The following avc denials happens when running https://gitlab.com/redhat/centos-stream/tests/kernel/kernel-tests/-/tree/main/networking/vnic/sriov?ref_type=heads SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.2-1.fc40.noarch ---- time->Fri Oct 20 01:01:21 2023 type=AVC msg=audit(1697778081.627:40940): avc: denied { create } for pid=2215325 comm="qemu-system-x86" anonclass=[io_uring] scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:21 2023 type=AVC msg=audit(1697778081.627:40941): avc: denied { map } for pid=2215325 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=415852 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:21 2023 type=AVC msg=audit(1697778081.627:40942): avc: denied { read write } for pid=2215325 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=415852 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:22 2023 type=AVC msg=audit(1697778082.758:40946): avc: denied { unlink } for pid=2215300 comm="rpc-virtqemud" name="g1.xml" dev="dm-0" ino=478176137 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 01:01:38 2023 type=AVC msg=audit(1697778098.265:42790): avc: denied { create } for pid=2219412 comm="qemu-system-i38" anonclass=[io_uring] scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:38 2023 type=AVC msg=audit(1697778098.265:42791): avc: denied { map } for pid=2219412 comm="qemu-system-i38" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=399895 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:38 2023 type=AVC msg=audit(1697778098.265:42792): avc: denied { read write } for pid=2219412 comm="qemu-system-i38" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=399895 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.495:42793): avc: denied { execute } for pid=2215300 comm="rpc-virtqemud" name="swtpm" dev="dm-0" ino=6665196 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.502:42794): avc: denied { execute_no_trans } for pid=2219432 comm="swtpm_setup" path="/usr/bin/swtpm" dev="dm-0" ino=6665196 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.502:42795): avc: denied { map } for pid=2219432 comm="swtpm" path="/usr/bin/swtpm" dev="dm-0" ino=6665196 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.625:42801): avc: denied { read } for pid=2219444 comm="tc" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.670:42805): avc: denied { unmount } for pid=2219453 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.720:42806): avc: denied { bpf } for pid=2215300 comm="rpc-virtqemud" capability=39 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 01:01:39 2023 type=AVC msg=audit(1697778099.720:42807): avc: denied { perfmon } for pid=2215300 comm="rpc-virtqemud" capability=38 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 01:01:40 2023 type=AVC msg=audit(1697778100.104:42826): avc: denied { create } for pid=2219495 comm="qemu-system-x86" anonclass=[io_uring] scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:40 2023 type=AVC msg=audit(1697778100.104:42827): avc: denied { map } for pid=2219495 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=420002 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:40 2023 type=AVC msg=audit(1697778100.104:42828): avc: denied { read write } for pid=2219495 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=420002 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 01:01:42 2023 type=AVC msg=audit(1697778102.392:42834): avc: denied { read } for pid=2219545 comm="tc" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 01:01:42 2023 type=AVC msg=audit(1697778102.401:42835): avc: denied { unmount } for pid=2219548 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Fri Oct 20 01:01:42 2023 type=AVC msg=audit(1697778102.450:42836): avc: denied { bpf } for pid=2215300 comm="rpc-virtqemud" capability=39 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 01:01:42 2023 type=AVC msg=audit(1697778102.450:42837): avc: denied { perfmon } for pid=2215300 comm="rpc-virtqemud" capability=38 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 01:03:12 2023 type=AVC msg=audit(1697778192.874:42856): avc: denied { add_name } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 01:03:12 2023 type=AVC msg=audit(1697778192.874:42857): avc: denied { create } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:03:12 2023 type=AVC msg=audit(1697778192.874:42858): avc: denied { write } for pid=2215300 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:03:12 2023 type=AVC msg=audit(1697778192.874:42859): avc: denied { open } for pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Fri Oct 20 01:03:15 2023 type=AVC msg=audit(1697778195.553:42860): avc: denied { remove_name } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 01:03:15 2023 type=AVC msg=audit(1697778195.553:42861): avc: denied { unlink } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:03:27 2023 type=AVC msg=audit(1697778207.097:42863): avc: denied { add_name } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 01:03:29 2023 type=AVC msg=audit(1697778209.554:42864): avc: denied { remove_name } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24438 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 01:03:41 2023 type=AVC msg=audit(1697778221.098:42870): avc: denied { open } for pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Fri Oct 20 01:18:25 2023 type=AVC msg=audit(1697779105.045:42872): avc: denied { create } for pid=2215300 comm="rpc-virtqemud" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1 Reproducible: Always
test logs: https://datawarehouse.cki-project.org/kcidb/tests/9981074
More denials that might be related: ---- time->Fri Oct 20 01:18:25 2023 type=AVC msg=audit(1697779105.045:42872): avc: denied { create } for pid=2215300 comm="rpc-virtqemud" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 01:18:27 2023 type=AVC msg=audit(1697779107.909:42877): avc: denied { create } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:18:27 2023 type=AVC msg=audit(1697779107.909:42878): avc: denied { write } for pid=2215300 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=24612 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 01:18:32 2023 type=AVC msg=audit(1697779112.343:42879): avc: denied { unlink } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24612 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
These seem to be quite clear: allow virtqemud_t io_uring_t:anon_inode { create map read write }; allow virtqemud_t proc_net_t:lnk_file read; allow virtqemud_t svirt_devpts_t:chr_file open; this one probably needs just a transition: allow virtqemud_t swtpm_exec_t:file { execute execute_no_trans }; allow virtqemud_t swtpm_exec_t:file map; and these require additional information: allow virtqemud_t device_t:filesystem unmount; allow virtqemud_t self:capability2 { bpf perfmon }; allow virtqemud_t var_lock_t:dir { add_name remove_name }; allow virtqemud_t var_lock_t:file { create unlink write }; allow virtqemud_t virt_etc_rw_t:lnk_file { create unlink }; This cil module should help with the first half: # cat local_virtqemud.cil (allow virtqemud_t io_uring_t (anon_inode (create map read write))) (allow virtqemud_t proc_net_t (lnk_file (read))) (allow virtqemud_t svirt_devpts_t (chr_file (open))) (typetransition virtqemud_t swtpm_exec_t process swtpm_t) (allow virtqemud_t swtpm_exec_t (file (getattr open map read execute ioctl))) (allow virtqemud_t swtpm_t (process (transition))) # semodule -i local_virtqemud.cil
Adding the logs with full audit enabled: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.2-1.fc40.noarch ---- time->Fri Oct 20 11:15:39 2023 type=PROCTITLE msg=audit(1697814939.616:2200): proctitle=2F7573722F62696E2F71656D752D73797374656D2D69333836002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F7661722F6C69622F6C6962766972742F71656D752F type=SYSCALL msg=audit(1697814939.616:2200): arch=c000003e syscall=425 success=yes exit=3 a0=80 a1=7ffd368a2ca0 a2=7ffd368a2ca0 a3=4 items=0 ppid=8945 pid=12508 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-system-i38" exe="/usr/bin/qemu-system-i386" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814939.616:2200): avc: denied { create } for pid=12508 comm="qemu-system-i38" anonclass=[io_uring] scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 11:15:39 2023 type=PROCTITLE msg=audit(1697814939.616:2201): proctitle=2F7573722F62696E2F71656D752D73797374656D2D69333836002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F7661722F6C69622F6C6962766972742F71656D752F type=MMAP msg=audit(1697814939.616:2201): fd=3 flags=0x8001 type=SYSCALL msg=audit(1697814939.616:2201): arch=c000003e syscall=9 success=yes exit=139866834399232 a0=0 a1=1240 a2=3 a3=8001 items=0 ppid=8945 pid=12508 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-system-i38" exe="/usr/bin/qemu-system-i386" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814939.616:2201): avc: denied { read write } for pid=12508 comm="qemu-system-i38" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=23136 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 type=AVC msg=audit(1697814939.616:2201): avc: denied { map } for pid=12508 comm="qemu-system-i38" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=23136 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.492:2202): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697814941.492:2202): item=0 name="/usr/bin/swtpm" inode=6684581 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swtpm_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697814941.492:2202): cwd="/" type=SYSCALL msg=audit(1697814941.492:2202): arch=c000003e syscall=21 success=yes exit=0 a0=7f4fa4003609 a1=1 a2=8 a3=1 items=1 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.492:2202): avc: denied { execute } for pid=8945 comm="rpc-virtqemud" name="swtpm" dev="dm-0" ino=6684581 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.501:2203): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D7072696E742D6361706162696C6974696573 type=PATH msg=audit(1697814941.501:2203): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=23069154 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697814941.501:2203): item=0 name="/usr/bin/swtpm" inode=6684581 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swtpm_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697814941.501:2203): cwd="/" type=EXECVE msg=audit(1697814941.501:2203): argc=3 a0="/usr/bin/swtpm" a1="socket" a2="--print-capabilities" type=SYSCALL msg=audit(1697814941.501:2203): arch=c000003e syscall=59 success=yes exit=0 a0=5557f988d8e0 a1=5557f988e150 a2=7fffdf647b50 a3=0 items=2 ppid=12546 pid=12547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.501:2203): avc: denied { map } for pid=12547 comm="swtpm" path="/usr/bin/swtpm" dev="dm-0" ino=6684581 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697814941.501:2203): avc: denied { execute_no_trans } for pid=12547 comm="swtpm_setup" path="/usr/bin/swtpm" dev="dm-0" ino=6684581 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.649:2210): proctitle=7463007164697363006164640064657600766E65743000726F6F740068616E646C6500303A006E6F7175657565 type=PATH msg=audit(1697814941.649:2210): item=0 name="/proc/net/psched" inode=4026532097 dev=00:15 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697814941.649:2210): cwd="/" type=SYSCALL msg=audit(1697814941.649:2210): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e5a591ab22 a2=0 a3=0 items=1 ppid=8945 pid=12563 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tc" exe="/usr/sbin/tc" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.649:2210): avc: denied { read } for pid=12563 comm="tc" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.687:2214): proctitle=7463007164697363006164640064657600766E65743100726F6F740068616E646C6500303A006E6F7175657565 type=PATH msg=audit(1697814941.687:2214): item=0 name="/proc/net/psched" inode=4026532097 dev=00:15 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697814941.687:2214): cwd="/" type=SYSCALL msg=audit(1697814941.687:2214): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d74fb63b22 a2=0 a3=0 items=1 ppid=8945 pid=12577 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tc" exe="/usr/sbin/tc" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.687:2214): avc: denied { read } for pid=12577 comm="tc" name="net" dev="proc" ino=4026531845 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.695:2215): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697814941.695:2215): item=0 name="/dev" inode=1 dev=00:05 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fe=? cap_fver=? cap_fp=? cap_fi=? type=CWD msg=audit(1697814941.695:2215): cwd="/" type=SYSCALL msg=audit(1697814941.695:2215): arch=c000003e syscall=166 success=yes exit=0 a0=7f4fc438a043 a1=2 a2=7f4fc7580000 a3=2000 items=1 ppid=1 pid=12581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.695:2215): avc: denied { unmount } for pid=12581 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.732:2216): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1697814941.732:2216): arch=c000003e syscall=321 success=yes exit=24 a0=0 a1=7f4fbfffe420 a2=90 a3=1 items=0 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814941.732:2216): avc: denied { bpf } for pid=8945 comm="rpc-virtqemud" capability=39 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 11:15:41 2023 type=PROCTITLE msg=audit(1697814941.732:2217): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1697814941.732:2217): arch=c000003e syscall=321 success=yes exit=25 a0=5 a1=7f4fbfffe180 a2=90 a3=0 items=0 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=BPF msg=audit(1697814941.732:2217): prog-id=976 op=LOAD type=AVC msg=audit(1697814941.732:2217): avc: denied { perfmon } for pid=8945 comm="rpc-virtqemud" capability=38 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 11:15:42 2023 type=PROCTITLE msg=audit(1697814942.134:2235): proctitle=2F7573722F62696E2F71656D752D73797374656D2D7838365F3634002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F7661722F6C69622F6C6962766972742F71656D type=SYSCALL msg=audit(1697814942.134:2235): arch=c000003e syscall=425 success=yes exit=3 a0=80 a1=7ffc89944830 a2=7ffc89944830 a3=4 items=0 ppid=8945 pid=12614 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814942.134:2235): avc: denied { create } for pid=12614 comm="qemu-system-x86" anonclass=[io_uring] scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 11:15:42 2023 type=PROCTITLE msg=audit(1697814942.134:2236): proctitle=2F7573722F62696E2F71656D752D73797374656D2D7838365F3634002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F7661722F6C69622F6C6962766972742F71656D type=MMAP msg=audit(1697814942.134:2236): fd=3 flags=0x8001 type=SYSCALL msg=audit(1697814942.134:2236): arch=c000003e syscall=9 success=yes exit=140646514470912 a0=0 a1=1240 a2=3 a3=8001 items=0 ppid=8945 pid=12614 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-system-x86" exe="/usr/bin/qemu-system-x86_64" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814942.134:2236): avc: denied { read write } for pid=12614 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=20935 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 type=AVC msg=audit(1697814942.134:2236): avc: denied { map } for pid=12614 comm="qemu-system-x86" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=20935 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 ---- time->Fri Oct 20 11:15:44 2023 type=PROCTITLE msg=audit(1697814944.538:2242): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1697814944.538:2242): arch=c000003e syscall=321 success=yes exit=27 a0=0 a1=7f4fc4bfd420 a2=90 a3=1 items=0 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697814944.538:2242): avc: denied { bpf } for pid=8945 comm="rpc-virtqemud" capability=39 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 11:15:44 2023 type=PROCTITLE msg=audit(1697814944.538:2243): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1697814944.538:2243): arch=c000003e syscall=321 success=yes exit=29 a0=5 a1=7f4fc4bfd180 a2=90 a3=0 items=0 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=BPF msg=audit(1697814944.538:2243): prog-id=977 op=LOAD type=AVC msg=audit(1697814944.538:2243): avc: denied { perfmon } for pid=8945 comm="rpc-virtqemud" capability=38 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=capability2 permissive=1 ---- time->Fri Oct 20 11:17:15 2023 type=PROCTITLE msg=audit(1697815035.071:2267): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815035.071:2267): item=1 name="/var/lock/LCK.._pts_0" inode=3546 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815035.071:2267): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815035.071:2267): cwd="/" type=SYSCALL msg=audit(1697815035.071:2267): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4fc0009bd0 a2=c1 a3=1a4 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815035.071:2267): avc: denied { write } for pid=8945 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=3546 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697815035.071:2267): avc: denied { create } for pid=8945 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697815035.071:2267): avc: denied { add_name } for pid=8945 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 11:17:15 2023 type=PROCTITLE msg=audit(1697815035.071:2268): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815035.071:2268): item=1 name="/dev/pts/0" inode=3 dev=00:18 mode=020620 ouid=107 ogid=5 rdev=88:00 obj=system_u:object_r:svirt_devpts_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815035.071:2268): item=0 name="/dev/pts/" inode=1 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815035.071:2268): cwd="/" type=SYSCALL msg=audit(1697815035.071:2268): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4f740179f0 a2=142 a3=0 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815035.071:2268): avc: denied { open } for pid=8945 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Fri Oct 20 11:17:18 2023 type=PROCTITLE msg=audit(1697815038.033:2271): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815038.033:2271): item=1 name="/var/lock/LCK.._pts_0" inode=3546 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815038.033:2271): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815038.033:2271): cwd="/" type=SYSCALL msg=audit(1697815038.033:2271): arch=c000003e syscall=87 success=yes exit=0 a0=5628c8795db0 a1=5628c87994b0 a2=7f4aa28c1c49 a3=5628c87994c0 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815038.033:2271): avc: denied { unlink } for pid=8945 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=3546 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697815038.033:2271): avc: denied { remove_name } for pid=8945 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=3546 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 11:17:19 2023 type=PROCTITLE msg=audit(1697815039.080:2272): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815039.080:2272): item=1 name="/var/lock/LCK.._pts_0" inode=3548 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815039.080:2272): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815039.080:2272): cwd="/" type=SYSCALL msg=audit(1697815039.080:2272): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4fa8001e70 a2=c1 a3=1a4 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815039.080:2272): avc: denied { write } for pid=8945 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=3548 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697815039.080:2272): avc: denied { create } for pid=8945 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 11:29:36 2023 type=PROCTITLE msg=audit(1697815776.605:2278): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815776.605:2278): item=1 name="/var/lock/LCK.._pts_0" inode=3596 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815776.605:2278): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815776.605:2278): cwd="/" type=SYSCALL msg=audit(1697815776.605:2278): arch=c000003e syscall=87 success=yes exit=0 a0=5628c87a1f10 a1=5628c87a1b00 a2=7f4ac689d771 a3=5628c87a1b10 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815776.605:2278): avc: denied { remove_name } for pid=8945 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=3596 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 11:29:37 2023 type=PROCTITLE msg=audit(1697815777.655:2279): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697815777.655:2279): item=1 name="/var/lock/LCK.._pts_1" inode=3600 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697815777.655:2279): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697815777.655:2279): cwd="/" type=SYSCALL msg=audit(1697815777.655:2279): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4fc0009c00 a2=c1 a3=1a4 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697815777.655:2279): avc: denied { add_name } for pid=8945 comm="rpc-virtqemud" name="LCK.._pts_1" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 ---- time->Fri Oct 20 11:35:10 2023 type=PROCTITLE msg=audit(1697816110.850:2280): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697816110.850:2280): item=2 name="/etc/libvirt/qemu/autostart/g1.xml" inode=125830255 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697816110.850:2280): item=1 name="/etc/libvirt/qemu/g1.xml" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697816110.850:2280): item=0 name="/etc/libvirt/qemu/autostart/" inode=125830244 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697816110.850:2280): cwd="/" type=SYSCALL msg=audit(1697816110.850:2280): arch=c000003e syscall=88 success=yes exit=0 a0=5628c87a0380 a1=5628c8797fe0 a2=0 a3=0 items=3 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697816110.850:2280): avc: denied { create } for pid=8945 comm="rpc-virtqemud" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1 ########################## SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.2-1.fc40.noarch ---- time->Fri Oct 20 11:35:13 2023 type=PROCTITLE msg=audit(1697816113.976:2285): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697816113.976:2285): item=1 name="/var/lock/LCK.._pts_0" inode=3606 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697816113.976:2285): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697816113.976:2285): cwd="/" type=SYSCALL msg=audit(1697816113.976:2285): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4fa40537c0 a2=c1 a3=1a4 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697816113.976:2285): avc: denied { write } for pid=8945 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=3606 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697816113.976:2285): avc: denied { create } for pid=8945 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 ---- time->Fri Oct 20 11:35:13 2023 type=PROCTITLE msg=audit(1697816113.976:2286): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697816113.976:2286): item=1 name="/dev/pts/0" inode=3 dev=00:18 mode=020620 ouid=107 ogid=5 rdev=88:00 obj=system_u:object_r:svirt_devpts_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697816113.976:2286): item=0 name="/dev/pts/" inode=1 dev=00:18 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697816113.976:2286): cwd="/" type=SYSCALL msg=audit(1697816113.976:2286): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f4f740179f0 a2=142 a3=0 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697816113.976:2286): avc: denied { open } for pid=8945 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Fri Oct 20 11:35:18 2023 type=PROCTITLE msg=audit(1697816118.362:2287): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1697816118.362:2287): item=1 name="/var/lock/LCK.._pts_0" inode=3606 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1697816118.362:2287): item=0 name="/var/lock/" inode=31 dev=00:19 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1697816118.362:2287): cwd="/" type=SYSCALL msg=audit(1697816118.362:2287): arch=c000003e syscall=87 success=yes exit=0 a0=5628c879ab40 a1=5628c87a2860 a2=7f4ac689b062 a3=5628c87a2870 items=2 ppid=1 pid=8945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1697816118.362:2287): avc: denied { unlink } for pid=8945 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=3606 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
This is a PR which addresses most of the reported problems: https://github.com/fedora-selinux/selinux-policy/pull/1956
Can you please reproduce your scenario with selinux-policy-40.7?
I still see the following denials: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.7-1.fc40.noarch ---- time->Thu Dec 21 10:07:17 2023 type=AVC msg=audit(1703171237.283:41809): avc: denied { execute } for pid=1835264 comm="rpc-virtqemud" name="swtpm" dev="dm-0" ino=29284866 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Thu Dec 21 10:07:17 2023 type=AVC msg=audit(1703171237.294:41810): avc: denied { execute_no_trans } for pid=1838965 comm="swtpm_setup" path="/usr/bin/swtpm" dev="dm-0" ino=29284866 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- time->Thu Dec 21 10:07:17 2023 type=AVC msg=audit(1703171237.295:41811): avc: denied { map } for pid=1838965 comm="swtpm" path="/usr/bin/swtpm" dev="dm-0" ino=29284866 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:swtpm_exec_t:s0 tclass=file permissive=1 ---- https://datawarehouse.cki-project.org/kcidb/tests/10715066 time->Thu Dec 21 10:07:17 2023 type=AVC msg=audit(1703171237.488:41820): avc: denied { unmount } for pid=1838987 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Thu Dec 21 10:07:20 2023 type=AVC msg=audit(1703171240.568:41844): avc: denied { unmount } for pid=1839081 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Thu Dec 21 10:08:51 2023 type=AVC msg=audit(1703171331.271:41863): avc: denied { open } for pid=1835264 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Thu Dec 21 10:20:47 2023 type=AVC msg=audit(1703172047.128:41871): avc: denied { create } for pid=1835264 comm="rpc-virtqemud" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.
Bruno, I think all problems but one with device_t will be addressed by the next build. Please retest after updating selinux-policy.
Zdenek, it seems we still hit this issue or do you think this is something else? SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.15-1.fc41.noarch ---- time->Sun Apr 14 13:03:16 2024 type=AVC msg=audit(1713114196.073:40997): avc: denied { relabelfrom } for pid=1092443 comm="rpc-virtqemud" name="1-g1" dev="tmpfs" ino=23572 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 ---- time->Sun Apr 14 13:03:16 2024 type=AVC msg=audit(1713114196.214:41004): avc: denied { unmount } for pid=1092479 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Sun Apr 14 13:03:16 2024 type=AVC msg=audit(1713114196.253:41016): avc: denied { setattr } for pid=1092488 comm="rpc-virtqemud" name="userfaultfd" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c626,c832 tclass=chr_file permissive=1 ---- time->Sun Apr 14 13:03:18 2024 type=AVC msg=audit(1713114198.521:41041): avc: denied { setattr } for pid=1092567 comm="rpc-virtqemud" name="userfaultfd" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c117,c994 tclass=chr_file permissive=1 ---- time->Sun Apr 14 13:04:48 2024 type=AVC msg=audit(1713114288.943:41050): avc: denied { open } for pid=1088728 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Sun Apr 14 13:15:06 2024 type=AVC msg=audit(1713114906.656:41060): avc: denied { create } for pid=1088728 comm="rpc-virtqemud" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1
(In reply to Bruno Goncalves from comment #10) > Zdenek, > > it seems we still hit this issue or do you think this is something else? With rpc-virtqemud-unmount aside, these look new. Can I see audit logs, with full auditing enabled if possible?
does this help? SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 selinux-policy-40.16-1.fc41.noarch ---- time->Mon Apr 15 10:23:34 2024 type=PROCTITLE msg=audit(1713191014.644:3156): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191014.644:3156): item=0 name="/dev" inode=1 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fe=? cap_fver=? cap_fp=? cap_fi=? type=CWD msg=audit(1713191014.644:3156): cwd="/" type=SYSCALL msg=audit(1713191014.644:3156): arch=c000003e syscall=166 success=yes exit=0 a0=7f8d7e98b1ee a1=2 a2=7f8d8136b000 a3=2000 items=1 ppid=1 pid=12999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191014.644:3156): avc: denied { unmount } for pid=12999 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Mon Apr 15 10:23:34 2024 type=PROCTITLE msg=audit(1713191014.732:3168): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191014.732:3168): item=0 name="/dev/userfaultfd" inode=6 dev=00:34 mode=020600 ouid=0 ogid=0 rdev=0a:7e obj=system_u:object_r:svirt_image_t:s0:c634,c682 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1713191014.732:3168): cwd="/" type=SYSCALL msg=audit(1713191014.732:3168): arch=c000003e syscall=92 success=yes exit=0 a0=7f8d580583f0 a1=6b a2=6b a3=0 items=1 ppid=9335 pid=13013 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191014.732:3168): avc: denied { setattr } for pid=13013 comm="rpc-virtqemud" name="userfaultfd" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c634,c682 tclass=chr_file permissive=1 ---- time->Mon Apr 15 10:23:38 2024 type=PROCTITLE msg=audit(1713191018.515:3182): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191018.515:3182): item=0 name="/dev" inode=1 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fe=? cap_fver=? cap_fp=? cap_fi=? type=CWD msg=audit(1713191018.515:3182): cwd="/" type=SYSCALL msg=audit(1713191018.515:3182): arch=c000003e syscall=166 success=yes exit=0 a0=7f8d7e98b1ee a1=2 a2=7f8d8136b000 a3=2000 items=1 ppid=13086 pid=13087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191018.515:3182): avc: denied { unmount } for pid=13087 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 ---- time->Mon Apr 15 10:23:38 2024 type=PROCTITLE msg=audit(1713191018.600:3194): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191018.600:3194): item=0 name="/dev/userfaultfd" inode=6 dev=00:37 mode=020600 ouid=0 ogid=0 rdev=0a:7e obj=system_u:object_r:svirt_image_t:s0:c258,c642 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1713191018.600:3194): cwd="/" type=SYSCALL msg=audit(1713191018.600:3194): arch=c000003e syscall=92 success=yes exit=0 a0=7f8d68040550 a1=6b a2=6b a3=0 items=1 ppid=9335 pid=13099 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191018.600:3194): avc: denied { setattr } for pid=13099 comm="rpc-virtqemud" name="userfaultfd" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c258,c642 tclass=chr_file permissive=1 ---- time->Mon Apr 15 10:25:09 2024 type=PROCTITLE msg=audit(1713191109.810:3209): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191109.810:3209): item=1 name="/dev/pts/0" inode=3 dev=00:1a mode=020620 ouid=107 ogid=5 rdev=88:00 obj=system_u:object_r:svirt_devpts_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1713191109.810:3209): item=0 name="/dev/pts/" inode=1 dev=00:1a mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1713191109.810:3209): cwd="/" type=SYSCALL msg=audit(1713191109.810:3209): arch=c000003e syscall=257 success=yes exit=22 a0=ffffff9c a1=7f8d1401b8c0 a2=142 a3=0 items=2 ppid=1 pid=9335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191109.810:3209): avc: denied { open } for pid=9335 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 ---- time->Mon Apr 15 10:36:59 2024 type=PROCTITLE msg=audit(1713191819.972:3215): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=PATH msg=audit(1713191819.972:3215): item=2 name="/etc/libvirt/qemu/autostart/g1.xml" inode=1342183916 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1713191819.972:3215): item=1 name="/etc/libvirt/qemu/g1.xml" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(1713191819.972:3215): item=0 name="/etc/libvirt/qemu/autostart/" inode=1342183910 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1713191819.972:3215): cwd="/" type=SYSCALL msg=audit(1713191819.972:3215): arch=c000003e syscall=88 success=yes exit=0 a0=7f8d54000cb0 a1=56013a5c00d0 a2=0 a3=0 items=3 ppid=1 pid=9335 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtqe" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1713191819.972:3215): avc: denied { create } for pid=9335 comm="prio-rpc-virtqe" name="g1.xml" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file permissive=1
I believe that all reported problems except these two: type=AVC msg=audit(1697778192.874:42856): avc: denied { add_name } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1697778192.874:42858): avc: denied { write } for pid=2215300 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697778195.553:42860): avc: denied { remove_name } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1697778195.553:42861): avc: denied { unlink } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 type=AVC msg=audit(1697778192.874:42859): avc: denied { open } for pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1 will be addressed by the next build or this coprbuild: https://github.com/fedora-selinux/selinux-policy/pull/2106/checks?check_run_id=24562453131 Closing this bz, there are still a few more which will be resolved later: https://bugzilla.redhat.com/show_bug.cgi?id=2273960 (general) https://bugzilla.redhat.com/show_bug.cgi?id=2276917 (hooks) https://bugzilla.redhat.com/show_bug.cgi?id=2278889 (swtpm)