2223727 – Allow access to /dev/udmabuf (dma_device_t) from libvirt qemu (svirt_t)

Bug 2223727 - Allow access to /dev/udmabuf (dma_device_t) from libvirt qemu (svirt_t) [NEEDINFO]

Summary: Allow access to /dev/udmabuf (dma_device_t) from libvirt qemu (svirt_t)

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.3
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	9.3
Assignee:	Nikola Knazekova
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2032406
TreeView+	depends on / blocked

Reported:	2023-07-18 16:34 UTC by Jonathon Jongsma
Modified:	2023-08-03 21:29 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	jjongsma: needinfo? (nknazeko)

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-162653	0	None	None	None	2023-07-18 16:36:55 UTC

Description Jonathon Jongsma 2023-07-18 16:34:08 UTC

Bug 2032406 adds support for the virtio-gpu 'blob' feature to libvirt. This in turn requires qemu to access /dev/udmabuf. selinux prevents access to this device.

I get the following AVC messages when running in permissive mode:

time->Tue Jul 18 11:29:31 2023
type=PROCTITLE msg=audit(1689697771.305:3860): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D76647061626C6F636B2D746573742C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1689697771.305:3860): arch=c000003e syscall=257 success=yes exit=33 a0=ffffff9c a1=55fe1ab9bda6 a2=2 a3=0 items=0 ppid=1 pid=267438 auid=21811 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=25 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 key=(null)
type=AVC msg=audit(1689697771.305:3860): avc:  denied  { open } for  pid=267438 comm="qemu-kvm" path="/dev/udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1689697771.305:3860): avc:  denied  { read write } for  pid=267438 comm="qemu-kvm" name="udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1

Comment 1 Nikola Knazekova 2023-07-27 17:36:02 UTC

Hi Jonathon,

here is PR with the fix: https://github.com/fedora-selinux/selinux-policy/pull/1804

Note You need to log in before you can comment on or make changes to this bug.