Bug 1592688 - SELinux is preventing /usr/libexec/qemu-kvm from map access
Summary: SELinux is preventing /usr/libexec/qemu-kvm from map access
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1553085
Reported: 2018-06-19 07:04 UTC by Junxiang Li
Modified: 2018-10-30 10:06 UTC (History)

Fixed In Version: selinux-policy-3.13.1-205.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-30 10:05:46 UTC
Target Upstream Version:
yafu: needinfo-


External trackers:
System                 | ID             | Priority | Status | Summary                                                      | Last Updated
Red Hat Bugzilla       | 1514538        | None     | CLOSED | libvirt + qemu + hugepages won't start with SElinux enabled  | 2019-06-15 08:25:01 UTC
Red Hat Product Errata | RHBA-2018:3111 | None     | None   | None                                                         | 2018-10-30 10:06:45 UTC

Internal Links: 1514538

Description Junxiang Li 2018-06-19 07:04:22 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from map access

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c296,c387 
Target Context                system_u:object_r:svirt_image_t:s0
Target Objects                Please check message
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-204.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com
Alert Count                   1
First Seen                    <Unknown>
Last Seen                     2018-06-19 03:00:00 EDT
Local ID                      <Unknown>

Raw Audit Messages
type=AVC msg=audit(1529373654.545:13947): avc:  denied  { map } for  pid=20718 comm="qemu-kvm" path=2F6465762F687567657061676573324D2F6C6962766972742F71656D752F312D61766F6361646F2D76742D766D312F71656D755F6261636B5F6D656D2E5F6F626A656374735F72616D2D6E6F6465302E34315147524F202864656C6574656429 dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0

Hash: qemu-kvm,svirt_t,svirt_image_t,file,map

Comment 2 Milos Malik 2018-06-20 08:58:05 UTC
Here is the same SELinux denial interpreted by ausearch -i:
type=AVC msg=audit(06/19/2018 04:00:54.545:13947) : avc:  denied  { map } for  pid=20718 comm=qemu-kvm path=/dev/hugepages2M/libvirt/qemu/1-avocado-vt-vm1/qemu_back_mem._objects_ram-node0.41QGRO (deleted) dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0 

Comment 3 Milos Malik 2018-06-20 09:15:20 UTC
I wonder why the deleted file is labeled svirt_image_t. Is it really a virtual machine image?

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_security_guide/#sect-Virtualization_Security_Guide-sVirt-Labels

Comment 4 Milos Malik 2018-06-20 09:16:55 UTC
Sorry, I meant to write "Virtual Machine Shared Read/Write Content" instead of "Virtual Machine Image".

Comment 5 Junxiang Li 2018-06-20 09:44:01 UTC
(In reply to Milos Malik from comment #3)
> I wonder why the deleted file is labeled svirt_image_t. Is it really a
> virtual machine image?
>  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_security_guide/#sect-Virtualization_Security_Guide-sVirt-Labels

Sorry, I'm not sure.

Hi yafu,
Could you help answer this question?

Comment 6 Luyao Huang 2018-06-21 02:17:26 UTC
This file is created by qemu-kvm (in this case qemu creates a tmp file, mmaps the memory, and then deletes the file), and the directory /dev/hugepages2M/libvirt/qemu/1-avocado-vt-vm1/ is created by libvirt, which changes this dir's context to system_u:object_r:svirt_image_t:s0:cxxx,cxxx; that is why this file is labeled svirt_image_t.

I checked that this issue has already been fixed in Fedora (see bug 1514538); here is the result of sesearch in F28:

# sesearch -A -s svirt_t -t svirt_image_t
allow svirt_t svirt_image_t:file map;
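
An added example, not code from this bug's participants or from the selinux-policy project: it decodes the hex-encoded path in the raw AVC record from the description the way ausearch -i does in comment 2, derives the allow rule that comment 6 found present in Fedora's policy, and tags the denial as the hugepage memory-backend case comment 6 explains (an unlinked file on hugetlbfs, not a guest disk image). The raw record is the one quoted in the description; the second record, the `classify` label and the set of hex-encoded field names are my own constructions and assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input: the raw AVC record quoted in this bug's description.
# The kernel hex-encodes "untrusted" string fields (path, comm, ...) whenever they
# contain a space, quote or control character; here the trigger is the space in
# the " (deleted)" suffix, which is why the path is unreadable in the raw line.
RAW_AVC = (
    'type=AVC msg=audit(1529373654.545:13947): avc:  denied  { map } for  pid=20718 '
    'comm="qemu-kvm" '
    'path=2F6465762F687567657061676573324D2F6C6962766972742F71656D752F312D61766F6361646F2D76742D766D312F71656D755F6261636B5F6D656D2E5F6F626A656374735F72616D2D6E6F6465302E34315147524F202864656C6574656429 '
    'dev="hugetlbfs" ino=452846 scontext=system_u:system_r:svirt_t:s0:c296,c387 '
    'tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0'
)

# Constructed contrast case (not from the bug): a plain read denial on a real disk
# image, whose path needs no hex encoding and is therefore quoted literally.
IMAGE_AVC = (
    'type=AVC msg=audit(1529373700.000:13950): avc:  denied  { read } for  pid=20718 '
    'comm="qemu-kvm" path="/var/lib/libvirt/images/guest.qcow2" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:svirt_t:s0:c296,c387 '
    'tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0'
)

# Fields the audit subsystem may hex-encode (assumed set). Restricting decoding to
# these avoids mangling numeric fields such as ino=452846, which are also valid hex.
HEX_ENCODED_FIELDS = {"path", "comm", "exe", "name", "cwd", "proctitle"}

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RESULT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


@dataclass
class AvcEvent:
    result: str                       # "denied" or "granted"
    perms: List[str]                  # permissions requested, e.g. ["map"]
    fields: Dict[str, str] = field(default_factory=dict)


def decode_audit_value(key: str, value: str) -> str:
    """Undo the audit encoding of one key=value pair (what `ausearch -i` does for us)."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1]            # quoted means literal, never hex
    if key in HEX_ENCODED_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line: str) -> AvcEvent:
    """Parse one raw type=AVC record into its result, permission set and decoded fields."""
    m = _RESULT_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line[:60])
    fields = {k: decode_audit_value(k, v) for k, v in _FIELD_RE.findall(line)}
    return AvcEvent(result=m.group(1), perms=m.group(2).split(), fields=fields)


def selinux_type(context: str) -> str:
    """user:role:type:level -> type (e.g. svirt_t), ignoring the MCS categories."""
    return context.split(":")[2]


def allow_rule(ev: AvcEvent) -> str:
    """The policy rule whose absence caused the denial, in the form sesearch prints it."""
    return "allow %s %s:%s { %s };" % (
        selinux_type(ev.fields["scontext"]),
        selinux_type(ev.fields["tcontext"]),
        ev.fields["tclass"],
        " ".join(ev.perms),
    )


def classify(ev: AvcEvent) -> str:
    """Triage label (my own naming): a `map` denial on an unlinked hugetlbfs file is
    qemu's memory-backend file as comment 6 describes, not a guest disk image."""
    path = ev.fields.get("path", "")
    if ev.fields.get("dev") == "hugetlbfs" and path.endswith(" (deleted)") and "map" in ev.perms:
        return "hugepage-memory-backend"
    return "other"


if __name__ == "__main__":
    for line in (RAW_AVC, IMAGE_AVC):
        ev = parse_avc(line)
        print(ev.result, ev.perms, ev.fields["path"])
        print("  missing rule:", allow_rule(ev), "->", classify(ev))
```

Run against the raw record, the decoded path matches the ausearch -i output in comment 2 and the derived rule matches the F28 sesearch line above; on a system with setools installed, `sesearch -A -s svirt_t -t svirt_image_t -c file -p map` is the direct check for whether the installed policy already carries it.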

Comment 7 yanqzhan@redhat.com 2018-06-22 06:32:28 UTC
Added keyword "TestBlocker"; it blocks several libvirt "Guest NUMA memory binding" function tests. Please resolve ASAP.

Comment 12 errata-xmlrpc 2018-10-30 10:05:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

