Version:
virt-install-4.1.0-9.fc42.noarch
libvirt-10.10.0-1.fc42.x86_64
qemu-9.2.0-0.3.rc1.fc42.x86_64
selinux-policy-41.26-1.fc42.noarch

Step:
Create a domain with virt-install:

# virt-install --import --disk /var/lib/libvirt/images/rhel-test.qcow2 -r 4000 --machine q35 -n rhel-test --osinfo generic

Get a SELinux denial:

type=AVC msg=audit(1733476544.855:6456): avc: denied { read } for pid=369525 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4677 scontext=system_u:system_r:svirt_t:s0:c199,c344 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

It turns out the file ino=4677 is /sys/devices/system/cpu/possible:

# fd possible /sys -x ls -i
4124 /sys/devices/system/node/possible
4677 /sys/devices/system/cpu/possible

Additional info:
Not reproduced on RHEL-10:
virt-install-5.0.0-1.el10.noarch
libvirt-10.10.0-1.el10.x86_64
qemu-kvm-9.1.0-7.el10.x86_64
selinux-policy-40.13.16-1.el10.noarch

Reproducible: Always

Expected Results:
No AVC
Cannot reproduce it on:
libvirt-10.10.0-1.fc42.x86_64
qemu-9.2.0-0.3.rc1.fc42.x86_64
selinux-policy-41.26-2.fc42.noarch
virt-install-5.0.0-1.fc42.noarch
The same ruleset is now in F42, RHEL9, RHEL10:

f42# sesearch -A -s svirt_t -t sysfs_t -c file -p read
allow virt_domain sysfs_t:file { getattr ioctl lock open read }; [ virt_use_usb ]:True
f42# getsebool virt_use_usb
virt_use_usb --> on

Perhaps the boolean value has changed?

Needs to be investigated anyway as this use case does not seem to be related to usb devices.
yes

(In reply to Zdenek Pytela from comment #2)
> The same ruleset is now in F42, RHEL9, RHEL10:
>
> f42# sesearch -A -s svirt_t -t sysfs_t -c file -p read
> allow virt_domain sysfs_t:file { getattr ioctl lock open read }; [ virt_use_usb ]:True
> f42# getsebool virt_use_usb
> virt_use_usb --> on
>
> Perhaps the boolean value has changed?
>
> Needs to be investigated anyway as this use case does not seem to be related
> to usb devices.

Yes. You are right.

(avc_detector)> setsebool virt_use_usb 0
(avc_detector)> virsh start rhel
Domain 'rhel' started

Result: 0 known AVCs and 1 new AVCs got.
============================================================
See the logs at /tmp/tmp.4tccrh029m
(avc_detector)> cat /tmp/tmp.4tccrh029m
!!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
Search string: read comm="qemu-system-x86" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Details:
type=AVC msg=audit(1733885907.601:1162): avc: denied { read } for pid=57620 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4680 scontext=system_u:system_r:svirt_t:s0:c283,c579 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

Result: 0 known AVCs and 1 new AVCs got.
============================================================
(avc_detector)> virsh destroy rhel
Domain 'rhel' destroyed
(avc_detector)> setsebool virt_use_usb 1
(avc_detector)> virsh start rhel
Domain 'rhel' started

Here, avc_detector is a tool that helps report the AVC denials happening during each cmd: https://gist.github.com/qiankehan/a8b43e02aa7aaad7c02862cc5564b811
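As an added example (not part of this bug report and not the avc_detector tool's own code), the following Python parses audit.log AVC records, strips the per-VM MCS categories from the contexts so that denials from different guests compare equal, and reports keys not yet in a known set, the same "search string" shape the avc_detector output above prints. The sample log is constructed from the two records quoted in this report plus one non-AVC line.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two AVC records quoted in this bug, plus one
# unrelated SYSCALL record, as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1733476544.855:6456): avc:  denied  { read } for  pid=369525 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4677 scontext=system_u:system_r:svirt_t:s0:c199,c344 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1733476544.855:6456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1733885907.601:1162): avc:  denied  { read } for  pid=57620 comm="qemu-system-x86" name="possible" dev="sysfs" ino=4680 scontext=system_u:system_r:svirt_t:s0:c283,c579 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'^type=AVC .*avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MCS_RE = re.compile(r':c\d+(?:,c\d+)*$')  # trailing MCS categories, e.g. ":c199,c344"

def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms')
    return fields

def denial_key(avc: Dict[str, str]) -> Tuple[str, ...]:
    """Collapse a denial to (permissions, comm, scontext, tcontext, tclass),
    with the per-domain MCS categories removed from both contexts."""
    return (
        avc['perms'],
        avc.get('comm', '?'),
        MCS_RE.sub('', avc['scontext']),
        MCS_RE.sub('', avc['tcontext']),
        avc['tclass'],
    )

def find_new_denials(log_text: str, known: Set[Tuple[str, ...]]) -> List[Tuple[str, ...]]:
    """Return the distinct denial keys in log_text that are not in the known set."""
    seen: List[Tuple[str, ...]] = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = denial_key(avc)
        if key not in known and key not in seen:
            seen.append(key)
    return seen

if __name__ == "__main__":
    print(find_new_denials(SAMPLE_AUDIT_LOG, set()))
```

Both records collapse to a single key, which is why the tool counts one new AVC per run rather than one per guest label.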
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42.