Bug 1812427
| Summary: | Failed to start guest with virtiofs filesystem device if starting libvirtd foreground | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | yafu <yafu> |
| Component: | libvirt | Assignee: | Virtualization Maintenance <virt-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Lili Zhu <lizhu> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 9.0 | CC: | jtomko, lmen, lvrabec, mmalik, plautrba, ssekidde, virt-maint, xuzhang |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-09-11 07:26:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, I'd like to ask if this is a common scenario in real deployment or if it is for testing purposes only: > 1.Start libvirtd foreground: > #systemctl stop libvirtd > #systemctl stop virtlogd > #virtlogd -d > #libvirtd -d Altough there is no process name in the denial: > type=AVC msg=audit(1583920682.174:161643): avc: denied { connectto } for pid=3030821 comm="qemu-kvm" path="/var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c173,c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c173,c1023 tclass=unix_stream_socket permissive=0 the content clearly indicates it is a service in the unconfined_t domain which is assigned to processes running from the console, and this is not a problem to be addressed in selinux-policy. (In reply to Zdenek Pytela from comment #2) > Hi, > > I'd like to ask if this is a common scenario in real deployment or if it is > for testing purposes only: There is layer product using this scenario not just for testing. > > > 1.Start libvirtd foreground: > > #systemctl stop libvirtd > > #systemctl stop virtlogd > > #virtlogd -d > > #libvirtd -d > > Altough there is no process name in the denial: > > type=AVC msg=audit(1583920682.174:161643): avc: denied { connectto } for pid=3030821 comm="qemu-kvm" path="/var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c173,c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c173,c1023 tclass=unix_stream_socket permissive=0 > > the content clearly indicates it is a service in the unconfined_t domain > which is assigned to processes running from the console, and this is not a > problem to be addressed in selinux-policy. Thanks for your suggestion. I will change the component to libvirt. Bulk update: Move RHEL-AV bugs to RHEL9. If necessary to resolve in RHEL8, then clone to the current RHEL8 release. After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. |
Description of problem: Start libvirtd foreground, then start a guest with virtiofs device: # virsh start vm1 error: Failed to start domain vm1 error: internal error: process exited while connecting to monitor: 2020-03-11T09:58:02.174949Z qemu-kvm: -chardev socket,id=chr-vu-ua-1035e984-8238-46e1-bf56-b546246e1a39,path=/var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock: Failed to connect socket /var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock: Permission denied Version-Release number of selected component (if applicable): libvirt-6.0.0-9.el8.x86_64 qemu-kvm-4.2.0-13.module+el8.2.0+5898+fb4bceae.x86_64 selinux-policy-3.14.3-40.el8.noarch How reproducible: 100% Steps to Reproduce: 1.Start libvirtd foreground: #systemctl stop libvirtd #systemctl stop virtlogd #virtlogd -d #libvirtd -d 2.Prepare a guest with virtiofs filesystem device: #virsh edit vm1 ... <memoryBacking> <hugepages> <page size='2048' unit='KiB'/> </hugepages> <access mode='shared'/> </memoryBacking> ... <cpu mode='host-model' check='partial'> <numa> <cell id='0' cpus='0-7' memory='2097152' unit='KiB' memAccess='shared'/> </numa> </cpu> ... <device> ... <filesystem type='mount' accessmode='passthrough'> <driver type='virtiofs' queue='1024'/> <binary path='/usr/libexec/virtiofsd' xattr='on'> <cache mode='always'/> <lock posix='on' flock='on'/> </binary> <source dir='/path'/> <target dir='mount_tag'/> <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/> </filesystem> ... </device> 3.Start guest: #virsh start vm1 error: Failed to start domain vm1 error: internal error: process exited while connecting to monitor: 2020-03-11T09:58:02.174949Z qemu-kvm: -chardev socket,id=chr-vu-ua-1035e984-8238-46e1-bf56-b546246e1a39,path=/var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock: Failed to connect socket /var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock: Permission denied Actual results: Expected results: qemu-kvm permission denied when connecting to the virtiofsd.sock if starting libvirtd foreground Additional info: 1.Check syslog: SELinux is preventing qemu-kvm from connectto access on the unix_stream_socket /var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock. For complete SELinux messages run: sealert -l 635d00e4-cafe-47c0-94f2-bd07a72d4e34 2.# ausearch -m AVC -ts boot | grep -i qemu-kvm type=AVC msg=audit(1583920682.174:161643): avc: denied { connectto } for pid=3030821 comm="qemu-kvm" path="/var/lib/libvirt/qemu/domain-6-vm1/ua-1035e984-8238-46e1-bf56-b546246e1a39-virtiofsd.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c173,c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c173,c1023 tclass=unix_stream_socket permissive=0