Bug 1584011 - vhost-vsock cannot be labeled by libvirt
Summary: vhost-vsock cannot be labeled by libvirt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1591105
Depends On:
Blocks: 1291851
Reported: 2018-05-30 07:24 UTC by Ján Tomko
Modified: 2018-10-30 10:05 UTC

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:04:31 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1591105 0 urgent CLOSED SELINUX prevent qemu-kvm process started by libvirt to read/write /dev/vhost-vsock 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2018:3111 0 None None None 2018-10-30 10:05:17 UTC

Internal Links: 1591105

Description Ján Tomko 2018-05-30 07:24:41 UTC
Description of problem:
Libvirt's new vhost-vsock device support for QEMU does not work with SELinux.

Version-Release number of selected component (if applicable):
libvirt v4.4.0 (to be released in a week - tested by running 'make rpm' in libvirt git)
selinux-policy-3.13.1-191.el7.noarch

Steps to Reproduce:
1. Start a machine with a <vsock/> device with SELinux enforcing.
Libvirt calls:
open("/dev/vhost-vsock", O_RDWR)
then gives the file descriptor to QEMU via O_CLOEXEC.

Actual results:
*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read write access on the vhost-vsock chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -i my-qemukvm.pp


Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c605,c870
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/vhost-vsock [ chr_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           qemu-kvm-rhev-2.9.0-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     winston
Platform                      Linux winston 3.10.0-783.el7.x86_64 #1 SMP Tue Nov
                              14 06:28:36 EST 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2018-05-21 16:53:56 CEST
Last Seen                     2018-05-21 16:53:56 CEST
Local ID                      e14e2b20-9618-4afa-9282-0818d7136d9a

Raw Audit Messages
type=AVC msg=audit(1526914436.107:17377): avc:  denied  { read write } for  pid=16200 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=583662 scontext=system_u:system_r:svirt_t:s0:c605,c870 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1526914436.107:17377): arch=x86_64 syscall=execve success=yes exit=0 a0=7fe9a0010bf0 a1=7fe9a0010160 a2=7fe9a001f3d0 a3=8 items=0 ppid=1 pid=16200 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c605,c870 key=(null)

Hash: qemu-kvm,svirt_t,device_t,chr_file,read,write

Expected results:
No AVC denial.

Additional info:
Libvirt cannot use the per-domain label on the file descriptor, because the vhost-vsock device can be used by multiple domains.

Comment 1 Lukas Vrabec 2018-06-03 16:03:06 UTC
Fix from Fedora:

commit cbbf81af2e284b667d10052d76b4f1d9c183e82a
Author: Lukas Vrabec <lvrabec>
Date:   Wed Apr 18 15:33:39 2018 +0200

    Label /dev/vhost-vsock char device as vhost_device_t
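The following Python is added here as an illustration and is not part of the bug report, of libvirt or of selinux-policy. It parses the raw AVC record quoted in the description above and tells apart the generic device_t label on /dev/vhost-vsock (the situation this bug describes, where no file context rule matched the node) from the vhost_device_t label that the fix in comment 1 assigns. The triage categories, the helper names and the embedded sample record are this example's own assumptions.

```python
import re

# Constructed sample input: the raw AVC record from this bug's description,
# joined onto one line the way auditd writes it.
AVC_SAMPLE = (
    'type=AVC msg=audit(1526914436.107:17377): avc:  denied  { read write } for  '
    'pid=16200 comm="qemu-kvm" path="/dev/vhost-vsock" dev="devtmpfs" ino=583662 '
    'scontext=system_u:system_r:svirt_t:s0:c605,c870 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
)

VHOST_VSOCK_PATH = "/dev/vhost-vsock"
GENERIC_DEVICE_TYPE = "device_t"        # fallback label for a device node no fcontext rule matches
FIXED_DEVICE_TYPE = "vhost_device_t"    # label assigned by the policy fix in comment 1

_AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-whitespace
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one raw AVC record into a dict; return None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, raw, unquoted in _FIELD_RE.findall(m.group("fields")):
        rec[key] = unquoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Return the type component of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def triage_vhost_vsock(line):
    """Classify an audit line with respect to the /dev/vhost-vsock labeling problem.

    Returns one of (categories are this example's own):
      None                 - not an AVC record
      "granted"            - audit of a permitted access, nothing to do
      "other-denial"       - a denial not involving /dev/vhost-vsock as a chr_file
      "mislabeled-device"  - target still carries the generic device_t label, i.e.
                             the situation in this bug: the remedy is the updated
                             policy plus a relabel of the node, not a local allow rule
      "policy-denial"      - node is already vhost_device_t but the access rule is missing
      "unexpected-label"   - some other type; inspect before changing anything
    """
    rec = parse_avc(line)
    if rec is None:
        return None
    if rec["decision"] == "granted":
        return "granted"
    if rec.get("path") != VHOST_VSOCK_PATH or rec.get("tclass") != "chr_file":
        return "other-denial"
    ttype = context_type(rec.get("tcontext", ""))
    if ttype == GENERIC_DEVICE_TYPE:
        return "mislabeled-device"
    if ttype == FIXED_DEVICE_TYPE:
        return "policy-denial"
    return "unexpected-label"


if __name__ == "__main__":
    rec = parse_avc(AVC_SAMPLE)
    print(f"{rec['comm']} ({context_type(rec['scontext'])}) -> {rec['path']} "
          f"({context_type(rec['tcontext'])}) perms={rec['perms']}")
    print("triage:", triage_vhost_vsock(AVC_SAMPLE))
```

The distinction matters for the workaround the sealert output suggests: running audit2allow on this denial produces a rule allowing svirt_t read/write on every device_t chr_file, which is far broader than the access libvirt needs. With the fixed selinux-policy installed, relabeling the node (for example with restorecon) gives it the vhost_device_t type, after which no such denial should appear.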

Comment 3 Lukas Vrabec 2018-06-25 08:51:15 UTC
*** Bug 1591105 has been marked as a duplicate of this bug. ***

Comment 6 errata-xmlrpc 2018-10-30 10:04:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

