Description of problem:

Newer qemu git versions that contain commit 816b9fe450220e19acb91a0ce4a8ade7000648d1 (refs/bisect/bad) "elf-ops.h: Map into memory the ELF to load" crash when an elf file is used as os.kernel:

  2019-10-04T12:00:32.675188Z qemu-system-s390x: GLib: g_mapped_file_unref: assertion 'file != NULL' failed

strace tells that I can read the ELF file, but not mmap it:

  214365 openat(AT_FDCWD, "/var/lib/libvirt/images/test_cpu_timer.elf", O_RDONLY)
  214365 read(46, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0", 16) = 16
  214365 lseek(46, 0, SEEK_SET) = 0
  [...]
  214365 fstat(46, {st_mode=S_IFREG|0755, st_size=168176, ...}) = 0
  214365 mmap(NULL, 168176, PROT_READ|PROT_WRITE, MAP_PRIVATE, 46, 0) = -1 EACCES (Permission denied)

So reading from /var/lib/libvirt/images/test_cpu_timer.elf does work, mmaping does not. setenforce 0 makes the problem go away.

audit2allow shows, among others:

  allow svirt_t virt_content_t:file map;
Adding Daniel and Paolo as this was discussed on the libvirt and qemu mailing lists:

https://lists.gnu.org/archive/html/qemu-devel/2019-10/msg01122.html
https://www.redhat.com/archives/libvir-list/2019-October/msg00191.html
The virt.te policy rules already include:

  allow svirt_t svirt_image_t:file map;
  allow svirt_t svirt_image_t:blk_file map;

which handles disks/images we expose to QEMU with read-write permission.

virt_content_t is used for disks/images we expose to QEMU with read-only permission, and I don't see a reason why we can't allow mmap for those too. IIUC, we're enforcing read-only-ness of the file separately from the map permission.

So I think we probably want two additions:

  allow svirt_t virt_content_t:file map;
  allow svirt_t virt_content_t:blk_file map;
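The strace in the description shows read() succeeding and mmap() failing with EACCES, and the comment above notes that SELinux checks the map permission separately from read. The C program below is an added example (not qemu's code and not from the bug report) that replays that exact syscall sequence so a file can be probed for both outcomes; probe_elf_map and write_sample are hypothetical helper names.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes of probe_elf_map(), a hypothetical diagnostic helper. */
enum probe_result {
    PROBE_OK = 0,       /* open, read and mmap all succeeded */
    PROBE_OPEN_FAILED,  /* open()/fstat() failed */
    PROBE_READ_FAILED,  /* read() failed or short (e.g. 'read' denied) */
    PROBE_NOT_ELF,      /* readable, but does not start with \177ELF */
    PROBE_MAP_FAILED    /* read worked, mmap() failed: 'map' denied */
};

/* Replay the sequence from the strace: open, read the 16-byte ELF ident,
 * fstat, then mmap(PROT_READ|PROT_WRITE, MAP_PRIVATE). PROBE_MAP_FAILED with
 * *err == EACCES on a file that read fine means read is allowed but map is not. */
int probe_elf_map(const char *path, int *err)
{
    unsigned char ident[16];
    struct stat st;
    void *base;
    int fd = open(path, O_RDONLY);
    *err = 0;
    if (fd < 0) { *err = errno; return PROBE_OPEN_FAILED; }
    if (read(fd, ident, sizeof ident) != (ssize_t)sizeof ident) {
        *err = errno; close(fd); return PROBE_READ_FAILED;
    }
    if (memcmp(ident, "\177ELF", 4) != 0) { close(fd); return PROBE_NOT_ELF; }
    if (fstat(fd, &st) < 0) { *err = errno; close(fd); return PROBE_OPEN_FAILED; }
    base = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (base == MAP_FAILED) { *err = errno; close(fd); return PROBE_MAP_FAILED; }
    munmap(base, st.st_size);
    close(fd);
    return PROBE_OK;
}

/* Write a constructed 64-byte sample file: either the s390x ELF64 big-endian
 * ident seen in the strace, or all zeros for a non-ELF sample. */
int write_sample(const char *path, int elf)
{
    unsigned char buf[64] = { 0 };
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    if (elf) memcpy(buf, "\177ELF\2\2\1", 7);
    if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) { close(fd); return -1; }
    return close(fd);
}
```

Run it against the real kernel image from the libvirt domain while SELinux is enforcing: PROBE_MAP_FAILED with EACCES on a file that audit2allow attributes to virt_content_t confirms the missing map rule, and the same probe returning PROBE_OK after the policy update confirms the fix.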
I guess this is also broken for RHEL and RHV. So as soon as qemu >= 4.2 is part of RHV, we have the same problem there as well. Is there a process to cascade this into those distributions as well?
commit 76616cf62cddda3c6ca0a9cd1b7820052b228854 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Oct 4 17:36:42 2019 +0200

    Update virt_read_content interface to allow caller domain mmap virt_content_t block devices and files

    Resolves: rhbz#1758525
Any chance to also get this fix into Fedora 30 as a backport? (and of course 31)
Christian,

Yes, it's backported to F31 and F30.

https://github.com/fedora-selinux/selinux-policy-contrib/commit/8f719024b088c3e9b9f3f2697586ba1858981914
https://github.com/fedora-selinux/selinux-policy-contrib/commit/926dc71928159b50fd3faa19ae031c5647946cf4
(In reply to Lukas Vrabec from comment #6)
> Christian,
> Yes it's backported to F31 and F30.
>
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/8f719024b088c3e9b9f3f2697586ba1858981914
>
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/926dc71928159b50fd3faa19ae031c5647946cf4

Thanks. How often are the binary packages rebuilt? Currently the update is not yet available for users, e.g. https://dl.fedoraproject.org/pub/fedora-secondary/updates/30/Everything/s390x/Packages/s/ still has an selinux-policy version from September.
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.