Bug 2172267 - libvirt is unable to start passt process when SELinux is enforcing
Summary: libvirt is unable to start passt process when SELinux is enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libvirt
Version: 9.2
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Laine Stump
QA Contact: yalzhang@redhat.com
URL:
Whiteboard:
Depends On: 2172268
Blocks: 2179030
Reported: 2023-02-21 19:15 UTC by Laine Stump
Modified: 2023-06-06 05:45 UTC (History)
9 users

Fixed In Version: libvirt-9.0.0-9.el9_2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2172268 2179030 (view as bug list)
Environment:
Last Closed: 2023-05-09 07:27:59 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-149590 0 None None None 2023-02-21 19:15:53 UTC
Red Hat Product Errata RHBA-2023:2171 0 None None None 2023-05-09 07:28:37 UTC

Description Laine Stump 2023-02-21 19:15:18 UTC
The initial implementation of passt support in libvirt doesn't have the necessary fu to be able to start the passt process when SELinux is enforcing.

Stefano Brivio (sbrivio) has come up with patches for libvirt, selinux-policy, and passt that make this work properly.

Comment 1 Stefano Brivio 2023-02-22 21:39:02 UTC
Upstream series, apparently rejected, here:

  https://listman.redhat.com/archives/libvir-list/2023-February/238099.html

Comment 2 Laine Stump 2023-03-09 14:52:04 UTC
A new upstream series based on email and IRC discussion of the original:

https://listman.redhat.com/archives/libvir-list/2023-March/238571.html

Just to reiterate from the BZ description - the full solution is three-tiered - it also requires small additions to the virt policies in the selinux-policy package (Bug 2172268 - upstream MR posted, waiting for review/push), and selinux policies in the passt package (Bug 2176813 - already pushed upstream).

Comment 3 Laine Stump 2023-03-10 19:55:44 UTC
Fix pushed upstream as 4 patches:

commit a53c1d6f842ba0f516bbacff8250ba0d7a10074a
Author: Laine Stump <laine>
Date:   Wed Mar 1 11:34:24 2023 -0500

    util: add an API to retrieve the resolved path to a virCommand's binary
    
commit 60afe39576abc9b26f5f8c1dfed39bbc783fb78c
Author: Laine Stump <laine>
Date:   Wed Mar 8 12:50:38 2023 -0500

commit 75056f61f12d6efec51f699f2b901f8d02cd075c
Author: Laine Stump <laine>
Date:   Wed Mar 1 15:34:32 2023 -0500

    security: make it possible to set SELinux label of child process from its binary

commit 8419dd3b69cfada783a2e6df315e45dd294b0d18
Author: Laine Stump <laine>
Date:   Wed Mar 1 15:58:24 2023 -0500

    qemu: set SELinux label of passt process to its own binary's label

Comment 5 Laine Stump 2023-03-13 16:30:39 UTC
Patches backported to rhel-9.2.0 branch and MR sent:

https://gitlab.com/redhat/rhel/src/libvirt/-/merge_requests/104

Comment 7 Laine Stump 2023-03-14 17:47:30 UTC
This upstream commit was also added:

commit 50023cb5c64287786df12dbd1f7d2afc15b94a27
Author: Andrea Bolognani <abologna>
Date:   Tue Mar 14 10:41:46 2023 +0100

    rpm: Recommend passt-selinux

Comment 13 yalzhang@redhat.com 2023-03-29 06:59:06 UTC
Tested with root user and unprivileged user, with SELinux enabled, in the scenarios below; the result is as expected.

Packages:
$ rpm -q libvirt passt selinux-policy
libvirt-9.0.0-10.el9_2.x86_64
passt-0^20230222.g4ddbcb9-2.el9_2.x86_64
selinux-policy-38.1.11-2.el9_2.noarch

Test scenarios:
1. Start vm with passt backend interface;
2. Hotplug a passt backend interface;
3. Kill the passt process while the VM is running to check the reconnect feature;
4. VM lifecycle test including save->restore, managedsave, suspend->resume, with the passt backend interface;

Comment 14 yalzhang@redhat.com 2023-03-29 10:12:27 UTC
For scenario 1, start vm with root user:
# getenforce 
Enforcing

# virsh dumpxml rhel --xpath //interface 
<interface type="user">
  <mac address="52:54:00:4e:92:81"/>
  <source dev="eno1"/>
  <portForward proto="tcp">
    <range start="6000"/>
  </portForward>
  <model type="virtio"/>
  <backend type="passt" logFile="/run/user/107/passt.log"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

# virsh start rhel 
Domain 'rhel' started

# ps aux -Z | grep usr/bin/passt | grep -v grep 
system_u:system_r:passt_t:s0:c445,c836 qemu 48709 0.0  0.0  76344 37264 ?        Ss   05:59   0:00 /usr/bin/passt --one-off --socket /run/libvirt/qemu/passt/1-rhel-net0.socket --mac-addr 52:54:00:4e:92:81 --pid /run/libvirt/qemu/passt/1-rhel-net0-passt.pid --interface eno1 --log-file /run/user/107/passt.log --tcp-ports 6000

Log in to the VM to check the network function; IP address, default route and nameserver are all as expected.

With unprivileged user:
# machinectl shell test@
Connected to the local host. Press ^] three times within 1s to exit session.
$ id 
uid=1000(test) gid=1000(test) groups=1000(test) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ virsh dumpxml rhel --xpath //interface 
<interface type="user">
  <mac address="52:54:00:4e:92:81"/>
  <source dev="eno1"/>
  <portForward proto="tcp">
    <range start="6001"/>
  </portForward>
  <model type="virtio"/>
  <backend type="passt" logFile="/run/user/1000/passt.log"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>
$ virsh start rhel 
Domain 'rhel' started

$ ps aux -Z | grep usr/bin/passt  | grep -v grep
unconfined_u:unconfined_r:passt_t:s0:c36,c900 test 49091 0.0  0.0 76348 38188 ?  Ss   06:05   0:00 /usr/bin/passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0.socket --mac-addr 52:54:00:4e:92:81 --pid /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0-passt.pid --interface eno1 --log-file /run/user/1000/passt.log --tcp-ports 6001

Log in to the VM and check the network function; all as expected.
Destroy the VM and check that the passt process terminated, which is as expected.
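As an added example (not part of the bug report or of libvirt's code), the label check done by hand with `ps aux -Z` above, turned into a POSIX shell function: every passt process in a ps listing must run in the `passt_t` domain and carry an explicit per-VM MCS category pair, as in the verification output. The listings are constructed samples; the `BAD_LISTING` line is a hypothetical passt process that did not get the `passt_t` transition.

```shell
#!/bin/sh
# Constructed sample of `ps -eo label,user,pid,args --no-headers` after the fix:
# qemu and its passt helper share the VM's MCS categories, passt runs as passt_t.
GOOD_LISTING='system_u:system_r:svirt_t:s0:c445,c836 qemu 48700 /usr/libexec/qemu-kvm -name guest=rhel
system_u:system_r:passt_t:s0:c445,c836 qemu 48709 /usr/bin/passt --one-off --socket /run/libvirt/qemu/passt/1-rhel-net0.socket
unconfined_u:unconfined_r:passt_t:s0:c36,c900 test 49091 /usr/bin/passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0.socket
system_u:system_r:virtd_t:s0-s0:c0.c1023 root 1200 /usr/sbin/libvirtd'

# Constructed counter-example (hypothetical): a passt process that inherited the
# caller's unconfined domain and the full category range instead of passt_t.
BAD_LISTING='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 test 49091 /usr/bin/passt --one-off --socket /run/user/1000/libvirt/qemu/run/passt/3-rhel-net0.socket'

# check_passt_labels LISTING
# Returns 0 when every /usr/bin/passt process in LISTING runs as passt_t with a
# per-VM MCS level (s0:cNNN,cNNN); prints each violation to stderr and returns 1.
check_passt_labels() {
    listing="$1"
    bad=0
    while read -r label user pid cmd; do
        case "$cmd" in /usr/bin/passt*) ;; *) continue ;; esac
        type=$(printf '%s' "$label" | cut -d: -f3)    # SELinux type (domain)
        level=$(printf '%s' "$label" | cut -d: -f4-)  # MLS/MCS level
        if [ "$type" != "passt_t" ]; then
            echo "pid $pid ($user): passt runs as $type, expected passt_t" >&2
            bad=1
        fi
        case "$level" in
            s0:c[0-9]*,c[0-9]*) ;;   # explicit category pair, as set for the VM
            *) echo "pid $pid ($user): level '$level' has no per-VM MCS categories" >&2
               bad=1 ;;
        esac
    done <<EOF
$listing
EOF
    return $bad
}

# Live use on a host (assumed procps `ps -o label` column):
#   check_passt_labels "$(ps -eo label,user,pid,args --no-headers)"
check_passt_labels "$GOOD_LISTING" && echo "all passt processes are confined as passt_t"
```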

Comment 16 errata-xmlrpc 2023-05-09 07:27:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libvirt bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2171

