Bug 1625613 - SELinux is preventing /usr/libexec/qemu-kvm from ioctl/open/read/write/map/mem/execmem access on the chr_file /dev/dri/renderD128
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1654309 1564153
Reported: 2018-09-05 11:13 UTC by yafu
Modified: 2019-03-07 15:49 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:09:41 UTC
Target Upstream Version:


Links: Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:10:52 UTC)

Description yafu 2018-09-05 11:13:06 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-223.el7.noarch
libvirt-4.5.0-8.el7.x86_64
qemu-kvm-rhev-2.12.0-13.el7.x86_64
3.10.0-940.el7.x86_64


How reproducible:
100%


Steps to Reproduce:
1. Create mdev device;

2. Define a guest with spice gl:
#virsh edit rhel7.6
<graphics type='spice'>
      <listen type='none'/>
      <gl enable='yes' rendernode='/dev/dri/renderD128'/>
</graphics>

3. Start the guest:
#virsh start rhel7.6
error: Failed to start domain rhel7.6
error: internal error: qemu unexpectedly closed the monitor: 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available
2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node for SPICE GL

4. Check the syslog:
#cat /var/log/messages
Sep  5 19:09:40 localhost python: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128.

Actual results:
Guest failed to start

Expected results:
Guest should start successfully


Additional info:
1. Audit messages:
type=AVC msg=audit(1536145479.767:4598): avc:  denied  { open } for  pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536145479.769:4599): avc:  denied  { ioctl } for  pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Comment 4 yafu 2018-09-06 06:35:24 UTC
(In reply to yafu from comment #0)

Sorry for the wrong paste of the audit message. The right audit message is:
type=AVC msg=audit(1536215083.599:708): avc:  denied  { read write } for  pid=18806 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=145623 scontext=system_u:system_r:svirt_t:s0:c39,c589 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0

And if I set the SELinux status to permissive, the SELinux messages in syslog are as follows:
# cat /var/log/messages  | grep -i setroubleshoot
Sep  6 14:30:54 localhost dbus[4505]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Sep  6 14:30:54 localhost dbus[4505]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Sep  6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep  6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77
Sep  6 14:30:54 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep  6 14:30:55 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4
Sep  6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from using the execmem access on a process. For complete SELinux messages run: sealert -l 40bb2b0e-9b4f-4f0d-a0bf-3ef32b67daa0

The audit message is as follows:
type=AVC msg=audit(1536215454.006:770): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.006:770): avc:  denied  { open } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.008:771): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.014:772): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.017:773): avc:  denied  { execmem } for  pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1
type=AVC msg=audit(1536215454.293:779): avc:  denied  { map } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.293:779): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1

Comment 5 Milos Malik 2018-09-06 08:09:20 UTC
The denial which contains { execmem } can be solved by enabling the virt_use_execmem boolean. The rest of the SELinux denials need to be fixed in a new build of selinux-policy.
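The denials quoted in comment 4 and the split comment 5 draws, as an added example that is not code from the bug report or from the selinux-policy project: a small Python parser folds the AVC lines into the per-type permission set the bug title lists (ioctl/open/read/write/map on dri_device_t, execmem on the process) and separates the boolean-solvable execmem denial from the device accesses that needed a policy build. The allow rule it prints is the audit2allow-style translation of the denials, not the rule actually shipped in the errata.

```python
import re
from collections import defaultdict

# AVC denials copied from comment 4 of this bug report (one line per permission).
AVC_LINES = """\
type=AVC msg=audit(1536215454.006:770): avc:  denied  { read write } for  pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.006:770): avc:  denied  { open } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.008:771): avc:  denied  { ioctl } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1536215454.017:773): avc:  denied  { execmem } for  pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1
type=AVC msg=audit(1536215454.293:779): avc:  denied  { map } for  pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<s>\S+) "
    r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)(?: permissive=(?P<p>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    ioctl = re.search(r"ioctlcmd=(\S+)", line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": m.group("s").split(":")[2],  # context is user:role:type:level
        "ttype": m.group("t").split(":")[2],
        "tclass": m.group("c"),
        "permissive": m.group("p") == "1",
        "ioctlcmd": ioctl.group(1) if ioctl else None,
    }

def summarize(text):
    """Union the denied permissions per (source type, target type, class)."""
    need = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            need[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: sorted(v) for k, v in need.items()}

def remediation(summary):
    """Split groups as comment 5 does: execmem -> boolean, the rest -> policy rule."""
    fixes = {}
    for (s, t, c), perms in summary.items():
        if c == "process" and perms == ["execmem"]:
            fixes[(s, t, c)] = "setsebool -P virt_use_execmem on"
        else:
            fixes[(s, t, c)] = "policy: allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
    return fixes
```

Feeding the whole audit log through summarize() instead of the five sample lines gives the same two groups; setroubleshoot's own "SELinux is preventing ..." lines are ignored because they carry no "avc: denied" record.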

Comment 11 errata-xmlrpc 2018-10-30 10:09:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
