2271087 – SELinux is preventing qemu-img from 'map' accesses on the anon_inode anon_inode.

Bug 2271087 - SELinux is preventing qemu-img from 'map' accesses on the anon_inode anon_inode.

Summary: SELinux is preventing qemu-img from 'map' accesses on the anon_inode anon_inode.

Keywords:
Status:	CLOSED DUPLICATE of bug 2278123
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	40
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:6ad6fe2bbd9c264863d02520f54...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-03-22 15:32 UTC by Geraldo Simião
Modified:	2024-05-02 14:26 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-05-02 12:57:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
File: description (1.95 KB, text/plain) 2024-03-22 15:32 UTC, Geraldo Simião	no flags	Details
File: os_info (721 bytes, text/plain) 2024-03-22 15:32 UTC, Geraldo Simião	no flags	Details
View All

Description Geraldo Simião 2024-03-22 15:32:06 UTC

Description of problem:
creating vm at virt-manager (already tryed relabel the system)
SELinux is preventing qemu-img from 'map' accesses on the anon_inode anon_inode.

*****  Plugin catchall (100. confidence) suggests   **************************

Se você acredita nisso qemu-img deve ser permitido map acesso no anon_inode anon_inode por padrão.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso por agora executando:
# ausearch -c 'qemu-img' --raw | audit2allow -M my-qemuimg
# semodule -X 300 -i my-qemuimg.pp

Additional Information:
Source Context                system_u:system_r:virtstoraged_t:s0
Target Context                system_u:object_r:io_uring_t:s0
Target Objects                anon_inode [ anon_inode ]
Source                        qemu-img
Source Path                   qemu-img
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.15-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.15-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.8.1-300.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Mar 20 04:39:30 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-03-22 12:23:41 -03
Last Seen                     2024-03-22 12:23:41 -03
Local ID                      a15262d2-fb7c-4fb6-bc9f-87f5d73b07b7

Raw Audit Messages
type=AVC msg=audit(1711121021.454:246): avc:  denied  { map } for  pid=3891 comm="qemu-img" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=30663 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1


Hash: qemu-img,virtstoraged_t,io_uring_t,anon_inode,map

Version-Release number of selected component:
selinux-policy-targeted-40.15-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing qemu-img from 'map' accesses on the anon_inode anon_inode.
package:        selinux-policy-targeted-40.15-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.8.1-300.fc40.x86_64
comment:        creating vm at virt-manager (already tryed relabel the system)
component:      selinux-policy

Comment 1 Geraldo Simião 2024-03-22 15:32:09 UTC

Created attachment 2023092 [details]
File: description

Comment 2 Geraldo Simião 2024-03-22 15:32:10 UTC

Created attachment 2023093 [details]
File: os_info

Comment 3 Zdenek Pytela 2024-05-02 12:57:31 UTC


*** This bug has been marked as a duplicate of bug 2278123 ***

Comment 4 Stefan Berger 2024-05-02 13:26:49 UTC

(In reply to Zdenek Pytela from comment #3)
> 
> *** This bug has been marked as a duplicate of bug 2278123 ***

This bug here is about qemu-img and presumably the other bug is about swtpm. How are they related that one can say this one is a duplicate of the other? swtpm has its own SELinux policy package swtpm-selinux that handles specifics for swtpm, including rules for interactions of libvirt due to usage of swtpm. But this here is about qemu-img...

Comment 5 Zdenek Pytela 2024-05-02 14:04:12 UTC

There is a PR for

    type=AVC msg=audit(04/24/2024 14:19:15.239:260) : avc: denied { create } for pid=4518 comm=qemu-img anonclass=[io_uring] scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1

reported in https://bugzilla.redhat.com/show_bug.cgi?id=2278123
There may be other denials in that one. Hopefully we are getting close to the resolution of all reported problems

Comment 6 Stefan Berger 2024-05-02 14:26:36 UTC

(In reply to Zdenek Pytela from comment #5)
> There is a PR for
> 
>     type=AVC msg=audit(04/24/2024 14:19:15.239:260) : avc: denied { create }
> for pid=4518 comm=qemu-img anonclass=[io_uring]
> scontext=system_u:system_r:virtstoraged_t:s0
> tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
> reported in https://bugzilla.redhat.com/show_bug.cgi?id=2278123

Are you referring to my PR in this comment 16? https://bugzilla.redhat.com/show_bug.cgi?id=2278123#c16

" Anyway, a candidate for a policy update is here now: https://github.com/stefanberger/swtpm/pull/850 "

If so, this PR only tries to resolve interactions of libvirt due to swtpm usage. I do not see that qemu-img is an interaction of libvirt due to swtpm. However, I may have encountered virstoraged_t related issues yesterday while creating the new SELinux policy for swtpm but in the end, when the policy was complete, I did not see the issue anymore for sure. I could add a rule that resolves this qemu-img issue to the swtpm SELinux policy but it would not belong there.

The creator of this issue here reported already success in a related issue: https://bugzilla.redhat.com/show_bug.cgi?id=2271074

So maybe this issue here has disappeared and was some sort of side effect of the backlevel swtpm SELinux policy.

Maybe the author of this issue has a comment.

Note You need to log in before you can comment on or make changes to this bug.