Bug 2273960 - lots of AVCs when running a virtual machine
Summary: lots of AVCs when running a virtual machine
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2270225
Depends On:
Blocks:
Reported: 2024-04-08 11:09 UTC by Kamil Páral
Modified: 2024-05-07 13:54 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-05-07 13:54:39 UTC
Type: Bug
Embargoed:


Description Kamil Páral 2024-04-08 11:09:31 UTC
Description of problem:
Since I upgraded to Fedora 40, I see lots of AVCs each time I start virt-manager and run a virtual machine.

$ sudo ausearch -i -m AVC -ts boot

type=AVC msg=audit(8.4.2024 12:29:50.385:499) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:53.836:502) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:56.098:505) : avc:  denied  { relabelfrom } for  pid=46146 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=3067 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:56.209:511) : avc:  denied  { unmount } for  pid=46166 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:56.212:512) : avc:  denied  { setattr } for  pid=46169 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:56.234:525) : avc:  denied  { setattr } for  pid=46179 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c443,c573 tclass=chr_file permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:56.837:537) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:29:59.838:538) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:35:09.182:542) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:38:36.422:547) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:41:33.643:552) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(8.4.2024 12:43:45.774:562) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
On a fresh F40 installation on a different laptop, I see slightly different errors:

----
type=AVC msg=audit(04/08/2024 07:01:30.865:274) : avc:  denied  { create } for  pid=4176 comm=qemu-img anonclass=[io_uring] scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:30.865:275) : avc:  denied  { map } for  pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:30.865:276) : avc:  denied  { read write } for  pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:31.832:279) : avc:  denied  { relabelfrom } for  pid=4187 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=2800 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:31.985:285) : avc:  denied  { unmount } for  pid=4206 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:31.989:286) : avc:  denied  { setattr } for  pid=4211 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:32.018:300) : avc:  denied  { setattr } for  pid=4223 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c255,c586 tclass=chr_file permissive=1 
----
type=AVC msg=audit(04/08/2024 07:06:22.768:325) : avc:  denied  { relabelfrom } for  pid=4920 comm=rpc-virtqemud name=2-f40 dev="tmpfs" ino=2901 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(04/08/2024 07:06:22.794:329) : avc:  denied  { unmount } for  pid=4930 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(04/08/2024 07:06:22.797:330) : avc:  denied  { setattr } for  pid=4931 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(04/08/2024 07:06:22.836:343) : avc:  denied  { setattr } for  pid=4945 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c292,c580 tclass=chr_file permissive=1 
Version-Release number of selected component (if applicable):
selinux-policy-40.15-1.fc40.noarch
virt-manager-4.1.0-5.fc40.noarch
libvirt-daemon-10.1.0-1.fc40.x86_64
qemu-kvm-8.2.2-1.fc40.x86_64


How reproducible:
always

Steps to Reproduce:
1. run virt-manager
2. start a VM
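
Triage of denials like the ones above usually starts by collapsing repeats into distinct (source type, target type, class, permissions) tuples: the same getattr denial on fs_t recurs a dozen times, and the MCS categories on svirt_image_t differ for every guest. The following Python script is an added example, not part of this bug report or of the selinux-policy project; it embeds four records copied from the report as sample input and reads the same ausearch -i format from any text.

```python
import re
from collections import Counter

# Sample input: four denial records copied from this report (ausearch -i
# output, separator lines dropped); the first two are one denial repeated.
SAMPLE_AVCS = """\
type=AVC msg=audit(8.4.2024 12:29:50.385:499) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(8.4.2024 12:29:53.836:502) : avc:  denied  { getattr } for  pid=45891 comm=rpc-virtqemud name=/ dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(04/08/2024 07:01:30.865:276) : avc:  denied  { read write } for  pid=4176 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=32650 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
type=AVC msg=audit(04/08/2024 07:01:32.018:300) : avc:  denied  { setattr } for  pid=4223 comm=rpc-virtqemud name=userfaultfd dev="tmpfs" ino=7 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c255,c586 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+(?:denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; only the type matters for policy
    # triage, and dropping the range also drops the per-VM MCS categories
    # (s0:c255,c586 on svirt_image_t) so one denial seen from several guests
    # collapses into a single entry.
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1: the access was logged but not blocked (the system or
        # this domain is in permissive mode), so nothing has failed yet.
        "permissive": m.group("permissive") == "1",
    }

def summarize(text):
    """Count distinct (source type, target type, class, perms) denials."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(SAMPLE_AVCS).most_common():
        print(f"{n:3d}  {stype} -> {ttype} ({tclass}): {' '.join(perms)}")
```

Feeding it the full output of `sudo ausearch -i -m AVC -ts boot` gives the deduplicated list a policy maintainer needs, and the permissive flag tells you whether any of those denials actually broke the VM.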

Comment 1 Zdenek Pytela 2024-05-04 16:29:12 UTC
*** Bug 2270225 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2024-05-04 16:54:06 UTC
I believe that most of the reported problems will be addressed by the next build or this copr build:

https://github.com/fedora-selinux/selinux-policy/pull/2106/checks?check_run_id=24562453131

These remain:
----
type=AVC msg=audit(04/08/2024 07:01:31.832:279) : avc:  denied  { relabelfrom } for  pid=4187 comm=rpc-virtqemud name=1-f40 dev="tmpfs" ino=2800 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:31.985:285) : avc:  denied  { unmount } for  pid=4206 comm=rpc-virtqemud scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1 
----
type=AVC msg=audit(04/08/2024 07:01:31.989:286) : avc:  denied  { setattr } for  pid=4211 comm=rpc-virtqemud name=urandom dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 
----
type=AVC msg=audit(1697778192.874:42856): avc:  denied  { add_name } for  pid=2215300 comm="rpc-virtqemud" name="LCK.._pts_0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697778192.874:42858): avc:  denied  { write } for  pid=2215300 comm="rpc-virtqemud" path="/run/lock/LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
type=AVC msg=audit(1697778195.553:42860): avc:  denied  { remove_name } for  pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1697778195.553:42861): avc:  denied  { unlink } for  pid=2215300 comm="virtqemud" name="LCK.._pts_0" dev="tmpfs" ino=24434 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(1697778192.874:42859): avc:  denied  { open } for  pid=2215300 comm="rpc-virtqemud" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1
----

which need further information and/or a reproducer.

There are also these 2 specific bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2276917 (hooks)
https://bugzilla.redhat.com/show_bug.cgi?id=2278889 (swtpm)

Comment 3 Kamil Páral 2024-05-07 13:02:26 UTC
I have installed clean Fedora 40 on a new bare metal machine, fully updated including selinux-policy-40.18-2.fc40 and created a VM in virt-manager. I have seen no AVCs while installing and booting the installed VM.

I'll try the latest selinux-policy on my current Workstation, to see if I can reproduce the remaining AVCs and find more details about them.

Comment 4 Kamil Páral 2024-05-07 13:13:02 UTC
Even on my existing F40 Workstation, I no longer see AVCs, at least with a quick check. So at this moment, everything looks fixed. Perhaps we can close this and I'll open a new report if I detect any unfixed AVC in the future.

Comment 5 Zdenek Pytela 2024-05-07 13:54:39 UTC
Kamile,

thanks for testing. As behaviour can differ between environments, it is usually helpful to know what the changes to defaults were, what is specific to the environment, how to reproduce the issue, the full-auditing denials, or even advanced debugging techniques, etc.:
https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Per your suggestion, I will proceed and close this bz, awaiting new reports with the latest policy.

