Red Hat Bugzilla – Bug 1533183
SELinux is preventing qemu-kvm from access access on the infiniband_pkey Unknown
Last modified: 2018-04-10 08:48:22 EDT
Description of problem:
SELinux is preventing qemu-kvm from access access on the infiniband_pkey Unknown

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-184.el7.noarch
libvirt-3.9.0-7.el7.x86_64
qemu-kvm-rhev-2.10.0-15.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. prepare a guest on source host
# virsh list --all
 Id    Name                           State
----------------------------------------------------
 7     rhel74                         running

2. set the link layer of both hosts as infiniband
# ibstat
CA 'mlx4_0'
    CA type: MT4103
    Number of ports: 2
    Firmware version: 2.40.7000
    Hardware version: 0
    Node GUID: 0xe41d2d0300482610
    System image GUID: 0xe41d2d0300482613
    Port 1:
        State: Active
        Physical state: LinkUp
        Rate: 56
        Base lid: 1
        LMC: 0
        SM lid: 2
        Capability mask: 0x0259486a
        Port GUID: 0xe41d2d0300482611
        Link layer: InfiniBand
    Port 2:
        State: Initializing
        Physical state: LinkUp
        Rate: 56
        Base lid: 0
        LMC: 0
        SM lid: 0
        Capability mask: 0x02594868
        Port GUID: 0xe41d2d0300482612
        Link layer: InfiniBand

3. check the mode of selinux
# getenforce
Enforcing

4. migrate the guest to target host
# virsh migrate --live --migrateuri rdma://targetIP rhel74 --listen-address 0.0.0.0 qemu+ssh://targetIP/system --verbose

Actual results:
migration failed, it reports:
error: internal error: unable to execute QEMU command 'migrate': RDMA ERROR: rdma migration: error allocating qp!

# sealert -l d1a1c3e4-a5eb-4b01-ade4-6ce2eaea9adb
****SELinux is preventing qemu-kvm from access access on the infiniband_pkey Unknown.****

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-kvm should be allowed access access on the Unknown infiniband_pkey by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c337,c605
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                Unknown [ infiniband_pkey ]
Source                        qemu-kvm
Source Path                   qemu-kvm
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-184.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     *****
Platform                      Linux ***** 3.10.0-814.el7.x86_64 #1 SMP Thu Dec 7 09:55:02 EST 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2018-01-10 11:08:48 EST
Last Seen                     2018-01-10 11:08:48 EST
Local ID                      d1a1c3e4-a5eb-4b01-ade4-6ce2eaea9adb

Raw Audit Messages
type=AVC msg=audit(1515600528.771:340): avc: denied { access } for pid=3374 comm="qemu-kvm" pkey=0xffff subnet_prefix=0:0:0:80fe:: scontext=system_u:system_r:svirt_t:s0:c337,c605 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey

Hash: qemu-kvm,svirt_t,unlabeled_t,infiniband_pkey,access

Expected results:
migration success.

Additional info:
1. RDMA migration using infiniband link layer with selinux-policy-3.13.1-166.el7_4.7.noarch can succeed
After I generate a local policy module to allow this access.
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp
The migration could succeed.
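Added example, not part of the bug report or of any Red Hat tooling: a short Python sketch that parses the AVC record quoted in the description and derives the type-enforcement allow rule the denial corresponds to, so the scope of a local module can be reviewed before it is loaded. The function names (parse_avc, context_type, te_rule, review_notes) are hypothetical.

```python
import re

# AVC record copied verbatim from the report's "Raw Audit Messages".
AVC_LINE = (
    'type=AVC msg=audit(1515600528.771:340): avc: denied { access } for '
    'pid=3374 comm="qemu-kvm" pkey=0xffff subnet_prefix=0:0:0:80fe:: '
    'scontext=system_u:system_r:svirt_t:s0:c337,c605 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """user:role:type:level -> type (the MCS level plays no part in an allow rule)."""
    return context.split(':')[2]


def te_rule(avc):
    """Build the type-enforcement allow rule that would permit this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        context_type(avc['scontext']), context_type(avc['tcontext']),
        avc['tclass'], perm_str)


def review_notes(avc):
    """Points to check before loading a module containing te_rule(avc)."""
    notes = []
    if context_type(avc['tcontext']) == 'unlabeled_t':
        notes.append('target type is unlabeled_t: the rule covers every unlabeled '
                     '%s object, not only pkey=%s' % (avc['tclass'], avc.get('pkey', '?')))
    return notes


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(te_rule(avc))
    for note in review_notes(avc):
        print('review:', note)
```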
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763