Bug 2299130 - SELinux is preventing qemu-system-x86 from 'open' accesses on the chr_file /dev/sgx_vepc.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 40
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:318db2fa54c46b71e58cb7955b8...
Depends On:
Blocks:
Reported: 2024-07-21 19:41 UTC by Sudesh
Modified: 2024-10-16 07:09 UTC (History)
CC: 8 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-10-16 07:09:08 UTC
Type: ---
Embargoed:


Attachments
File: description (2.28 KB, text/plain), 2024-07-21 19:41 UTC, Sudesh
File: os_info (653 bytes, text/plain), 2024-07-21 19:41 UTC, Sudesh


Links
GitHub fedora-selinux/selinux-policy pull 2274 (open): Support SGX devices, last updated 2024-07-30 09:12:22 UTC

Description Sudesh 2024-07-21 19:41:51 UTC
Description of problem:
upgrade from fedora 38 to 40
SELinux is preventing qemu-system-x86 from 'open' accesses on the chr_file /dev/sgx_vepc.

*****  Plugin device (91.4 confidence) suggests   ****************************

If you want to allow qemu-system-x86 to have open access on the sgx_vepc chr_file
Then you need to change the label on /dev/sgx_vepc to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '/dev/sgx_vepc'
# restorecon -v '/dev/sgx_vepc'

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that qemu-system-x86 should be allowed open access on the sgx_vepc chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-system-x86' --raw | audit2allow -M my-qemusystemx86
# semodule -X 300 -i my-qemusystemx86.pp

Additional Information:
Source Context                system_u:system_r:virtqemud_t:s0
Target Context                system_u:object_r:device_t:s0
Target Objects                /dev/sgx_vepc [ chr_file ]
Source                        qemu-system-x86
Source Path                   qemu-system-x86
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 6.9.9-200.fc40.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Jul 11 19:29:01 UTC 2024
                              x86_64
Alert Count                   1
First Seen                    2024-07-21 20:26:35 CEST
Last Seen                     2024-07-21 20:26:35 CEST
Local ID                      8b822cb1-4e32-402f-89d4-dc5488bb12f5

Raw Audit Messages
type=AVC msg=audit(1721586395.113:208): avc:  denied  { open } for  pid=1824 comm="qemu-system-x86" path="/dev/sgx_vepc" dev="devtmpfs" ino=85 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1


Hash: qemu-system-x86,virtqemud_t,device_t,chr_file,open

Version-Release number of selected component:
selinux-policy-targeted-40.24-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing qemu-system-x86 from 'open' accesses on the chr_file /dev/sgx_vepc.
package:        selinux-policy-targeted-40.24-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.9.9-200.fc40.x86_64
comment:        upgrade from fedora 38 to 40
component:      selinux-policy
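As an added illustration (not part of the bug report and not setroubleshoot's own code), the following Python parses the raw AVC record above, rebuilds the tuple setroubleshoot prints as "Hash:", and separates the case the device plugin describes (target still carrying the generic device_t label, so the fix is a file context) from a denial against an already specifically labelled object (so the fix is a policy rule). The second sample record and the set of generic types are constructed assumptions for the example.

```python
"""Parse raw SELinux AVC 'denied' records and derive the setroubleshoot-style
denial key, then decide whether a denial points at a labelling gap (generic
target type) or at a missing allow rule."""
import re
from dataclasses import dataclass

# Sample input: the AVC record quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1721586395.113:208): avc:  denied  { open } for  pid=1824 '
    'comm="qemu-system-x86" path="/dev/sgx_vepc" dev="devtmpfs" ino=85 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1'
)

# Constructed contrast sample (not from the bug): a denial against a file that
# already carries a specific type, with two permissions in one record.
SAMPLE_AVC_LABELLED = (
    'type=AVC msg=audit(1721586400.000:209): avc:  denied  { read write } for  pid=1824 '
    'comm="qemu-system-x86" path="/var/lib/libvirt/images/vm.qcow2" dev="dm-0" ino=42 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=0'
)

# Target types that carry no object-specific meaning (assumed list for this
# example). A denial against one of these is the situation setroubleshoot's
# "device" plugin describes: the node needs a proper file context, not a new
# allow rule that would grant access to every device_t node at once.
GENERIC_TARGET_TYPES = frozenset({"device_t", "unlabeled_t", "default_t", "file_t"})


@dataclass(frozen=True)
class AvcDenial:
    comm: str
    path: str
    scontext: str
    tcontext: str
    tclass: str
    perms: tuple
    permissive: bool

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is the third field.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def hash_key(self) -> str:
        """The tuple setroubleshoot prints as "Hash:": comm, source type,
        target type, object class, then each denied permission."""
        return ",".join((self.comm, self.source_type, self.target_type,
                         self.tclass, *self.perms))


_DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str):
    """Return an AvcDenial for an AVC 'denied' record, or None for any other line."""
    m = _DENIED.search(line)
    if m is None:
        return None
    perms = tuple(m.group(1).split())
    # key=value pairs; quoted values (comm, path) lose their quotes.
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    return AvcDenial(
        comm=fields.get("comm", ""),
        path=fields.get("path", fields.get("name", "")),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        perms=perms,
        permissive=fields.get("permissive") == "1",
    )


def classify(d: AvcDenial) -> str:
    """'relabel' when the target carries only a generic type, else 'policy-rule'."""
    return "relabel" if d.target_type in GENERIC_TARGET_TYPES else "policy-rule"


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_AVC_LABELLED):
        d = parse_avc(line)
        mode = "permissive" if d.permissive else "enforcing"
        print(f"{d.hash_key()} -> {classify(d)} ({mode})")
```

Running it on the bug's record yields the same key setroubleshoot reported, `qemu-system-x86,virtqemud_t,device_t,chr_file,open`, classified as a relabel case; the `permissive=1` field confirms the access was logged but not blocked, which is why the reporter saw an alert rather than a failing VM start.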

Comment 1 Sudesh 2024-07-21 19:41:53 UTC
Created attachment 2040069 [details]
File: description

Comment 2 Sudesh 2024-07-21 19:41:55 UTC
Created attachment 2040070 [details]
File: os_info

Comment 3 Zdenek Pytela 2024-07-22 12:37:18 UTC
Juraj,

There seem to be some "new" (at least new to selinux-policy) virt-related devices:

/dev/sgx_enclave
/dev/sgx_provision
/dev/sgx_vepc

What would you suggest as SELinux types (or type if it can be shared) for them?

arch/x86/kvm/Kconfig
114 config X86_SGX_KVM
115         bool "Software Guard eXtensions (SGX) Virtualization"
116         depends on X86_SGX && KVM_INTEL
117         help
118 
119           Enables KVM guests to create SGX enclaves.
120 
121           This includes support to expose "raw" unreclaimable enclave memory to
122           guests via a device node, e.g. /dev/sgx_vepc.


https://www.kernel.org/doc/html/latest/arch/x86/sgx.html
https://lkml.iu.edu/hypermail/linux/kernel/2103.0/00223.html

Comment 4 Juraj Marcin 2024-07-23 15:47:00 UTC
Hi Zdenek,

From what I have found, I think each of these devices should get its own new label.

/dev/sgx_enclave can be used by any application (not only virt-related) to create and interact with an SGX enclave through the SGX kernel driver. Each enclave is contained in an EPC.

/dev/sgx_vepc can be used by a hypervisor (for example qemu) to create an EPC (without creating an enclave in it) that can be passed to a guest, so the applications running in the guest system can create SGX enclaves.

As for /dev/sgx_provision, this device is used to set the PROVISION_KEY flag on the enclave by calling an ioctl() on the enclave with an fd to /dev/sgx_provision as another argument. QEMU does open this file, but I am not sure whether hypervisors are the only users, or what the exact use of this flag is.

Comment 5 Zdenek Pytela 2024-07-30 09:12:23 UTC
Thank you for the detailed description.

Comment 6 Zdenek Pytela 2024-07-30 10:49:26 UTC
Sudesh,

Will you be able to test a copr build? I am afraid we don't have a system with the support at hand, and there will likely be some follow-up permissions that need to be added.

https://github.com/fedora-selinux/selinux-policy/pull/2274
Checks -> rawhide -> dashboard

It would be even better with full auditing enabled, and permissive mode helps to gather all denials:

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

setenforce 0

Comment 7 Sudesh 2024-08-07 21:45:22 UTC
I managed to change the audit mode, but unfortunately I have no clue how to apply this git repo to my system.

Tried to apply the changes directly with chcon, but that didn't work.

Also I noticed I only have two of the 3 listed devices:

# ls -Z /dev/sgx*
system_u:object_r:device_t:s0 /dev/sgx_provision
system_u:object_r:device_t:s0 /dev/sgx_vepc

# chcon system_u:object_r:sgx_provision_device_t:s0 /dev/sgx_provision 
chcon: invalid context: ‘system_u:object_r:sgx_provision_device_t:s0’: Invalid argument

Comment 8 Zdenek Pytela 2024-08-08 07:04:41 UTC
No worries, it is now in rawhide and will be in F40 soon.
