Bug 2169944 - SELinux is preventing /usr/libexec/qemu-kvm from write access on the sock_file native
Summary: SELinux is preventing /usr/libexec/qemu-kvm from write access on the sock_fil...
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: 9.3
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-02-15 07:57 UTC by Lili Zhu
Modified: 2023-08-16 15:14 UTC
8 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 15:14:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker RHEL-1379 | 0 | None | None | None | 2023-08-16 15:14:50 UTC
Red Hat Issue Tracker RHELPLAN-148690 | 0 | None | None | None | 2023-02-15 07:59:04 UTC

Description Lili Zhu 2023-02-15 07:57:07 UTC
Description of problem:
SELinux is preventing /usr/libexec/qemu-kvm from write access on the sock_file native

Version-Release number of selected component (if applicable):
selinux-policy-38.1.5-1.el9.noarch
libvirt-9.0.0-3.el9.x86_64
qemu-kvm-7.2.0-6.el9.x86_64

How reproducible:
100%

Steps to Reproduce:
1. define a VM as a non-root user
$ virsh list --all
 Id   Name             State
--------------------------------
 1    avocado-vt-vm1   running

2. check the VM's audio-related definition
...
   <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <sound model='ich9'>
      <alias name='sound0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    </sound>
    <audio id='1' type='pulseaudio' serverName='/run/user/1000/pulse/native'/>
...

3. start the VM
$ virsh start avocado-vt-vm1 
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: process exited while connecting to monitor: pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA contextaudio: Could not init `pa' audio driver

4. solve the issues mentioned by setroubleshoot
# setsebool -P virt_use_xserver 1
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -X 300 -i my-qemukvm.pp

5. VM can be started
$ virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

Actual results:
VM cannot be started without solving the issues reported by SELinux.

Expected results:
VM can not be started without any selinux settings

Additional info:
VM can be started without any SELinux settings on RHEL 9.0:
https://bugzilla.redhat.com/show_bug.cgi?id=1997725#c16

Comment 1 Lili Zhu 2023-02-15 07:58:08 UTC
Fix a typo in the description:
Expected results:
VM can be started without any selinux settings

Comment 2 Milos Malik 2023-02-15 08:05:15 UTC
Please collect the SELinux denials which appear during the scenario and attach them here:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 3 Lili Zhu 2023-02-15 08:14:19 UTC
(In reply to Milos Malik from comment #2)
> Please collect the SELinux denials which appear during the scenario and
> attach them here:
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
> 
> Thank you.

Sorry, forgot:
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=PROCTITLE msg=audit(02/15/2023 00:23:00.763:401) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:23:00.763:401) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffe883ab280 a2=0x6e a3=0x7ffe883ab214 items=0 ppid=2381 pid=8476 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 key=(null) 
type=AVC msg=audit(02/15/2023 00:23:00.763:401) : avc:  denied  { write } for  pid=8476 comm=qemu-kvm name=native dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:29:16.348:411) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:29:16.348:411) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffd8febb600 a2=0x6e a3=0x7ffd8febb594 items=0 ppid=2381 pid=8665 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 key=(null) 
type=AVC msg=audit(02/15/2023 00:29:16.348:411) : avc:  denied  { connectto } for  pid=8665 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:29:28.549:421) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:29:28.549:421) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7ffd573cb5c0 a2=0x6e a3=0x7ffd573cb554 items=0 ppid=2381 pid=8758 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c798,c975 key=(null) 
type=AVC msg=audit(02/15/2023 00:29:28.549:421) : avc:  denied  { connectto } for  pid=8758 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c798,c975 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:30:03.075:434) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:30:03.075:434) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x13 a1=0x7fff226265d0 a2=0x6e a3=0x7fff22626564 items=0 ppid=2381 pid=8923 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c627,c843 key=(null) 
type=AVC msg=audit(02/15/2023 00:30:03.075:434) : avc:  denied  { connectto } for  pid=8923 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c627,c843 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:484) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:484) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001980 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null) 
type=AVC msg=audit(02/15/2023 00:36:40.165:484) : avc:  denied  { read } for  pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:485) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:485) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001c20 a2=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null) 
type=AVC msg=audit(02/15/2023 00:36:40.165:485) : avc:  denied  { read } for  pid=9225 comm=threaded-ml name=pulse dev="dm-2" ino=402653327 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:486) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:486) : arch=x86_64 syscall=rmdir success=no exit=EACCES(Permission denied) a0=0x7ff1e8001c20 a1=0x7ff1e8001c20 a2=0x0 a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null) 
type=AVC msg=audit(02/15/2023 00:36:40.165:486) : avc:  denied  { write } for  pid=9225 comm=threaded-ml name=.config dev="dm-2" ino=135 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:487) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:487) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001910 a2=O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC a3=0x180 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null) 
type=AVC msg=audit(02/15/2023 00:36:40.165:487) : avc:  denied  { read write } for  pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/15/2023 00:36:40.165:488) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra 
type=SYSCALL msg=audit(02/15/2023 00:36:40.165:488) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff1e8001910 a2=O_RDONLY a3=0x0 items=0 ppid=2381 pid=9225 auid=lizhu uid=lizhu gid=lizhu euid=lizhu suid=lizhu fsuid=lizhu egid=lizhu sgid=lizhu fsgid=lizhu tty=(none) ses=3 comm=threaded-ml exe=/usr/libexec/qemu-kvm subj=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 key=(null) 
type=AVC msg=audit(02/15/2023 00:36:40.165:488) : avc:  denied  { read } for  pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
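Added example (not from the bug report or the selinux-policy project): a small Python parser for `ausearch -i` AVC records like the ones above. It groups denials by source type, target type, object class and permissions, and renders the allow rules a locally built audit2allow module (as in step 4 of the description) would carry, so a reviewer can see that the rules apply to the svirt_t type as a whole, not just this one guest. The sample records are constructed from the ones in this report; `SAMPLE_AVC`, `parse_avc`, `summarize` and `allow_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records shaped like the ones pasted in this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(02/15/2023 00:23:00.763:401) : avc:  denied  { write } for  pid=8476 comm=qemu-kvm name=native dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:svirt_t:s0:c522,c852 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(02/15/2023 00:29:16.348:411) : avc:  denied  { connectto } for  pid=8665 comm=qemu-kvm path=/run/user/1000/pulse/native scontext=unconfined_u:unconfined_r:svirt_t:s0:c374,c452 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(02/15/2023 00:36:40.165:487) : avc:  denied  { read write } for  pid=9225 comm=threaded-ml name=cookie dev="dm-2" ino=402653328 scontext=unconfined_u:unconfined_r:svirt_t:s0:c805,c934 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file permissive=0
"""

# One regex for the interpreted (-i) AVC line: result, permission set, the free-form
# key=value fields, then scontext/tcontext/tclass and the optional permissive flag.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    # user:role:type[:level] -> type (the part TE allow rules are written against)
    return context.split(":")[2]

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
        "comm": fields.get("comm", "?"),
        # sockets report a path, files and directories a bare name
        "target": fields.get("path") or fields.get("name", "?").strip('"'),
    }

def summarize(text):
    """Group denied records by (source type, target type, class, permissions)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])].append(rec)
    return dict(groups)

def allow_rules(groups):
    """Render each group as the TE allow rule audit2allow would derive from it."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c, p) in groups)
```

Reading the rendered rules is the check to make before loading a module like my-qemukvm: every rule here widens svirt_t's access to the desktop user's session objects (user_tmp_t, unconfined_t, pulseaudio_home_t), which a policy boolean such as virt_use_xserver scopes for you while a local module does not.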

