Bug 2063612

Summary: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t
Product: Red Hat Enterprise Linux 9 Reporter: Han Han <hhan>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 9.0CC: fjin, lvrabec, mmalik, pgm-rhel-tools, pvlasin, ssekidde, xiaohli, xuzhang, zpytela
Target Milestone: rcKeywords: TestBlocker, Triaged
Target Release: 9.0   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.1.29-1.el9_0 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2070569 (view as bug list) Environment:
Last Closed: 2022-05-17 15:50:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2070569    
Deadline: 2022-03-29   

Description Han Han 2022-03-14 02:59:17 UTC 
Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-8.0.0-6.el9.x86_64
selinux-policy-34.1.27-1.el9.noarch
qemu-kvm-6.2.0-11.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare hosts with rmda network
2. Start an VM
3. Migrate it to another host:
# virsh migrate --live --migrateuri rdma://192.168.100.4 test --listen-address 0.0.0.0 qemu+tls://root@XXXX/system --verbose --p2p

error: internal error: unable to execute QEMU command 'migrate': RDMA ERROR: result not equal to event_addr_resolved RDMA_CM_EVENT_ADDR_ERROR

Actual results:
The selinux log from src host:
Mar 13 22:48:02 dell-per740-03 setroubleshoot[192705]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 5697551a-cb70-4a3d-b3f5-afbb9bba6580
Mar 13 22:48:02 dell-per740-03 setroubleshoot[192705]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012

The selinux log from dest host:
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 33434fea-bdc7-4e2b-9ff7-2963990771b2
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 33434fea-bdc7-4e2b-9ff7-2963990771b2
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012


Note: If the selinux is permissive on both hosts, the migration could pass.


Expected results:
No selinux denials.

Additional info:
Comment 3 Han Han 2022-03-14 03:25:28 UTC 
Update: The error is still there after `setenforce 0` on both hosts.
Comment 4 Zdenek Pytela 2022-03-14 14:11:38 UTC 
Han Han,

Please attach audit log and the output of the following command:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Apart from the audited denials, is there any problem with the service as such?
Can you isolate with which version of livbirt, qemu, or other library this started to happen?
Comment 5 Fangge Jin 2022-03-15 01:28:27 UTC 
See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
Comment 6 Han Han 2022-03-15 02:13:34 UTC 
(In reply to Zdenek Pytela from comment #4)
> Han Han,
> 
> Please attach audit log and the output of the following command:
> 
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:740) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:740) : arch=x86_64 syscall=socket success=yes exit=24 a0=netlink a1=SOCK_RAW a2=hmp a3=0x7f384033faa0 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:740) : avc:  denied  { create } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:741) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:741) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x18 a1=SOL_SOCKET a2=SO_SNDBUF a3=0x7ffd3ddebdf8 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:741) : avc:  denied  { setopt } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:742) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:742) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x18 a1=0x556298c870a0 a2=0xc a3=0x20 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:742) : avc:  denied  { bind } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:743) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SOCKADDR msg=audit(03/14/2022 22:06:18.065:743) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=1338017757 } 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:743) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x18 a1=0x7ffd3ddebe44 a2=0x7ffd3ddebe40 a3=0x20 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:743) : avc:  denied  { getattr } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1
> 
> Apart from the audited denials, is there any problem with the service as
> such?
Yes. The error of enforcing mode and permissive mode are different. That indicates SELinux prevents some process or service:
enforcing mode:
➜  ~ virsh migrate --live --migrateuri rdma://192.168.128.10 test --listen-address 192.168.128.10 qemu+ssh://root.lab.eng.bos.redhat.com/system --verbose --p2p
error: internal error: unable to execute QEMU command 'migrate-incoming': RDMA ERROR: Error: could not rdma_bind_addr!

permissive mode:
➜  ~ virsh migrate --live --migrateuri rdma://192.168.128.10 test --listen-address 192.168.128.10 qemu+ssh://root.lab.eng.bos.redhat.com/system --verbose --p2p
error: operation failed: migration out job: unexpectedly failed

> Can you isolate with which version of livbirt, qemu, or other library this
> started to happen?
The avc denial starts not later than selinux-policy-3.14.3-41.el8.noarch libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64  qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64 (https://bugzilla.redhat.com/show_bug.cgi?id=1822518)
I am not sure if any earlier versions are affected
Comment 7 Zdenek Pytela 2022-03-17 15:40:48 UTC 
Han Han,

If you think this problem qualifies for an exception, please put down justification and we will process is further.

Otherwise I'd target this bz to RHEL 9.1.

I also spotted RHEL 8 packages referenced here:
> The avc denial starts not later than selinux-policy-3.14.3-41.el8.noarch libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
> qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64 (https://bugzilla.redhat.com/show_bug.cgi?id=1822518)

Not sure if it matters.


Fangge Jin: 
> See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
Does this still mean support for the rdma socket should be allowed because there are benefits?
Comment 8 Fangge Jin 2022-03-18 02:26:33 UTC 
(In reply to Zdenek Pytela from comment #7)

> Fangge Jin: 
> > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> Does this still mean support for the rdma socket should be allowed because
> there are benefits?
I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to migate wia RDMA uri: ERROR: result not equal to event_addr_resolved RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug
Comment 12 Zdenek Pytela 2022-03-28 08:39:21 UTC 
(In reply to Fangge Jin from comment #8)
> (In reply to Zdenek Pytela from comment #7)
> 
> > Fangge Jin: 
> > > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> > Does this still mean support for the rdma socket should be allowed because
> > there are benefits?
> I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to
> migate wia RDMA uri: ERROR: result not equal to event_addr_resolved
> RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug

Given this information, can we remove the TestBlocker keyword?
Comment 13 Han Han 2022-03-30 03:59:01 UTC 
T(In reply to Zdenek Pytela from comment #12)
> (In reply to Fangge Jin from comment #8)
> > (In reply to Zdenek Pytela from comment #7)
> > 
> > > Fangge Jin: 
> > > > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> > > Does this still mean support for the rdma socket should be allowed because
> > > there are benefits?
> > I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to
> > migate wia RDMA uri: ERROR: result not equal to event_addr_resolved
> > RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug
> 
> Given this information, can we remove the TestBlocker keyword?

I disagree with this idea.
From https://bugzilla.redhat.com/show_bug.cgi?id=2063615#c2 , then errors are different when SELinux is enforcing or permissive.
It indicates SELinux also prevents the RDMA migration. So it could be the TestBlocker for RMDA.
Comment 25 Zdenek Pytela 2022-04-05 13:23:32 UTC 
*** Bug 2070569 has been marked as a duplicate of this bug. ***
Comment 27 errata-xmlrpc 2022-05-17 15:50:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918