Bug 2330756

Summary: SELinux prevents qemu from reading /sys/devices/system/cpu/possible
Product: [Fedora] Fedora
Reporter: Han Han <hhan>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 42
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Hardware: Unspecified
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Last Closed: 2025-03-04 14:43:59 UTC

Description Han Han 2024-12-06 09:24:18 UTC
Version:
virt-install-4.1.0-9.fc42.noarch
libvirt-10.10.0-1.fc42.x86_64
qemu-9.2.0-0.3.rc1.fc42.x86_64
selinux-policy-41.26-1.fc42.noarch

Steps:
Create a domain by virt-install:
# virt-install --import --disk /var/lib/libvirt/images/rhel-test.qcow2 -r 4000 --machine q35 -n rhel-test --osinfo generic

Get a SELinux denial:
type=AVC msg=audit(1733476544.855:6456): avc:  denied  { read } for  pid=369525 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4677 scontext=system_u:system_r:svirt_t:s0:c199,c344 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

It turns out the file ino=4677 is /sys/devices/system/cpu/possible:
# fd possible /sys -x ls -i  
4124 /sys/devices/system/node/possible
4677 /sys/devices/system/cpu/possible

Additional info:
Not reproduced on RHEL-10:
virt-install-5.0.0-1.el10.noarch
libvirt-10.10.0-1.el10.x86_64
qemu-kvm-9.1.0-7.el10.x86_64
selinux-policy-40.13.16-1.el10.noarch

Reproducible: Always



Expected Results:  
No AVC

Comment 1 Han Han 2024-12-06 11:17:05 UTC
Cannot reproduce it on:
libvirt-10.10.0-1.fc42.x86_64
qemu-9.2.0-0.3.rc1.fc42.x86_64
selinux-policy-41.26-2.fc42.noarch
virt-install-5.0.0-1.fc42.noarch

Comment 2 Zdenek Pytela 2024-12-10 18:28:22 UTC
The same ruleset is now in F42, RHEL9, RHEL10:

f42# sesearch -A -s svirt_t -t sysfs_t -c file -p read
allow virt_domain sysfs_t:file { getattr ioctl lock open read }; [ virt_use_usb ]:True
f42# getsebool virt_use_usb
virt_use_usb --> on

Perhaps the boolean value has changed?

Needs to be investigated anyway as this use case does not seem to be related to usb devices.

Comment 3 Han Han 2024-12-11 03:05:02 UTC
yes (In reply to Zdenek Pytela from comment #2)
> The same ruleset is now in F42, RHEL9, RHEL10:
> 
> f42# sesearch -A -s svirt_t -t sysfs_t -c file -p read
> allow virt_domain sysfs_t:file { getattr ioctl lock open read }; [
> virt_use_usb ]:True
> f42# getsebool virt_use_usb
> virt_use_usb --> on
> 
> Perhaps the boolean value has changed?
> 
> Needs to be investigated anyway as this use case does not seem to be related
> to usb devices.

Yes. You are right.


(avc_detector)> setsebool virt_use_usb 0
(avc_detector)> virsh start rhel
Domain 'rhel' started

Result: 0 known AVCs and 1 new AVCs got.
============================================================
See the logs at /tmp/tmp.4tccrh029m
(avc_detector)> cat /tmp/tmp.4tccrh029m 
!!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
Search string:  read  comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:object_r:sysfs_t:s0  tclass=file 
Details: type=AVC msg=audit(1733885907.601:1162): avc:  denied  { read } for  pid=57620 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4680 scontext=system_u:system_r:svirt_t:s0:c283,c579 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
Result: 0 known AVCs and 1 new AVCs got.
============================================================
(avc_detector)> virsh destroy rhel     
Domain 'rhel' destroyed

(avc_detector)> setsebool virt_use_usb 1
(avc_detector)> virsh start rhel                               
Domain 'rhel' started


Here, avc_detector is a tool that helps report the AVC denials happening during each cmd: https://gist.github.com/qiankehan/a8b43e02aa7aaad7c02862cc5564b811
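The triage workflow in comments 2 and 3, as an added example that is not part of this bug report and not the reporter's avc_detector tool: parse AVC records the way the "Search string" in comment 3 does (MCS categories stripped, because every svirt_t guest gets a random category pair and two denials from the same guest type must compare equal), derive the sesearch query from the source/target types, and detect from sesearch's output whether the allow rule is gated on a boolean, which is the actual root cause here. The two AVC lines are copied from the report and embedded as sample input so the script runs offline; the inode lookup mirrors the reporter's `fd ... -x ls -i` step and only makes sense on the host that logged the denial, since sysfs inode numbers change between boots.

```python
"""Triage SELinux AVC denials: group by (perms, comm, scontext, tcontext, tclass)
with MCS categories dropped, emit the matching sesearch query, and check whether
the rule sesearch reports is conditional on a boolean."""
import os
import re
import sys

# Sample input: the two denial records from this bug (comments 0 and 3).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1733476544.855:6456): avc:  denied  { read } for  pid=369525 '
    'comm="qemu-system-x86" name="possible" dev="sysfs" ino=4677 '
    'scontext=system_u:system_r:svirt_t:s0:c199,c344 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1733885907.601:1162): avc:  denied  { read } for  pid=57620 '
    'comm="qemu-system-x86" name="possible" dev="sysfs" ino=4680 '
    'scontext=system_u:system_r:svirt_t:s0:c283,c579 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')      # { read write ... }
COND_RE = re.compile(r'\[\s*([^\]]+?)\s*\]:(True|False)\s*$')  # sesearch conditional suffix


def parse_avc(line):
    """Return the key=value fields of one AVC denial (quotes stripped, perms as a
    sorted list), or None for records that are not AVC denials."""
    if "avc:" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    fields["perms"] = sorted(m.group(1).split()) if m else []
    return fields


def strip_mcs(ctx):
    """user:role:type:s0:c1,c2 -> user:role:type:s0 (categories are per-guest noise)."""
    return ":".join(ctx.split(":")[:4])


def type_of(ctx):
    """Extract the SELinux type from a full security context."""
    return ctx.split(":")[2]


def signature(fields):
    """Tuple that identifies 'the same denial' across guests and boots."""
    return (" ".join(fields["perms"]), fields.get("comm", ""),
            strip_mcs(fields["scontext"]), strip_mcs(fields["tcontext"]), fields["tclass"])


def sesearch_cmd(fields):
    """The sesearch invocation that shows which allow rule (if any) would cover this denial."""
    return "sesearch -A -s %s -t %s -c %s -p %s" % (
        type_of(fields["scontext"]), type_of(fields["tcontext"]),
        fields["tclass"], ",".join(fields["perms"]))


def boolean_gate(rule_line):
    """For a rule line printed by sesearch, return (boolean_expression, current_state)
    if the rule is conditional, else None. A denial that persists while the rule
    exists and its boolean is on points at a different type/attribute than assumed."""
    m = COND_RE.search(rule_line.strip())
    return (m.group(1), m.group(2) == "True") if m else None


def triage(lines, known=()):
    """Group denials by signature, skipping signatures already in `known`."""
    known = set(known)
    groups = {}
    for line in lines:
        f = parse_avc(line)
        if f is None or signature(f) in known:
            continue
        g = groups.setdefault(signature(f), {"count": 0, "example": f,
                                             "sesearch": sesearch_cmd(f)})
        g["count"] += 1
    return groups


def resolve_inode(ino, root="/sys"):
    """Map an ino= from a sysfs denial back to a path; must run on the host that
    logged it, since sysfs inode numbers are not stable across boots."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_ino == int(ino):
                    return path
            except OSError:
                continue
    return None


if __name__ == "__main__":
    # Usage: ausearch -m avc -ts recent | python3 avc_triage.py   (or run with no stdin for the sample)
    source = SAMPLE_AVCS if sys.stdin.isatty() else sys.stdin
    for sig, g in triage(source).items():
        print("%d x %s" % (g["count"], " ".join(sig)))
        print("  query: %s" % g["sesearch"])
        if g["example"].get("dev") == "sysfs" and os.geteuid() == 0:
            print("  path:  %s" % resolve_inode(g["example"]["ino"]))
```

Fed the sesearch line from comment 2, `boolean_gate` returns `("virt_use_usb", True)`, which is the check that turns "the rule exists and the boolean is on, yet the denial still fires" into the real question of why a sysfs read for CPU topology is tied to `virt_use_usb` at all.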

Comment 4 Aoife Moloney 2025-02-26 13:19:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.