Bug 2223727

Summary: Allow access to /dev/udmabuf (dma_device_t) from libvirt qemu (svirt_t)
Product: Red Hat Enterprise Linux 9 Reporter: Jonathon Jongsma <jjongsma>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: NEW --- QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: high    
Version: 9.3CC: lvrabec, mmalik, nknazeko, smitterl, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 9.3Flags: jjongsma: needinfo? (nknazeko)
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2032406    

Description Jonathon Jongsma 2023-07-18 16:34:08 UTC 
Bug 2032406 adds support for the virtio-gpu 'blob' feature to libvirt. This in turn requires qemu to access /dev/udmabuf. selinux prevents access to this device.

I get the following AVC messages when running in permissive mode:

time->Tue Jul 18 11:29:31 2023
type=PROCTITLE msg=audit(1689697771.305:3860): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D76647061626C6F636B2D746573742C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1689697771.305:3860): arch=c000003e syscall=257 success=yes exit=33 a0=ffffff9c a1=55fe1ab9bda6 a2=2 a3=0 items=0 ppid=1 pid=267438 auid=21811 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=25 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 key=(null)
type=AVC msg=audit(1689697771.305:3860): avc:  denied  { open } for  pid=267438 comm="qemu-kvm" path="/dev/udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1689697771.305:3860): avc:  denied  { read write } for  pid=267438 comm="qemu-kvm" name="udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
Comment 1 Nikola Knazekova 2023-07-27 17:36:02 UTC 
Hi Jonathon,

here is PR with the fix: https://github.com/fedora-selinux/selinux-policy/pull/1804