Hide Forgot
Description of problem: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128 Version-Release number of selected component (if applicable): selinux-policy-3.13.1-223.el7.noarch libvirt-4.5.0-8.el7.x86_64 qemu-kvm-rhev-2.12.0-13.el7.x86_64 3.10.0-940.el7.x86_64 How reproducible: 100% Steps to Reproduce: 1.Create mdev device; 2.Define a guest with spice gl: #virsh edit rhel7.6 <graphics type='spice'> <listen type='none'/> <gl enable='yes' rendernode='/dev/dri/renderD128'/> </graphics> 3.Start the guest: #virsh start rhel7.6 error: Failed to start domain rhel7.6 error: internal error: qemu unexpectedly closed the monitor: 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available 2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node for SPICE GL 3.Check the syslog: #cat /var/log/messages Sep 5 19:09:40 localhost python: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. Actual results: Guest failed to start Expected results: Guest should start successfully Additional info: 1.Audit messages: type=AVC msg=audit(1536145479.767:4598): avc: denied { open } for pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536145479.769:4599): avc: denied { ioctl } for pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
(In reply to yafu from comment #0) > Description of problem: > SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the > chr_file /dev/dri/renderD128 > > Version-Release number of selected component (if applicable): > selinux-policy-3.13.1-223.el7.noarch > libvirt-4.5.0-8.el7.x86_64 > qemu-kvm-rhev-2.12.0-13.el7.x86_64 > 3.10.0-940.el7.x86_64 > > > How reproducible: > 100% > > > Steps to Reproduce: > 1.Create mdev device; > > 2.Define a guest with spice gl: > #virsh edit rhel7.6 > <graphics type='spice'> > <listen type='none'/> > <gl enable='yes' rendernode='/dev/dri/renderD128'/> > </graphics> > > 3.Start the guest: > #virsh start rhel7.6 > error: Failed to start domain rhel7.6 > error: internal error: qemu unexpectedly closed the monitor: > 2018-09-05T11:09:39.684687Z qemu-kvm: egl: no drm render node available > 2018-09-05T11:09:39.684707Z qemu-kvm: Failed to initialize EGL render node > for SPICE GL > > 3.Check the syslog: > #cat /var/log/messages > Sep 5 19:09:40 localhost python: SELinux is preventing > /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. > > Actual results: > Guest failed to start > > Expected results: > Guest should start successfully > > > Additional info: > 1.Audit messages: > type=AVC msg=audit(1536145479.767:4598): avc: denied { open } for > pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 > scontext=system_u:system_r:svirt_t:s0:c73,c409 > tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 > type=AVC msg=audit(1536145479.769:4599): avc: denied { ioctl } for > pid=24444 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=171222 > ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c73,c409 > tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 Sorry for wrong paste of audit message. The right audit message is: type=AVC msg=audit(1536215083.599:708): avc: denied { read write } for pid=18806 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=145623 scontext=system_u:system_r:svirt_t:s0:c39,c589 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=0 And if i set selinux staus as permissive, the selinux message in syslog is as follows: # cat /var/log/messages | grep -i setroubleshoot Sep 6 14:30:54 localhost dbus[4505]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Sep 6 14:30:54 localhost dbus[4505]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Sep 6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77 Sep 6 14:30:54 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file renderD128. For complete SELinux messages run: sealert -l e035f801-dc15-4044-a8ac-98d3864d8a77 Sep 6 14:30:54 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128 Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4 Sep 6 14:30:55 localhost setroubleshoot: failed to retrieve rpm info for /dev/dri/renderD128 Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from ioctl access on the chr_file /dev/dri/renderD128. For complete SELinux messages run: sealert -l 94154a26-0fcb-4960-89c9-7212d6467ee4 Sep 6 14:30:55 localhost setroubleshoot: SELinux is preventing /usr/libexec/qemu-kvm from using the execmem access on a process. For complete SELinux messages run: sealert -l 40bb2b0e-9b4f-4f0d-a0bf-3ef32b67daa0 The audit message is as follows: type=AVC msg=audit(1536215454.006:770): avc: denied { read write } for pid=19707 comm="qemu-kvm" name="renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536215454.006:770): avc: denied { open } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536215454.008:771): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6446 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536215454.014:772): avc: denied { ioctl } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 ioctlcmd=6475 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536215454.017:773): avc: denied { execmem } for pid=19707 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:system_r:svirt_t:s0:c674,c923 tclass=process permissive=1 type=AVC msg=audit(1536215454.293:779): avc: denied { map } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1536215454.293:779): avc: denied { read write } for pid=19707 comm="qemu-kvm" path="/dev/dri/renderD128" dev="tmpfs" ino=149533 scontext=system_u:system_r:svirt_t:s0:c674,c923 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
The denial which contains { execmem } can be solved by enabling the virt_use_execmem boolean. The rest of SELinux denials needs to fixed in new build of selinux-policy.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111