Bug 1835909
| Summary: | [8.3 regression] avc: denied { read write } for comm="qemu-kvm" path="/dev/mapper/control | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.3 | CC: | berrange, ddepaula, dyuan, hhan, lvrabec, mmalik, mrezanin, pasik, plautrba, ssekidde, yafu |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.3 | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-07-29 17:31:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Danilo, Has there any change been made recently in qemu or libvirt that requires access to /dev/mapper/control? Are you aware of such change? (In reply to Danilo Cesar Lemes de Paula from comment #2) > Are you aware of such change? qemu-pr-helper is using this device. Hello, another AVC on /dev/mapper/control:
Jul 5 23:55:32 hp-dl385g10-15 setroubleshoot[133559]: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file /dev/mapper/control. For complete SELinux messages run: sealert -l 1bebe53c-661b-40be-be50-6d7e0fb553dc
Jul 5 23:55:32 hp-dl385g10-15 platform-python[133559]: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file /dev/mapper/control.#012#012***** Plugin leaks (86.2 confidence) suggests *****************************#012#012If you want to ignore qemu-kvm trying to read write access the control chr_file, because you believe it should not need this access.#012Then you should report this as a bug. #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/libexec/qemu-kvm --raw | audit2allow -D -M my-qemu-kvm#012# semodule -X 300 -i my-qemu-kvm.pp#012#012***** Plugin catchall (14.7 confidence) suggests **************************#012#012If you believe that qemu-kvm should be allowed read write access on the control chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
type=AVC msg=audit(1594007728.748:547): avc: denied { read write } for pid=133543 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=23598 scontext=system_u:system_r:svirt_t:s0:c65,c755 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1594007728.748:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f9fd4053a30 a1=7f9fd405c810 a2=7f9fd4056700 a3=7f9ff92da343 items=0 ppid=1 pid=133543 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c65,c755 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"
Version:
libvirt-6.4.0-1.module+el8.3.0+6881+88468c00.x86_64
qemu-kvm-5.0.0-0.module+el8.3.0+6620+5d5e1420.x86_64
selinux-policy-3.14.3-48.el8.noarch
Steps:
Just start a VM
VM XML:
<domain type='kvm' id='3'>
<name>new</name>
<uuid>442bbb67-01ac-4329-9b4f-ca90b638da0b</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://fedoraproject.org/fedora/31"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<vcpu placement='static'>2</vcpu>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type arch='x86_64' machine='pc-i440fx-rhel7.6.0'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<vmport state='off'/>
</features>
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC-IBPB</model>
<vendor>AMD</vendor>
<feature policy='require' name='x2apic'/>
<feature policy='require' name='tsc-deadline'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='tsc_adjust'/>
<feature policy='require' name='arch-capabilities'/>
<feature policy='require' name='xsaves'/>
<feature policy='require' name='cmp_legacy'/>
<feature policy='require' name='perfctr_core'/>
<feature policy='require' name='clzero'/>
<feature policy='require' name='virt-ssbd'/>
<feature policy='require' name='rdctl-no'/>
<feature policy='require' name='skip-l1dfl-vmentry'/>
<feature policy='require' name='mds-no'/>
<feature policy='require' name='pschange-mc-no'/>
<feature policy='disable' name='monitor'/>
<feature policy='disable' name='svm'/>
<feature policy='require' name='topoext'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/var/lib/libvirt/images/new.qcow2' index='1'/>
<backingStore/>
<target dev='vda' bus='virtio'/>
<alias name='virtio-disk0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
</disk>
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<alias name='usb'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</controller>
<controller type='virtio-serial' index='0'>
<alias name='virtio-serial0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pci-root'>
<alias name='pci.0'/>
</controller>
<interface type='network'>
<mac address='52:54:00:92:3c:bc'/>
<source network='default' portid='784f8140-3dca-4233-a4aa-7ae67df3b458' bridge='virbr0'/>
<target dev='vnet0'/>
<model type='virtio'/>
<alias name='net0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/5'/>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
<alias name='serial0'/>
</serial>
<console type='pty' tty='/dev/pts/5'>
<source path='/dev/pts/5'/>
<target type='serial' port='0'/>
<alias name='serial0'/>
</console>
<channel type='unix'>
<source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-3-new/org.qemu.guest_agent.0'/>
<target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
<alias name='channel0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
<alias name='channel1'/>
<address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
<input type='tablet' bus='usb'>
<alias name='input0'/>
<address type='usb' bus='0' port='1'/>
</input>
<input type='mouse' bus='ps2'>
<alias name='input1'/>
</input>
<input type='keyboard' bus='ps2'>
<alias name='input2'/>
</input>
<graphics type='spice'>
<listen type='none'/>
<image compression='off'/>
<gl enable='no'/>
</graphics>
<sound model='ich9'>
<alias name='sound0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</sound>
<video>
<model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'>
<acceleration accel3d='no'/>
</model>
<alias name='video0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir0'/>
<address type='usb' bus='0' port='2'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<alias name='redir1'/>
<address type='usb' bus='0' port='3'/>
</redirdev>
<memballoon model='virtio'>
<alias name='balloon0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<alias name='rng0'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x0c' function='0x0'/>
</rng>
</devices>
<seclabel type='dynamic' model='selinux' relabel='yes'>
<label>system_u:system_r:svirt_t:s0:c65,c755</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c65,c755</imagelabel>
</seclabel>
<seclabel type='dynamic' model='dac' relabel='yes'>
<label>+107:+107</label>
<imagelabel>+107:+107</imagelabel>
</seclabel>
</domain>
Please check the bug is really fixed or an another issue.
There is a difference: * comment#0 shows an SELinux denial which contains svirt_tcg_t in the source context * comment#9 shows an SELinux denial which contains svirt_t in the source context (In reply to Milos Malik from comment #10) > There is a difference: > * comment#0 shows an SELinux denial which contains svirt_tcg_t in the > source context > * comment#9 shows an SELinux denial which contains svirt_t in the source > context Thank you. I filed a new bug for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1854040 Closing as a dup of bz#1858260. For additional information refer to bz#1822522. *** This bug has been marked as a duplicate of bug 1858260 *** |
Description of problem: In a recent refresh of our cockpit rhel 8.3 CI test image, all libvirt related tests now run into a new SELinux policy violation: kernel: audit: type=1400 audit(1589437107.542:4): avc: denied { read write } for pid=128585 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11500 scontext=system_u:system_r:svirt_tcg_t:s0:c43,c398 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0 Example journal: https://logs.cockpit-project.org/logs/pull-864-20200514-055447-c43ff2a7-rhel-8-3-cockpit-project-cockpit/TestMachines-testAutostart-rhel-8-3-127.0.0.2-2201-FAIL.log.gz Version-Release number of selected component (if applicable): libvirt-daemon-kvm-6.0.0-17.module+el8.3.0+6423+e4cb6418.x86_64 selinux-policy-3.14.3-43.el8