denied { search } for pid=6542 comm="qemu-kvm" name="1636" dev="proc" ino=33592 scontext=system_u:system_r:svirt_t:s0:c638,c665 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0" | audit2allow

#============= svirt_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow svirt_t virtd_t:dir search;
```

Expected results:

The above rule should be extended to also include svirt_tcg_t.
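The triage the reporter does by hand above (read the AVC line, compare it against what audit2allow says, then look for an existing rule for the sibling type) can be scripted. The following is an added example, not code from the bug report or from selinux-policy: it parses a denial line, pulls out source/target type, class and permissions, flags the MCS level mismatch that audit2allow reports as the likely cause of the mlsconstrain failure, and prints the sesearch commands that check whether the installed policy already carries an allow or dontaudit rule for that tuple. The sample line is constructed to match the one in the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy.
# Requires only POSIX sh, sed and cut; the printed sesearch commands need
# setools-console to actually run against the loaded policy.

# Constructed sample, modelled on the denial quoted in the report.
SAMPLE_AVC='avc:  denied  { search } for  pid=6542 comm="qemu-kvm" name="1636" dev="proc" ino=33592 scontext=system_u:system_r:svirt_tcg_t:s0:c638,c665 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=0'

# avc_field LINE KEY: value of KEY=value on the line, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set between the braces, e.g. "search".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# Type (third field) and MLS/MCS level (fourth field onward) of a security context.
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# levels_differ SCONTEXT TCONTEXT: succeeds when the two levels are not
# identical. audit2allow names exactly this as the probable cause when it
# prints an mlsconstrain violation, and a plain allow rule does not clear a
# constraint, so check it before drafting a rule.
levels_differ() {
    [ "$(ctx_level "$1")" != "$(ctx_level "$2")" ]
}

# policy_checks LINE: one sesearch -A (allow) and one sesearch -D (dontaudit)
# query per denied permission, for the source/target/class in the line.
policy_checks() {
    pc_line=$1
    pc_src=$(ctx_type "$(avc_field "$pc_line" scontext)")
    pc_tgt=$(ctx_type "$(avc_field "$pc_line" tcontext)")
    pc_cls=$(avc_field "$pc_line" tclass)
    for pc_perm in $(avc_perms "$pc_line"); do
        printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$pc_src" "$pc_tgt" "$pc_cls" "$pc_perm"
        printf 'sesearch -D -s %s -t %s -c %s -p %s\n' "$pc_src" "$pc_tgt" "$pc_cls" "$pc_perm"
    done
}

# triage LINE: one-line summary suitable for pasting into a bug comment.
triage() {
    tr_line=$1
    tr_sctx=$(avc_field "$tr_line" scontext)
    tr_tctx=$(avc_field "$tr_line" tcontext)
    if levels_differ "$tr_sctx" "$tr_tctx"; then
        tr_note="level mismatch ($(ctx_level "$tr_sctx") vs $(ctx_level "$tr_tctx")): expect an mlsconstrain violation, a plain allow rule will not clear it"
    else
        tr_note="levels match: a missing allow rule is the likely cause"
    fi
    printf '%s -> %s:%s { %s }; %s\n' \
        "$(ctx_type "$tr_sctx")" "$(ctx_type "$tr_tctx")" \
        "$(avc_field "$tr_line" tclass)" "$(avc_perms "$tr_line")" "$tr_note"
}

triage "$SAMPLE_AVC"
policy_checks "$SAMPLE_AVC"
```

To apply it to a live system, feed it real lines, for example `journalctl -k | grep 'avc:  denied'`, one per call, and run the printed sesearch commands once with the type from the denial and once with the sibling type (here svirt_t) to see which rules the installed policy already has.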