Bug 1584011 - vhost-vsock cannot be labeled by libvirt
Summary: vhost-vsock cannot be labeled by libvirt
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
: 1591105 (view as bug list)
Depends On:
Blocks: 1291851
TreeView+ depends on / blocked
Reported: 2018-05-30 07:24 UTC by Ján Tomko
Modified: 2018-10-30 10:05 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-30 10:04:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1591105 None CLOSED SELINUX prevent qemu-kvm process started by libvirt to read/write /dev/vhost-vsock 2019-06-15 08:24:57 UTC
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:05:17 UTC

Internal Links: 1591105

Description Ján Tomko 2018-05-30 07:24:41 UTC
Description of problem:
Libvirt's new vhost-vsock device support for QEMU does not work with SELinux.

Version-Release number of selected component (if applicable):
libvirt v4.4.0 (to be released in a week - tested by running 'make rpm' in libvirt git)

Steps to Reproduce:
1. Start a machine with a <vsock/> device with SELinux enforcing.
Libvirt calls:
open("/dev/vhost-vsock", O_RDWR)
then gives the file descriptor to QEMU via O_CLOEXEC.

Actual results:
*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read write access on the vhost-vsock chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c605,c870
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/vhost-vsock [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           qemu-kvm-rhev-2.9.0-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     winston
Platform                      Linux winston 3.10.0-783.el7.x86_64 #1 SMP Tue Nov
                              14 06:28:36 EST 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-21 16:53:56 CEST
Last Seen                     2018-05-21 16:53:56 CEST
Local ID                      e14e2b20-9618-4afa-9282-0818d7136d9a

Raw Audit Messages
type=AVC msg=audit(1526914436.107:17377): avc:  denied  { read write } for  pid=16200 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=583662 scontext=system_u:system_r:svirt_t:s0:c605,c870 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1526914436.107:17377): arch=x86_64 syscall=execve success=yes exit=0 a0=7fe9a0010bf0 a1=7fe9a0010160 a2=7fe9a001f3d0 a3=8 items=0 ppid=1 pid=16200 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c605,c870 key=(null)

Hash: qemu-kvm,svirt_t,device_t,chr_file,read,write

Expected results:
No AVC denial.

Additional info:
Libvirt cannot use the per-domain label on the file descriptor, because the vhost-vsock device can be used by multiple domains.

Comment 1 Lukas Vrabec 2018-06-03 16:03:06 UTC
Fix from Fedora:

commit cbbf81af2e284b667d10052d76b4f1d9c183e82a
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Apr 18 15:33:39 2018 +0200

    Label /dev/vhost-vsock char device as vhost_device_t

Comment 3 Lukas Vrabec 2018-06-25 08:51:15 UTC
*** Bug 1591105 has been marked as a duplicate of this bug. ***

Comment 6 errata-xmlrpc 2018-10-30 10:04:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.