Description of problem:
Since I upgraded to Fedora 40, I see lots of AVCs each time I start virt-manager and run a virtual machine.

$ sudo ausearch -i -m AVC -ts boot
type=AVC msg=audit(8.4.2024 12:29:50.385:499) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:53.836:502) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:56.098:505) : avc: denied { relabelfrom } for pid=46146 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=3067 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:56.209:511) : avc: denied { unmount } for pid=46166 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:56.212:512) : avc: denied { setattr } for pid=46169 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:56.234:525) : avc: denied { setattr } for pid=46179 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c443,c573 tclass=chr_file permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:56.837:537) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:29:59.838:538) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:35:09.182:542) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:38:36.422:547) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:41:33.643:552) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(8.4.2024 12:43:45.774:562) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

On a fresh F40 installation on a different laptop, I see slightly different errors:
----
type=AVC msg=audit(04/08/2024 07:01:30.865:274) : avc: denied { create } for pid=4176 comm=qemu-img anonclass=[io_uring] scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:30.865:275) : avc: denied { map } for pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:30.865:276) : avc: denied { read write } for pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:31.832:279) : avc: denied { relabelfrom } for pid=4187 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=2800 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:31.985:285) : avc: denied { unmount } for pid=4206 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:31.989:286) : avc: denied { setattr } for pid=4211 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:32.018:300) : avc: denied { setattr } for pid=4223 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c255,c586 tclass=chr_file permissive=1
----
type=AVC msg=audit(04/08/2024 07:06:22.768:325) : avc: denied { relabelfrom } for pid=4920 comm=rpc-virtqemud name=2-f40 dev="tmpfs" ino=2901 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(04/08/2024 07:06:22.794:329) : avc: denied { unmount } for pid=4930 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(04/08/2024 07:06:22.797:330) : avc: denied { setattr } for pid=4931 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(04/08/2024 07:06:22.836:343) : avc: denied { setattr } for pid=4945 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c292,c580 tclass=chr_file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-40.15-1.fc40.noarch
virt-manager-4.1.0-5.fc40.noarch
libvirt-daemon-10.1.0-1.fc40.x86_64
qemu-kvm-8.2.2-1.fc40.x86_64

How reproducible:
always

Steps to Reproduce:
1. run virt-manager
2. start a VM
*** Bug 2270225 has been marked as a duplicate of this bug. ***
I believe that most of the reported problems will be addressed by the next build or this copr build:
https://github.com/fedora-selinux/selinux-policy/pull/2106/checks?check_run_id=24562453131

These remain:
----
type=AVC msg=audit(04/08/2024 07:01:31.832:279) : avc: denied { relabelfrom } for pid=4187 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=2800 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:31.985:285) : avc: denied { unmount } for pid=4206 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
----
type=AVC msg=audit(04/08/2024 07:01:31.989:286) : avc: denied { setattr } for pid=4211 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
----
type=AVC msg=audit(1697778192.874:42856): avc: denied { add_name } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697778192.874:42858): avc: denied { write } for pid=2215300 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
type=AVC msg=audit(1697778195.553:42860): avc: denied { remove_name } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697778195.553:42861): avc: denied { unlink } for pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1697778192.874:42859): avc: denied { open } for pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1
----
which need further information and/or a reproducer.

There are also these 2 specific bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2276917 (hooks)
https://bugzilla.redhat.com/show_bug.cgi?id=2278889 (swtpm)
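The records in the report and in the "These remain" list above are `ausearch -i -m AVC` output (plus a few raw audit.log records); `permissive=1` in each of them means the access was allowed and only logged. The script below is an added triage helper, not part of this bug report and not code from selinux-policy or libvirt: it parses such records, groups them by source type / target type / object class, prints one candidate allow rule per group, and diffs a capture taken before a policy update against one taken after, so a "fixed / remaining / new" list like the maintainer's can be produced mechanically instead of by eye. The two sample captures are constructed from records quoted on this page; the function names are this example's own.

```python
"""Triage helper for SELinux AVC denials (added example, not from the bug report).

Parses one-record-per-line text from `ausearch -i -m AVC` (raw audit.log lines
work too), groups denials by (source type, target type, object class), emits a
candidate allow rule per group, and compares two captures.
"""
import re
from collections import defaultdict

# Works for `ausearch -i` records ("...) : avc: denied { perm }") and raw
# audit.log records ("...): avc: denied { perm }"). The MLS range on tcontext
# (e.g. svirt_image_t:s0:c443,c573) stays inside the captured context string.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """user:role:type[:range] -> type, which is what policy rules are written against."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """One dict per AVC record; lines that are not AVC records are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        events.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1: access was allowed and only logged (permissive
            # domain); permissive=0 or absent: the access was really blocked.
            "enforced": m.group("permissive") != "1",
        })
    return events


def group_denials(events):
    """{(stype, ttype, tclass): {"perms": set, "count": n, "enforced": n}}"""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for e in events:
        g = groups[(e["stype"], e["ttype"], e["tclass"])]
        g["perms"] |= e["perms"]
        g["count"] += 1
        g["enforced"] += int(e["enforced"])
    return dict(groups)


def allow_rules(groups):
    """One .te-style allow rule per group, in deterministic order (triage output)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
        for (s, t, c), g in sorted(groups.items())
    ]


def compare(before, after):
    """Group keys a policy update fixed, those still present, and new ones."""
    b, a = set(before), set(after)
    return {"fixed": b - a, "remaining": b & a, "new": a - b}


# Constructed sample captures: BEFORE copies distinct records from the original
# report (one repeated, to show aggregation); AFTER copies records listed as
# still present after the policy update.
BEFORE = """\
type=AVC msg=audit(8.4.2024 12:29:50.385:499) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(8.4.2024 12:29:53.836:502) : avc: denied { getattr } for pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(8.4.2024 12:29:56.098:505) : avc: denied { relabelfrom } for pid=46146 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=3067 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(8.4.2024 12:29:56.209:511) : avc: denied { unmount } for pid=46166 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(8.4.2024 12:29:56.212:512) : avc: denied { setattr } for pid=46169 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(8.4.2024 12:29:56.234:525) : avc: denied { setattr } for pid=46179 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c443,c573 tclass=chr_file permissive=1
type=AVC msg=audit(04/08/2024 07:01:30.865:274) : avc: denied { create } for pid=4176 comm=qemu-img anonclass=[io_uring] scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(04/08/2024 07:01:30.865:276) : avc: denied { read write } for pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
"""

AFTER = """\
type=AVC msg=audit(04/08/2024 07:01:31.832:279) : avc: denied { relabelfrom } for pid=4187 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=2800 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(04/08/2024 07:01:31.985:285) : avc: denied { unmount } for pid=4206 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(04/08/2024 07:01:31.989:286) : avc: denied { setattr } for pid=4211 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1697778192.874:42856): avc: denied { add_name } for pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697778192.874:42859): avc: denied { open } for pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1
"""

if __name__ == "__main__":
    before = group_denials(parse_avcs(BEFORE))
    after = group_denials(parse_avcs(AFTER))
    for rule in allow_rules(before):
        print(rule)
    for label, keys in compare(before, after).items():
        print(label, sorted(keys))
```

The allow rules it prints are triage output for a bug report, not something to install as-is: a rule like `allow virtqemud_t device_t:filesystem { unmount };` says what the daemon tried, and whether that should be allowed, dontaudited, or fixed in libvirt is the policy maintainer's call. If a local workaround is needed while the fix lands, the conventional route is `ausearch -m AVC -ts boot | audit2allow -M local_virt` followed by `semodule -i local_virt.pp`, with the generated .te reviewed first.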
I have installed clean Fedora 40 on a new bare metal machine, fully updated including selinux-policy-40.18-2.fc40 and created a VM in virt-manager. I have seen no AVCs while installing and booting the installed VM. I'll try the latest selinux-policy on my current Workstation, to see if I can reproduce the remaining AVCs and find more details about them.
Even on my existing F40 Workstation, I no longer see AVCs, at least with a quick check. So at this moment, everything looks fixed. Perhaps we can close this and I'll open a new report if I detect any unfixed AVC in the future.
Kamile, thanks for testing. As behaviour can differ in different environments, it usually is helpful to know what were the changes to defaults, what is specific for the environment, how to reproduce the issue, full auditing denials or even advanced debugging techniques, etc.: https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing Per your suggestion, I will proceed and close this bz, awaiting new reports with the latest policy.