Bug 2169944
| Summary: | SELinux is preventing /usr/libexec/qemu-kvm from write access on the sock_file native | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Lili Zhu <lizhu> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED MIGRATED | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.2 | CC: | berrange, lmen, lvrabec, mmalik, xuzhang, yafu, zhguo, zpytela |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | 9.3 | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-16 15:14:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Fix a typo in description:

Expected results: VM can be started without any selinux settings

Please collect the SELinux denials which appear during the scenario and attach them here:

```
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
```

Thank you.

(In reply to Milos Malik from comment #2)
> Please collect the SELinux denials which appear during the scenario and
> attach them here:
>
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
>
> Thank you.

Sorry, forgot.

```
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(02/15/2023 00:23:00.763:401) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:23:00.763:401) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffe883ab280 a2=0x6e a3=0x7ffe883ab214 items=0 ppid=2381 pid=8476 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 key=(null)
type=AVC msg=audit(02/15/2023 00:23:00.763:401) : avc: denied { write } for pid=8476 comm=qemu-kvm name=native dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:29:16.348:411) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:29:16.348:411) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffd8febb600 a2=0x6e a3=0x7ffd8febb594 items=0 ppid=2381 pid=8665 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 key=(null)
type=AVC msg=audit(02/15/2023 00:29:16.348:411) : avc: denied { connectto } for pid=8665 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:29:28.549:421) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:29:28.549:421) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffd573cb5c0 a2=0x6e a3=0x7ffd573cb554 items=0 ppid=2381 pid=8758 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c798,c975 key=(null)
type=AVC msg=audit(02/15/2023 00:29:28.549:421) : avc: denied { connectto } for pid=8758 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c798,c975 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:30:03.075:434) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:30:03.075:434) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7fff226265d0 a2=0x6e a3=0x7fff22626564 items=0 ppid=2381 pid=8923 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c627,c843 key=(null)
type=AVC msg=audit(02/15/2023 00:30:03.075:434) : avc: denied { connectto } for pid=8923 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c627,c843 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:484) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:484) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001980 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null)
type=AVC msg=audit(02/15/2023 00:36:40.165:484) : avc: denied { read } for pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:485) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:485) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001c20 a2=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null)
type=AVC msg=audit(02/15/2023 00:36:40.165:485) : avc: denied { read } for pid=9225 comm=threaded-ml name=pulse dev="dm-2" ino=402653327 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:486) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:486) : arch=x86_64 syscall=rmdir success=no exit=EACCES(Permission denied) a0=0x7ff1e8001c20 a1=0x7ff1e8001c20 a2=0x0 a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null)
type=AVC msg=audit(02/15/2023 00:36:40.165:486) : avc: denied { write } for pid=9225 comm=threaded-ml name=.config dev="dm-2" ino=135 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:487) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:487) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001910 a2=O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC a3=0x180 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null)
type=AVC msg=audit(02/15/2023 00:36:40.165:487) : avc: denied { read write } for pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:488) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:488) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001910 a2=O_RDONLY a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null)
type=AVC msg=audit(02/15/2023 00:36:40.165:488) : avc: denied { read } for pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
```
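The denials above are what `audit2allow` in step 4 of the description turns into a local policy module, and a reviewer normally wants to see that set collapsed before loading it: which source type, which target types, which object classes, which permissions. The script below is an added example, not part of this bug or of the selinux-policy or audit packages. It assumes the interpreted record format produced by `ausearch -i` (records separated by `----`, contexts as `user:role:type:level`), and its sample input is a constructed subset of the AVC lines quoted in the comment above, reduced to the AVC records because the PROCTITLE and SYSCALL lines are not needed for the summary.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the ausearch output quoted in this
# bug (PROCTITLE/SYSCALL records dropped). Not a capture from a new system.
SAMPLE = """----
type=AVC msg=audit(02/15/2023 00:23:00.763:401) : avc: denied { write } for pid=8476 comm=qemu-kvm name=native dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----
type=AVC msg=audit(02/15/2023 00:29:16.348:411) : avc: denied { connectto } for pid=8665 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
type=AVC msg=audit(02/15/2023 00:36:40.165:484) : avc: denied { read } for pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(02/15/2023 00:36:40.165:485) : avc: denied { read } for pid=9225 comm=threaded-ml name=pulse dev="dm-2" ino=402653327 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/15/2023 00:36:40.165:486) : avc: denied { write } for pid=9225 comm=threaded-ml name=.config dev="dm-2" ino=135 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(02/15/2023 00:36:40.165:487) : avc: denied { read write } for pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
"""

# "avc: denied { read write } for <key=value ...>" as printed by ausearch -i
AVC_RE = re.compile(
    r"type=AVC .*?avc: +(?P<decision>denied|granted) +\{ (?P<perms>[^}]*)\} for "
    r"(?P<rest>.*)$"
)
# key=value pairs; a value may be double-quoted (dev="tmpfs") or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of user:role:type:level, e.g. svirt_t."""
    return context.split(":")[2]


def parse_avc_lines(text):
    """Turn interpreted AVC records into dicts; non-AVC lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        events.append({
            "decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm"),
            # path= is present for socket targets, name= for file/dir targets
            "object": fields.get("path") or fields.get("name"),
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            # permissive=0 means the denial was enforced, not just logged
            "enforcing": fields.get("permissive") == "0",
        })
    return events


def summarize(events):
    """Collapse denials into (source type, target type, class) -> perms."""
    summary = defaultdict(set)
    for e in events:
        if e["decision"] != "denied":
            continue
        summary[(e["stype"], e["ttype"], e["tclass"])] |= e["perms"]
    return dict(summary)


def as_allow_rules(summary):
    """Render the summary in allow-rule syntax, for comparison with audit2allow."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == "__main__":
    events = parse_avc_lines(SAMPLE)
    for e in events:
        print("%-12s %-8s %s -> %s:%s %s" % (e["comm"], "enforced" if e["enforcing"]
              else "permissive", e["stype"], e["ttype"], e["tclass"], e["object"]))
    print()
    for rule in as_allow_rules(summarize(events)):
        print(rule)
```

Run against the records in this bug, the summary shows that the module from step 4 would grant `svirt_t` write on a `user_tmp_t` socket file, `connectto` to an `unconfined_t` stream socket, and read/write under the user's `pulseaudio_home_t` and `config_home_t` directories; because `svirt_t` is shared by every libvirt guest on the host, each of those rules applies to all guests, which is the reason to review the generated module rather than install it unread.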
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from write access on the sock_file native

Version-Release number of selected component (if applicable):
selinux-policy-38.1.5-1.el9.noarch
libvirt-9.0.0-3.el9.x86_64
qemu-kvm-7.2.0-6.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. define a VM with non-root user

   ```
   $ virsh list --all
    Id   Name             State
   --------------------------------
    1    avocado-vt-vm1   running
   ```

2. check the VM audio related definition

   ```
   ...
   <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
     <listen type='address' address='127.0.0.1'/>
   </graphics>
   <sound model='ich9'>
     <alias name='sound0'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
   </sound>
   <audio id='1' type='pulseaudio' serverName='/run/user/1000/pulse/native'/>
   ...
   ```

3. start the VM

   ```
   $ virsh start avocado-vt-vm1
   error: Failed to start domain 'avocado-vt-vm1'
   error: internal error: process exited while connecting to monitor: pulseaudio: pa_context_connect() failed
   pulseaudio: Reason: Connection refused
   pulseaudio: Failed to initialize PA context
   audio: Could not init `pa' audio driver
   ```

4. solve the issues mentioned by setroubleshoot

   ```
   # setsebool -P virt_use_xserver 1
   # ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
   # semodule -X 300 -i my-qemukvm.pp
   ```

5. VM can be started

   ```
   $ virsh start avocado-vt-vm1
   Domain 'avocado-vt-vm1' started
   ```

Actual results:
VM can not be started if not solving the issues mentioned by selinux.

Expected results:
VM can not be started without any selinux settings

Additional info:
VM can be started without any selinux settings on RHEL9.0:
https://bugzilla.redhat.com/show_bug.cgi?id=1997725#c16