Bug 2035702
| Summary: | SELinux is preventing /usr/libexec/qemu-kvm from map access on the chr_file /dev/vhost-vdpa-0 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | yafu <yafu> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | CC: | lvrabec, mmalik, ssekidde, yalzhang |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-34.1.21-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 15:50:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
These permissions are already allowed:
rhel9# sesearch -A -s svirt_t -t vhost_device_t -c chr_file
allow virt_domain vhost_device_t:chr_file { append getattr ioctl lock read write };
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: selinux-policy), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:3918
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from map access on the chr_file /dev/vhost-vdpa-0

Version-Release number of selected component (if applicable):
selinux-policy-34.1.20-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. Create a vdpa device:
   1) Load the kernel modules with the following commands:
      [user@host ~]# modprobe vdpa
      [user@host ~]# modprobe vhost_vdpa
      [user@host ~]# modprobe vdpa_sim
      [user@host ~]# modprobe vdpa_sim_net
      Check that the module is probed successfully:
      [user@host ~]# vdpa mgmtdev show
      vdpasim_net:
        supported_classes net
   2) Create the vdpa device with the vdpa tool:
      [user@host ~]# vdpa dev add name vdpa0 mgmtdev vdpasim_net
      [user@host ~]# ls -l /sys/bus/vdpa/devices
      total 0
      lrwxrwxrwx. 1 root root 0 Aug 9 01:19 vdpa0 -> ../../../devices/vdpa0
2. Edit the guest and add a vdpa interface:
   # virsh edit r9
   ...
   <interface type='vdpa'>
     <source dev='/dev/vhost-vdpa-0'/>
   </interface>
   ...
3. Start the guest:
   # date; virsh start r9 ; date
   Sun Dec 26 10:21:03 PM EST 2021
   Domain 'r9' started
   Sun Dec 26 10:21:04 PM EST 2021
4. Check the syslog while the guest boots:
   Dec 26 22:21:16 dell-per740xd-15 setroubleshoot[31404]: SELinux is preventing /usr/libexec/qemu-kvm from map access on the chr_file /dev/vhost-vdpa-0. For complete SELinux messages run: sealert -l ab58ed2a-51a8-48ae-8cce-a808bd6d0136
   Dec 26 22:21:16 dell-per740xd-15 setroubleshoot[31404]: SELinux is preventing /usr/libexec/qemu-kvm from map access on the chr_file /dev/vhost-vdpa-0.

     ***** Plugin catchall (100. confidence) suggests **************************

     If you believe that qemu-kvm should be allowed map access on the vhost-vdpa-0 chr_file by default.
     Then you should report this as a bug.
     You can generate a local policy module to allow this access.
     Do
     allow this access for now by executing:
     # ausearch -c 'CPU 0/KVM' --raw | audit2allow -M my-CPU0KVM
     # semodule -X 300 -i my-CPU0KVM.pp
5. AVC denial:
   time->Sun Dec 26 22:21:14 2021
   type=PROCTITLE msg=audit(1640575274.465:1513): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D72392C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A22726177222C2266696C65223A222F
   type=SYSCALL msg=audit(1640575274.465:1513): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=2 a3=1 items=0 ppid=1 pid=31328 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=43505520302F4B564D exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c135,c969 key=(null)
   type=AVC msg=audit(1640575274.465:1513): avc: denied { map } for pid=31328 comm=43505520302F4B564D path="/dev/vhost-vdpa-0" dev="devtmpfs" ino=876 scontext=system_u:system_r:svirt_t:s0:c135,c969 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0

Actual results:

Expected results:
No AVC denial while booting a guest with a vdpa device.

Additional info:
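Added triage script for this denial (not part of the bug report, the reporter's steps, or the selinux-policy package). It parses the AVC and SYSCALL records quoted in step 5, decodes the hex-encoded comm= field and the mmap(2) arguments, and repeats the sesearch check from the earlier comment, this time asking for the map permission specifically rather than listing every chr_file permission. The two records are copied from this bug and embedded as constants so the parsing runs offline; only the sesearch step needs an SELinux host with setools installed. The decoded values are properties of the records themselves: auditd hex-encodes comm= when the thread name contains a space, and 43505520302F4B564D is "CPU 0/KVM"; syscall=9 on arch=c000003e is mmap(2) on x86_64; a1=1000, a2=2, a3=1 are a 4096-byte PROT_WRITE, MAP_SHARED mapping; exit=-13 is -EACCES. That is the shape of the mapping QEMU makes of a vhost-vdpa virtqueue's host-notifier (doorbell) page, which is why the read/write/ioctl rules already present for vhost_device_t are not sufficient and the chr_file map permission is what the fix has to add.

```shell
#!/bin/sh
# Added triage script for this bug (not part of the report or of selinux-policy).
# It parses the AVC/SYSCALL records quoted in the description, decodes the
# hex comm= field and the mmap(2) arguments, and asks the loaded policy with
# setools' sesearch whether svirt_t already has the denied permission.
# The two records below are copied from the bug and embedded so the parsing
# runs offline; only the sesearch step needs a real SELinux host.

AVC_RECORD='type=AVC msg=audit(1640575274.465:1513): avc: denied { map } for pid=31328 comm=43505520302F4B564D path="/dev/vhost-vdpa-0" dev="devtmpfs" ino=876 scontext=system_u:system_r:svirt_t:s0:c135,c969 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0'
SYSCALL_RECORD='type=SYSCALL msg=audit(1640575274.465:1513): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=2 a3=1 items=0 ppid=1 pid=31328 uid=107 gid=107 exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c135,c969'

# Print the value of one key=value field of an audit record ($1 record, $2 key).
# The key is anchored on a preceding blank so that pid= does not match ppid=,
# and the optional quotes audit puts around string values are stripped.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# auditd hex-encodes comm= (and proctitle=) when the value contains a space or
# a quote; 43505520302F4B564D is the vCPU thread name "CPU 0/KVM".
hex_to_ascii() {
    out=''
    for pair in $(printf '%s\n' "$1" | sed 's/../& /g'); do
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
    done
    printf '%s' "$out"
}

# Pull the pieces of the denial a policy query needs into PERM STYPE TTYPE
# TCLASS COMM (the third colon-separated field of a context is the type).
parse_avc() {
    PERM=$(printf '%s\n' "$AVC_RECORD" | sed -n 's/.*denied *{ *\([^}]*\) }.*/\1/p')
    STYPE=$(audit_field "$AVC_RECORD" scontext | cut -d: -f3)
    TTYPE=$(audit_field "$AVC_RECORD" tcontext | cut -d: -f3)
    TCLASS=$(audit_field "$AVC_RECORD" tclass)
    COMM=$(hex_to_ascii "$(audit_field "$AVC_RECORD" comm)")
}

# Decode the SYSCALL record: on x86_64 (arch=c000003e) syscall 9 is mmap(2);
# a1 is the length, a2 the PROT_* bits, a3 the MAP_* flags, exit=-13 is -EACCES.
mmap_decode() {
    [ "$(audit_field "$SYSCALL_RECORD" arch)" = "c000003e" ] &&
    [ "$(audit_field "$SYSCALL_RECORD" syscall)" = "9" ] ||
        { echo "not an x86_64 mmap record"; return 1; }
    len=$(( 0x$(audit_field "$SYSCALL_RECORD" a1) ))
    prot=$(( 0x$(audit_field "$SYSCALL_RECORD" a2) ))
    flags=$(( 0x$(audit_field "$SYSCALL_RECORD" a3) ))
    p=''; f=''
    [ $((prot & 1)) -ne 0 ] && p="${p:+$p|}READ"
    [ $((prot & 2)) -ne 0 ] && p="${p:+$p|}WRITE"
    [ $((prot & 4)) -ne 0 ] && p="${p:+$p|}EXEC"
    [ $((flags & 1)) -ne 0 ] && f="${f:+$f|}SHARED"
    [ $((flags & 2)) -ne 0 ] && f="${f:+$f|}PRIVATE"
    printf 'mmap len=%d prot=%s flags=%s exit=%s\n' \
        "$len" "${p:-NONE}" "${f:-0}" "$(audit_field "$SYSCALL_RECORD" exit)"
}

# Does the loaded policy allow $1 -> $2:$3 { $4 }?  sesearch -p is used so that
# a rule granting only read/write/ioctl does not count as allowing map.
# Returns 2 when sesearch (package setools-console) is not installed.
policy_allows() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q '^allow '
}

parse_avc
echo "denied: $STYPE -> $TTYPE:$TCLASS { $PERM } by thread '$COMM'"
mmap_decode
policy_allows "$STYPE" "$TTYPE" "$TCLASS" "$PERM"
rc=$?
case $rc in
    0) echo "loaded policy already allows { $PERM }; the denial came from an older policy build" ;;
    2) echo "sesearch not available; install setools-console to query the loaded policy" ;;
    *) echo "no allow rule for { $PERM }: the policy needs the fix (selinux-policy-34.1.21-1.el9)" ;;
esac
```

On a host with selinux-policy-34.1.20-1.el9 the query finds no allow rule for map (the earlier comment's sesearch output lists only append getattr ioctl lock read write), and the fix is the updated package rather than the audit2allow module that setroubleshoot suggests. If such a local module was installed in the meantime with semodule -X 300, it stays loaded after the package update and should be removed again with semodule -X 300 -r my-CPU0KVM so that the effective policy is the one shipped in the errata.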