2063612 – SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2063612 - SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t

Summary: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2022-03-29
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	9.0
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2070569
TreeView+	depends on / blocked

Reported:	2022-03-14 02:59 UTC by Han Han
Modified:	2022-05-17 16:13 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-34.1.29-1.el9_0
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2070569 (view as bug list)
Environment:
Last Closed:	2022-05-17 15:50:23 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-115518	0	None	None	None	2022-03-14 14:34:46 UTC
Red Hat Product Errata	RHBA-2022:3918	0	None	None	None	2022-05-17 15:50:42 UTC

Description Han Han 2022-03-14 02:59:17 UTC

Description of problem:
As subject

Version-Release number of selected component (if applicable):
libvirt-8.0.0-6.el9.x86_64
selinux-policy-34.1.27-1.el9.noarch
qemu-kvm-6.2.0-11.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Prepare hosts with rmda network
2. Start an VM
3. Migrate it to another host:
# virsh migrate --live --migrateuri rdma://192.168.100.4 test --listen-address 0.0.0.0 qemu+tls://root@XXXX/system --verbose --p2p

error: internal error: unable to execute QEMU command 'migrate': RDMA ERROR: result not equal to event_addr_resolved RDMA_CM_EVENT_ADDR_ERROR

Actual results:
The selinux log from src host:
Mar 13 22:48:02 dell-per740-03 setroubleshoot[192705]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 5697551a-cb70-4a3d-b3f5-afbb9bba6580
Mar 13 22:48:02 dell-per740-03 setroubleshoot[192705]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012

The selinux log from dest host:
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 33434fea-bdc7-4e2b-9ff7-2963990771b2
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t. For complete SELinux messages run: sealert -l 33434fea-bdc7-4e2b-9ff7-2963990771b2
Mar 13 22:48:01 dell-per740-04 setroubleshoot[200026]: SELinux is preventing /usr/libexec/qemu-kvm from create access on the netlink_rdma_socket labeled svirt_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should be allowed create access on netlink_rdma_socket labeled svirt_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm#012# semodule -X 300 -i my-qemukvm.pp#012


Note: If the selinux is permissive on both hosts, the migration could pass.


Expected results:
No selinux denials.

Additional info:

Comment 3 Han Han 2022-03-14 03:25:28 UTC

Update: The error is still there after `setenforce 0` on both hosts.

Comment 4 Zdenek Pytela 2022-03-14 14:11:38 UTC

Han Han,

Please attach audit log and the output of the following command:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Apart from the audited denials, is there any problem with the service as such?
Can you isolate with which version of livbirt, qemu, or other library this started to happen?

Comment 5 Fangge Jin 2022-03-15 01:28:27 UTC

See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"

Comment 6 Han Han 2022-03-15 02:13:34 UTC

(In reply to Zdenek Pytela from comment #4)
> Han Han,
> 
> Please attach audit log and the output of the following command:
> 
>   # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:740) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:740) : arch=x86_64 syscall=socket success=yes exit=24 a0=netlink a1=SOCK_RAW a2=hmp a3=0x7f384033faa0 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:740) : avc:  denied  { create } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:741) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:741) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x18 a1=SOL_SOCKET a2=SO_SNDBUF a3=0x7ffd3ddebdf8 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:741) : avc:  denied  { setopt } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:742) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:742) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x18 a1=0x556298c870a0 a2=0xc a3=0x20 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:742) : avc:  denied  { bind } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1 
----
type=PROCTITLE msg=audit(03/14/2022 22:06:18.065:743) : proctitle=/usr/libexec/qemu-kvm -name guest=test,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file": 
type=SOCKADDR msg=audit(03/14/2022 22:06:18.065:743) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=1338017757 } 
type=SYSCALL msg=audit(03/14/2022 22:06:18.065:743) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x18 a1=0x7ffd3ddebe44 a2=0x7ffd3ddebe40 a3=0x20 items=0 ppid=1 pid=34781 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c247,c409 key=(null) 
type=AVC msg=audit(03/14/2022 22:06:18.065:743) : avc:  denied  { getattr } for  pid=34781 comm=qemu-kvm scontext=system_u:system_r:svirt_t:s0:c247,c409 tcontext=system_u:system_r:svirt_t:s0:c247,c409 tclass=netlink_rdma_socket permissive=1
> 
> Apart from the audited denials, is there any problem with the service as
> such?
Yes. The error of enforcing mode and permissive mode are different. That indicates SELinux prevents some process or service:
enforcing mode:
➜  ~ virsh migrate --live --migrateuri rdma://192.168.128.10 test --listen-address 192.168.128.10 qemu+ssh://root.lab.eng.bos.redhat.com/system --verbose --p2p
error: internal error: unable to execute QEMU command 'migrate-incoming': RDMA ERROR: Error: could not rdma_bind_addr!

permissive mode:
➜  ~ virsh migrate --live --migrateuri rdma://192.168.128.10 test --listen-address 192.168.128.10 qemu+ssh://root.lab.eng.bos.redhat.com/system --verbose --p2p
error: operation failed: migration out job: unexpectedly failed

> Can you isolate with which version of livbirt, qemu, or other library this
> started to happen?
The avc denial starts not later than selinux-policy-3.14.3-41.el8.noarch libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64  qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64 (https://bugzilla.redhat.com/show_bug.cgi?id=1822518)
I am not sure if any earlier versions are affected

Comment 7 Zdenek Pytela 2022-03-17 15:40:48 UTC

Han Han,

If you think this problem qualifies for an exception, please put down justification and we will process is further.

Otherwise I'd target this bz to RHEL 9.1.

I also spotted RHEL 8 packages referenced here:
> The avc denial starts not later than selinux-policy-3.14.3-41.el8.noarch libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
> qemu-kvm-4.2.0-17.module+el8.2.0+6141+0f540f16.x86_64 (https://bugzilla.redhat.com/show_bug.cgi?id=1822518)

Not sure if it matters.


Fangge Jin: 
> See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
Does this still mean support for the rdma socket should be allowed because there are benefits?

Comment 8 Fangge Jin 2022-03-18 02:26:33 UTC

(In reply to Zdenek Pytela from comment #7)

> Fangge Jin: 
> > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> Does this still mean support for the rdma socket should be allowed because
> there are benefits?
I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to migate wia RDMA uri: ERROR: result not equal to event_addr_resolved RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug

Comment 12 Zdenek Pytela 2022-03-28 08:39:21 UTC

(In reply to Fangge Jin from comment #8)
> (In reply to Zdenek Pytela from comment #7)
> 
> > Fangge Jin: 
> > > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> > Does this still mean support for the rdma socket should be allowed because
> > there are benefits?
> I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to
> migate wia RDMA uri: ERROR: result not equal to event_addr_resolved
> RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug

Given this information, can we remove the TestBlocker keyword?

Comment 13 Han Han 2022-03-30 03:59:01 UTC

T(In reply to Zdenek Pytela from comment #12)
> (In reply to Fangge Jin from comment #8)
> > (In reply to Zdenek Pytela from comment #7)
> > 
> > > Fangge Jin: 
> > > > See also: Bug 1822518 - RDMA migration succeeds but there is audit error "AVC denied qemu-kvm create netlink_rdma_socket"
> > > Does this still mean support for the rdma socket should be allowed because
> > > there are benefits?
> > I'm not sure, maybe we can wait for the conclusion of Bug 2063615 - Fail to
> > migate wia RDMA uri: ERROR: result not equal to event_addr_resolved
> > RDMA_CM_EVENT_ADDR_ERROR, then decide what to do with this bug
> 
> Given this information, can we remove the TestBlocker keyword?

I disagree with this idea.
From https://bugzilla.redhat.com/show_bug.cgi?id=2063615#c2 , then errors are different when SELinux is enforcing or permissive.
It indicates SELinux also prevents the RDMA migration. So it could be the TestBlocker for RMDA.

Comment 25 Zdenek Pytela 2022-04-05 13:23:32 UTC

*** Bug 2070569 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2022-05-17 15:50:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918

Note You need to log in before you can comment on or make changes to this bug.