1835909 – [8.3 regression] avc: denied { read write } for comm="qemu-kvm" path="/dev/mapper/control

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1835909 - [8.3 regression] avc: denied { read write } for comm="qemu-kvm" path="/dev/mapper/control

Summary: [8.3 regression] avc: denied { read write } for comm="qemu-kvm" path="/dev/...

Keywords:
Status:	CLOSED DUPLICATE of bug 1858260
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.3
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-05-14 17:32 UTC by Martin Pitt
Modified:	2020-11-09 15:50 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-07-29 17:31:28 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Martin Pitt 2020-05-14 17:32:29 UTC

Description of problem: In a recent refresh of our cockpit rhel 8.3 CI test image, all libvirt related tests now run into a new SELinux policy violation:

kernel: audit: type=1400 audit(1589437107.542:4): avc:  denied  { read write } for  pid=128585 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=11500 scontext=system_u:system_r:svirt_tcg_t:s0:c43,c398 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0

Example journal: https://logs.cockpit-project.org/logs/pull-864-20200514-055447-c43ff2a7-rhel-8-3-cockpit-project-cockpit/TestMachines-testAutostart-rhel-8-3-127.0.0.2-2201-FAIL.log.gz

Version-Release number of selected component (if applicable):

libvirt-daemon-kvm-6.0.0-17.module+el8.3.0+6423+e4cb6418.x86_64
selinux-policy-3.14.3-43.el8

Comment 1 Zdenek Pytela 2020-05-15 08:44:49 UTC

Danilo,

Has there any change been made recently in qemu or libvirt that requires access to /dev/mapper/control?

Comment 2 Danilo de Paula 2020-05-25 15:17:51 UTC

Are you aware of such change?

Comment 3 Miroslav Rezanina 2020-05-25 17:03:06 UTC

(In reply to Danilo Cesar Lemes de Paula from comment #2)
> Are you aware of such change?

qemu-pr-helper is using this device.

Comment 9 Han Han 2020-07-06 04:01:59 UTC

Hello, another AVC on /dev/mapper/control:
Jul  5 23:55:32 hp-dl385g10-15 setroubleshoot[133559]: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file /dev/mapper/control. For complete SELinux messages run: sealert -l 1bebe53c-661b-40be-be50-6d7e0fb553dc
Jul  5 23:55:32 hp-dl385g10-15 platform-python[133559]: SELinux is preventing /usr/libexec/qemu-kvm from 'read, write' accesses on the chr_file /dev/mapper/control.#012#012*****  Plugin leaks (86.2 confidence) suggests   *****************************#012#012If you want to ignore qemu-kvm trying to read write access the control chr_file, because you believe it should not need this access.#012Then you should report this as a bug.  #012You can generate a local policy module to dontaudit this access.#012Do#012# ausearch -x /usr/libexec/qemu-kvm --raw | audit2allow -D -M my-qemu-kvm#012# semodule -X 300 -i my-qemu-kvm.pp#012#012*****  Plugin catchall (14.7 confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed read write access on the control chr_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012


type=AVC msg=audit(1594007728.748:547): avc:  denied  { read write } for  pid=133543 comm="qemu-kvm" path="/dev/mapper/control" dev="devtmpfs" ino=23598 scontext=system_u:system_r:svirt_t:s0:c65,c755 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1594007728.748:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f9fd4053a30 a1=7f9fd405c810 a2=7f9fd4056700 a3=7f9ff92da343 items=0 ppid=1 pid=133543 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c65,c755 key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="unset" UID="qemu" GID="qemu" EUID="qemu" SUID="qemu" FSUID="qemu" EGID="qemu" SGID="qemu" FSGID="qemu"


Version:
libvirt-6.4.0-1.module+el8.3.0+6881+88468c00.x86_64
qemu-kvm-5.0.0-0.module+el8.3.0+6620+5d5e1420.x86_64
selinux-policy-3.14.3-48.el8.noarch


Steps:
Just start a VM
VM XML:
<domain type='kvm' id='3'>
  <name>new</name>
  <uuid>442bbb67-01ac-4329-9b4f-ca90b638da0b</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://fedoraproject.org/fedora/31"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <vcpu placement='static'>2</vcpu>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-i440fx-rhel7.6.0'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>EPYC-IBPB</model>
    <vendor>AMD</vendor>
    <feature policy='require' name='x2apic'/>
    <feature policy='require' name='tsc-deadline'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='arch-capabilities'/>
    <feature policy='require' name='xsaves'/>
    <feature policy='require' name='cmp_legacy'/>
    <feature policy='require' name='perfctr_core'/>
    <feature policy='require' name='clzero'/>
    <feature policy='require' name='virt-ssbd'/>
    <feature policy='require' name='rdctl-no'/>
    <feature policy='require' name='skip-l1dfl-vmentry'/>
    <feature policy='require' name='mds-no'/>
    <feature policy='require' name='pschange-mc-no'/>
    <feature policy='disable' name='monitor'/>
    <feature policy='disable' name='svm'/>
    <feature policy='require' name='topoext'/>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/new.qcow2' index='1'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x09' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'>
      <alias name='pci.0'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:92:3c:bc'/>
      <source network='default' portid='784f8140-3dca-4233-a4aa-7ae67df3b458' bridge='virbr0'/>
      <target dev='vnet0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/5'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/5'>
      <source path='/dev/pts/5'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/var/lib/libvirt/qemu/channel/target/domain-3-new/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
      <alias name='channel1'/>
      <address type='virtio-serial' controller='0' bus='0' port='2'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='1'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='spice'>
      <listen type='none'/>
      <image compression='off'/>
      <gl enable='no'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'>
        <acceleration accel3d='no'/>
      </model>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir0'/>
      <address type='usb' bus='0' port='2'/>
    </redirdev>
    <redirdev bus='usb' type='spicevmc'>
      <alias name='redir1'/>
      <address type='usb' bus='0' port='3'/>
    </redirdev>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
    </memballoon>
    <rng model='virtio'>
      <backend model='random'>/dev/urandom</backend>
      <alias name='rng0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x0c' function='0x0'/>
    </rng>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c65,c755</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c65,c755</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+107:+107</label>
    <imagelabel>+107:+107</imagelabel>
  </seclabel>
</domain>

Please check the bug is really fixed or an another issue.

Comment 10 Milos Malik 2020-07-06 05:10:21 UTC

There is a difference:
 * comment#0 shows an SELinux denial which contains svirt_tcg_t in the source context
 * comment#9 shows an SELinux denial which contains svirt_t in the source context

Comment 11 Han Han 2020-07-06 07:31:26 UTC

(In reply to Milos Malik from comment #10)
> There is a difference:
>  * comment#0 shows an SELinux denial which contains svirt_tcg_t in the
> source context
>  * comment#9 shows an SELinux denial which contains svirt_t in the source
> context

Thank you.
I filed a new bug for this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1854040

Comment 16 Zdenek Pytela 2020-07-29 17:31:28 UTC

Closing as a dup of bz#1858260.

For additional information refer to bz#1822522.

*** This bug has been marked as a duplicate of bug 1858260 ***

Note You need to log in before you can comment on or make changes to this bug.