Bug 1822522 - avc: denied { read write } for pid=3449 comm="qemu-kvm" path="/dev/mapper/control"
Summary: avc: denied { read write } for pid=3449 comm="qemu-kvm" path="/dev/mapper/...
Keywords:
Status: CLOSED DUPLICATE of bug 1858260
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: Unspecified
OS: Linux
low
medium
Target Milestone: rc
: 8.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
: 1854040 (view as bug list)
Depends On:
Blocks:
Reported: 2020-04-09 09:07 UTC by Fangge Jin
Modified: 2020-07-29 17:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-29 17:32:04 UTC
Type: Bug
Target Upstream Version:


Attachments
vm xml configuration (9.71 KB, text/plain)
2020-04-09 12:53 UTC, Fangge Jin


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1824019 0 medium CLOSED SELinux is preventing qemu-system-x86 from read, write access on the chr_file /dev/mapper/control. 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1835909 0 medium CLOSED [8.3 regression] avc: denied { read write } for comm="qemu-kvm" path="/dev/mapper/control 2021-02-22 00:41:40 UTC

Description Fangge Jin 2020-04-09 09:07:56 UTC
Description of problem:
Start a VM. The VM starts successfully, but there is an AVC denied error in audit.log:
# ausearch -c qemu-kvm -m avc
----
time->Thu Apr  9 04:55:29 2020
type=AVC msg=audit(1586422529.809:350): avc:  denied  { read write } for  pid=3449 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=25607 scontext=system_u:system_r:svirt_t:s0:c116,c867 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0


Version-Release number of selected component:
qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64
selinux-policy-3.14.3-41.el8.noarch
libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a vm
2. Check audit.log by "ausearch -c qemu-kvm -m avc"

Actual results:
As above

Expected results:
There should be no AVC denied error when the VM starts.

Additional info:

Comment 1 Peter Krempa 2020-04-09 11:56:21 UTC
Please attach the VM config XML you've used.

Comment 2 Fangge Jin 2020-04-09 12:53:18 UTC
Created attachment 1677533 [details]
vm xml configuration

Comment 4 Michal Privoznik 2020-05-07 13:07:55 UTC
Here are my debugging findings. Firstly, I've noticed that this does not happen if I disable namespaces. That led me to a patch that I have in a local branch for bug 1823976, where I'm waiting for confirmation that the approach I've chosen is the right one. Basically, what is happening is: when libvirt is setting up the private /dev for the domain, it consults devmapper to rebuild the targets table (for instance for a multipath device qemu might open all its targets). And the AVC message we are seeing is SELinux denying the following ioctl:

stat("/dev/mapper/control", {st_mode=S_IFCHR|0600, st_rdev=makedev(0xa, 0xec), ...}) = 0
openat(AT_FDCWD, "/dev/mapper/control", O_RDWR) = 3</dev/mapper/control<char 10:236>>
ioctl(3</dev/mapper/control<char 10:236>>, DM_VERSION, {version=4.0.0, data_size=16384, flags=DM_EXISTS_FLAG} => {version=4.42.0, data_size=16384, flags=DM_EXISTS_FLAG}) = 0

What is interesting is that execve() happens only after the ioctl(), so why would auditd report comm="qemu-kvm" is beyond me.
However, my fix only suppresses querying devmapper for *every* path created in the private /dev. If the path is a devmapper target then the ioctl() will be run and I guess the AVC message will appear again. So maybe we need to add a rule to the SELinux policy?
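Added here as an illustration (not code from the bug, libvirt or selinux-policy): it parses the AVC record quoted in the description into its fields, checks that the denial was enforced rather than logged in permissive mode, and derives the allow rule an audit2allow-style tool would print for it, i.e. the policy change the comment above wonders about.

```python
import re

# AVC record quoted in the bug description, used here as the sample input.
SAMPLE_AVC = (
    'type=AVC msg=audit(1586422529.809:350): avc:  denied  { read write } for  '
    'pid=3449 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=25607 '
    'scontext=system_u:system_r:svirt_t:s0:c116,c867 '
    'tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0'
)

# audit(<epoch seconds>:<serial>) header, then "avc: <result> { perms } for key=value ..."
_MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
# key=value pairs; a value is either a double-quoted string or a run of non-space characters
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line: str) -> dict:
    """Split one AVC audit record into its fields (quotes stripped from values)."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    hdr = _MSG_RE.search(line)
    if hdr:
        rec['timestamp'] = float(hdr.group('ts'))
        rec['serial'] = int(hdr.group('serial'))
    for key, value in _KV_RE.findall(m.group('kv')):
        rec[key] = value.strip('"')
    return rec

def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type:level[:categories] context."""
    return ctx.split(':')[2]

def is_enforced(rec: dict) -> bool:
    """True when the access was actually blocked (denied and not in permissive mode)."""
    return rec['result'] == 'denied' and rec.get('permissive') == '0'

def allow_rule(rec: dict) -> str:
    """The allow rule that would silence exactly this denial (what audit2allow prints)."""
    return 'allow %s %s:%s { %s };' % (
        context_type(rec['scontext']), context_type(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))

if __name__ == '__main__':
    r = parse_avc(SAMPLE_AVC)
    print('%s -> %s (%s) enforced=%s' % (r['comm'], r['path'], ' '.join(r['perms']), is_enforced(r)))
    print(allow_rule(r))
```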

Comment 5 Zdenek Pytela 2020-07-07 06:50:40 UTC
*** Bug 1854040 has been marked as a duplicate of this bug. ***

Comment 15 Zdenek Pytela 2020-07-29 17:32:04 UTC
Per previous agreement, closing as a dup of bz#1858260.

*** This bug has been marked as a duplicate of bug 1858260 ***

