Bug 2014390

Summary: AVC denied when start/destroy vm with lock_manager=lockd
Product: Red Hat Enterprise Linux 9
Reporter: Fangge Jin <fjin>
Component: libvirt
Assignee: khanicov
Status: CLOSED DUPLICATE
QA Contact: Han Han <hhan>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: hhan, jsuchane, lmen, virt-maint, xuzhang
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-04 16:08:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Fangge Jin 2021-10-15 06:35:36 UTC
Description of problem:
Set lock_manager='lockd' for qemu, vm can't start with error:
# virsh start guest1
error: Failed to start domain 'guest1'
error: internal error: Process exited prior to exec: libvirt: XML-RPC error : Failed to connect socket to '/run/libvirt/virtlockd-sock': Permission denied


Version-Release number of selected component (if applicable):
libvirt-client-7.6.0-5.module+el8.5.0+12933+58cb48a1.x86_64
selinux-policy-3.14.3-80.el8.noarch


How reproducible:
100%

Steps to Reproduce:
1. Set lock_manager to lockd for qemu:
# grep -Ev "^$|^#" /etc/libvirt/qemu.conf 
lock_manager = "lockd"

# grep -Ev "^$|^#" /etc/libvirt/qemu-lockd.conf 
auto_disk_leases = 1
require_lease_for_disks = 1
file_lockspace_dir = "/var/lib/libvirt/lockd/files"

# systemctl restart virtlockd; systemctl restart libvirtd

2. Try to start a vm:
# virsh start guest1
error: Failed to start domain 'guest1'
error: internal error: Process exited prior to exec: libvirt: XML-RPC error : Failed to connect socket to '/run/libvirt/virtlockd-sock': Permission denied

3. Check audit log:
# ausearch -m avc 
----
time->Fri Oct 15 02:17:43 2021
type=PROCTITLE msg=audit(1634278663.494:2039): proctitle=2F7573722F7362696E2F6C69627669727464002D2D74696D656F757400313230
type=SYSCALL msg=audit(1634278663.494:2039): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f1b225c2000 a2=6e a3=1 items=0 ppid=62389 pid=62390 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-worker" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1634278663.494:2039): avc:  denied  { connectto } for  pid=62390 comm="rpc-worker" path="/run/libvirt/virtlockd-sock" scontext=system_u:system_r:svirt_t:s0:c283,c415 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


4. Allow the access by:
# ausearch -c 'rpc-worker' --raw | audit2allow -M my-rpcworker
# semodule -X 300 -i my-rpcworker.pp

5. Start vm:
# virsh start guest1
Domain 'guest1' started

6. Destroy vm:
# virsh destroy guest1
Domain 'guest1' destroyed

There is new avc denied info when destroying vm:
----
time->Fri Oct 15 02:25:15 2021
type=PROCTITLE msg=audit(1634279115.270:2213): proctitle="/usr/sbin/virtlockd"
type=SYSCALL msg=audit(1634279115.270:2213): arch=c000003e syscall=62 success=no exit=-1 a0=f6be a1=f a2=55d20227c298 a3=55d20224de40 items=0 ppid=1 pid=63042 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlockd" exe="/usr/sbin/virtlockd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1634279115.270:2213): avc:  denied  { kill } for  pid=63042 comm="virtlockd" capability=5  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0


Actual results:


Expected results:


Additional info:

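The two AVC records quoted in the description can be read mechanically: each names the source type, the target type, the object class and the permission that was refused, which is exactly what step 4's audit2allow turns into an allow rule. The following is an added example, not code from the reporter, libvirt or the audit tools: it parses AVC lines (the sample input is the two records copied from this report), extracts those fields, and prints the allow rule each denial implies, so that the generated rule can be reviewed before a module is built and loaded. The field layout it assumes is the standard `key=value` form of an auditd AVC record.

```python
"""Parse SELinux AVC denial records and derive the allow rule each implies.

Added example for this bug report (not code from libvirt, auditd or
audit2allow). Sample input below is the two AVC lines quoted in the
report's description.
"""
import re
from typing import Optional

# Sample input: the two AVC records from the bug description (copied from
# the report, not captured by this script).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1634278663.494:2039): avc:  denied  { connectto } for  '
    'pid=62390 comm="rpc-worker" path="/run/libvirt/virtlockd-sock" '
    'scontext=system_u:system_r:svirt_t:s0:c283,c415 '
    'tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(1634279115.270:2213): avc:  denied  { kill } for  '
    'pid=63042 comm="virtlockd" capability=5  '
    'scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 '
    'tclass=capability permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# One key=value pair; values are either double-quoted or whitespace-free.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return a record dict, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw, inner in FIELD_RE.findall(m.group("fields")):
        fields[key] = inner if raw.startswith('"') else raw
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "tclass": fields.get("tclass", "?"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def allow_rule(rec: dict) -> str:
    """Build the policy rule that would silence this denial, in audit2allow's style:
    the target becomes 'self' when source and target types are the same, and
    multiple permissions are grouped in braces."""
    target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm_str};"


def derive_rules(lines) -> list:
    """Return the allow rules implied by every denial in an iterable of audit lines."""
    return [
        allow_rule(rec)
        for rec in map(parse_avc, lines)
        if rec is not None and rec["result"] == "denied"
    ]


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        print(
            f"{rec['stype']} -> {rec['ttype']} ({rec['tclass']}: {' '.join(rec['perms'])})"
            f"  comm={rec['fields'].get('comm')}  =>  {allow_rule(rec)}"
        )
```

Fed the `ausearch -m avc --raw` output instead of the embedded sample, the script lists one candidate rule per denial. For this report it yields `allow svirt_t virtlogd_t:unix_stream_socket connectto;` (the QEMU-side process connecting to the virtlockd socket, whose daemon runs as virtlogd_t per the SYSCALL record) and `allow virtlogd_t self:capability kill;` (virtlockd signalling a process on destroy). Seeing the rule in this form before running `semodule -i` makes it clear which domain is being widened and why, which is the review audit2allow's generated module does not give you by itself.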
Comment 1 Jaroslav Suchanek 2021-11-04 15:35:46 UTC
Also described here: https://bugzilla.redhat.com/show_bug.cgi?id=1824722#c1

Comment 2 Jaroslav Suchanek 2021-11-04 15:43:33 UTC
(In reply to Jaroslav Suchanek from comment #1)
> Also described here: https://bugzilla.redhat.com/show_bug.cgi?id=1824722#c1

Please disregard this, it's not related.

Comment 3 Jaroslav Suchanek 2021-11-04 16:08:25 UTC

*** This bug has been marked as a duplicate of bug 1792713 ***