Description of problem:
Start a VM; the VM starts successfully, but there is an AVC denied error in audit.log:

# ausearch -c qemu-kvm -m avc
----
time->Thu Apr 9 04:55:29 2020
type=AVC msg=audit(1586422529.809:350): avc: denied { read write } for pid=3449 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=25607 scontext=system_u:system_r:svirt_t:s0:c116,c867 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0

Version-Release number of selected component:
qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64
selinux-policy-3.14.3-41.el8.noarch
libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a VM
2. Check audit.log with "ausearch -c qemu-kvm -m avc"

Actual results:
As above

Expected results:
There should be no AVC denied error when the VM starts.

Additional info:
Please attach the VM config XML you've used.
Created attachment 1677533: vm xml configuration
Here are my debugging findings. Firstly, I've noticed that this does not happen if I disable namespaces. That led me to a patch that I have in a local branch for bug 1823976, where I'm waiting for confirmation that the approach I've chosen is the right one.

Basically, what is happening is: when libvirt is setting up the private /dev for the domain, it consults devmapper to rebuild the targets table (for instance, for a multipath device qemu might open all its targets). And the AVC message we are seeing is SELinux denying the following ioctl:

stat("/dev/mapper/control", {st_mode=S_IFCHR|0600, st_rdev=makedev(0xa, 0xec), ...}) = 0
openat(AT_FDCWD, "/dev/mapper/control", O_RDWR) = 3</dev/mapper/control<char 10:236>>
ioctl(3</dev/mapper/control<char 10:236>>, DM_VERSION, {version=4.0.0, data_size=16384, flags=DM_EXISTS_FLAG} => {version=4.42.0, data_size=16384, flags=DM_EXISTS_FLAG}) = 0

What is interesting is that execve() happens only after the ioctl(), so why auditd would report comm="qemu-kvm" is beyond me.

However, my fix only suppresses querying devmapper for *every* path created in the private /dev. If the path is a devmapper target then the ioctl() will be run and I guess the AVC message will appear again. So maybe we need to add a rule to the SELinux policy?
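As an added example (not code from this bug, libvirt or the SELinux policy), a small Python parser for AVC records like the one in the report: it extracts the record's fields, lists the denials that touch /dev/mapper/control, and collapses them into the audit2allow-style allow rule the comment above asks about. The sample input is constructed; its second AVC line stands for the follow-up ioctl denial the comment anticipates if the devmapper query still runs.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample input: the AVC record from this bug, a non-AVC line that
# must be ignored, and a made-up second denial (ioctl on the same device).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1586422529.809:350): avc:  denied  { read write } for  pid=3449 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=25607 scontext=system_u:system_r:svirt_t:s0:c116,c867 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1586422529.809:350): arch=c000003e syscall=257 success=no exit=-13 comm="qemu-kvm"
type=AVC msg=audit(1586422529.901:351): avc:  denied  { ioctl } for  pid=3449 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=25607 scontext=system_u:system_r:svirt_t:s0:c116,c867 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
"""

# ausearch/audit.log print "avc:  denied  { perms } for  key=value ..."; the
# whitespace width varies, so match on \s+ rather than literal spaces.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    # The remainder is key=value tokens; values such as comm and path are double-quoted.
    for tok in shlex.split(m.group("rest")):
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec

def se_type(context):
    """Extract the type (third field) from a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_for_path(lines, path):
    """All denied AVC records whose object path equals `path`."""
    return [r for r in map(parse_avc, lines)
            if r and r["result"] == "denied" and r.get("path") == path]

def allow_rules(lines):
    """Collapse denials into audit2allow-style TE rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec and rec["result"] == "denied":
            key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
            perms_by_key[key].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms_by_key.items())]

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for rec in denials_for_path(lines, "/dev/mapper/control"):
        print(rec["serial"], rec["comm"], rec["perms"])
    print("\n".join(allow_rules(lines)))
```

A rule built this way covers only the permissions that were actually recorded, so each new denial (here, the later ioctl) widens it; whether svirt_t should reach lvm_control_t at all is a policy decision to make before compiling such a rule into a module.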
*** Bug 1854040 has been marked as a duplicate of this bug. ***
Per previous agreement, closing as a dup of bz#1858260. *** This bug has been marked as a duplicate of bug 1858260 ***