Bug 1624224 - SELinux is preventing /usr/libexec/qemu-kvm from map access on the blk_file /dev/pmem0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-08-31 02:48 UTC by yafu
Modified: 2018-10-30 10:10 UTC (History)

Fixed In Version: selinux-policy-3.13.1-223.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:09:38 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:10:13 UTC)

Description yafu 2018-08-31 02:48:11 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from map access on the blk_file /dev/pmem0

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-222.el7.noarch
libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-12.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Modify host kernel line, add "memmap=mG!nG" 
# vi /etc/default/grub
add "memmap=4G!20G"
# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Reboot the machine, check the command line.

2. Reboot host, check /dev/pmem0 in host

3. Start a guest with the nvdimm device:
#virsh edit iommu1
...
  <maxMemory slots='16' unit='M'>2048</maxMemory>
  <memory unit='M'>1024</memory>
  <currentMemory unit='M'>512</currentMemory>
  <vcpu placement='static'>4</vcpu>
......
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
    <numa>
      <cell id='0' cpus='0-1' memory='512' unit='M'/>
      <cell id='1' cpus='2-3' memory='512' unit='M'/>
    </numa>
  </cpu>
...
    <memory model='nvdimm' access='shared'>
      <source>
        <path>/dev/pmem0</path>
      </source>
      <target>
        <size unit='M'>512</size>
        <node>1</node>
        <label>
          <size unit='KiB'>256</size>
        </label>
      </target>
      <address type='dimm' slot='0'/>
    </memory>

#virsh start iommu
error: Failed to start domain iommu1
error: internal error: qemu unexpectedly closed the monitor: qemu_madvise: Invalid argument
madvise doesn't support MADV_DONTDUMP, but dump_guest_core=off specified
2018-08-30T07:46:10.832678Z qemu-kvm: -object memory-backend-file,id=memnvdimm2,prealloc=yes,mem-path=/dev/pmem0,share=yes,size=536870912: unable to map backing store for guest RAM: Permission denied


Actual results:
Guest failed to start since SELinux is preventing /usr/libexec/qemu-kvm from map access on the blk_file /dev/pmem0.

Expected results:
Guest can start successfully.

Additional info:
1. It works well with selinux-policy-3.13.1-192.el7_5.6.

2. Audit Message:
type=AVC msg=audit(1535683268.428:37591): avc:  denied  { map } for  pid=183632 comm="qemu-kvm" path="/dev/pmem0" dev="devtmpfs" ino=11030 scontext=system_u:system_r:svirt_t:s0:c162,c454 tcontext=system_u:object_r:svirt_image_t:s0:c162,c454 tclass=blk_file permissive=0


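To triage a denial like the one in the audit message above, the useful step is to pull the source type, target type, object class and requested permission out of the AVC record and check whether the denial was actually enforced (permissive=0). The following Python is an added example, not part of the bug report or of selinux-policy/libvirt; the first sample line is the AVC message quoted above, the second is a constructed permissive-mode line added for contrast, and the allow-rule string it produces is the audit2allow-style reading of the denial, not a claim about the rule shipped in selinux-policy-3.13.1-223.el7.

```python
import re

# Sample audit lines: the first is the AVC denial from the bug report,
# the second is constructed here to show a permissive-mode (not enforced) hit.
AVC_LINES = [
    'type=AVC msg=audit(1535683268.428:37591): avc:  denied  { map } for  pid=183632 '
    'comm="qemu-kvm" path="/dev/pmem0" dev="devtmpfs" ino=11030 '
    'scontext=system_u:system_r:svirt_t:s0:c162,c454 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c162,c454 tclass=blk_file permissive=0',
    'type=AVC msg=audit(1535683300.001:37600): avc:  denied  { read write } for  pid=183640 '
    'comm="qemu-kvm" path="/dev/pmem1" dev="devtmpfs" ino=11031 '
    'scontext=system_u:system_r:svirt_t:s0:c10,c20 '
    'tcontext=system_u:object_r:device_t:s0 tclass=blk_file permissive=1',
]

# Fixed prefix of an AVC record; the trailing part is free-form key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value where the value is either a quoted string or a run of non-spaces
# (security contexts contain ':' and ',' but never spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # permissive=0 means the kernel really refused the access.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type:level."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """audit2allow-style rendering of the denied access, for reading only."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    )


def summarize(lines):
    """Reduce a list of audit lines to the facts a triager needs per denial."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        out.append({
            "comm": rec.get("comm"),
            "path": rec.get("path"),
            "source_type": context_type(rec["scontext"]),
            "target_type": context_type(rec["tcontext"]),
            "tclass": rec["tclass"],
            "perms": rec["perms"],
            "enforced": rec["enforced"],
            # svirt_image_t on the target is libvirt's dynamic sVirt label
            # (see comment 4), not a static device label.
            "target_is_svirt_label": context_type(rec["tcontext"]) == "svirt_image_t",
            "rule": allow_rule(rec),
        })
    return out


if __name__ == "__main__":
    for entry in summarize(AVC_LINES):
        print(entry)
```

For the denial in this report the summary shows svirt_t asking for map on a blk_file labelled svirt_image_t with the access enforced, which is exactly the gap the policy update in the "Fixed In Version" field had to cover; a permissive=1 line parses the same way but is reported as not enforced, so it explains a log entry without explaining a failed guest start.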
Comment 3 Milos Malik 2018-09-03 07:02:32 UTC
Why is /dev/pmem0 labeled svirt_image_t? It should have some *_device_t label, right?

Comment 4 yafu 2018-09-03 07:39:08 UTC
(In reply to Milos Malik from comment #3)
> Why is /dev/pmem0 labeled svirt_image_t? It should have some *_device_t
> label, right?

Libvirt will label /dev/pmem0 to svirt_image_t when starting guest.

Comment 8 errata-xmlrpc 2018-10-30 10:09:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

