Bug 638859 - Hotplug PF in enforcing mode will fail by selinux
Summary: Hotplug PF in enforcing mode will fail by selinux
Keywords:
Status: CLOSED DUPLICATE of bug 644276
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: libvirt
Version: 5.6
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Jiri Denemark
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 638073
Depends On:
Blocks: 573940
Reported: 2010-09-30 07:31 UTC by Min Zhan
Modified: 2010-11-09 13:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-27 14:30:49 UTC
Target Upstream Version:
Embargoed:



Description Min Zhan 2010-09-30 07:31:44 UTC
Description of problem:
Hotplug PF makes the guest not running

Version-Release number of selected component (if applicable):
RHEL5.6-Server-x86_64-kvm
kvm-83-199.el5
kvm-qemu-img-83-199.el5
libvirt-0.8.2-6.el5

How reproducible:
100%

Steps to Reproduce:
1. Have VT-d enabled and start a guest
# virsh start mig
2. On host
# lspci|grep 82576
03:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
03:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
3. Select one PF device
# lspci -n |grep 03:00.0
03:00.0 0200: 8086:10c9 (rev 01)
4. # virsh nodedev-dettach pci_8086_10c9_0
Device pci_8086_10c9_0 dettached
5. # virsh nodedev-reset pci_8086_10c9_0
Device pci_8086_10c9_0 reset
6. # virsh nodedev-dumpxml pci_8086_10c9_0
<device>
  <name>pci_8086_10c9_0</name>
  <parent>pci_8086_3408</parent>
  <driver>
    <name>pci-stub</name>
  </driver>
  <capability type='pci'>
    <domain>0</domain>
    <bus>3</bus>
    <slot>0</slot>
    <function>0</function>
    <product id='0x10c9'>82576 Gigabit Network Connection</product>
    <vendor id='0x8086'>Intel Corporation</vendor>
  </capability>
</device>
7. # cat pf.xml
<hostdev mode='subsystem' type='pci'>
  <source>
    <address bus='3' slot='0' function='0'/>
  </source>
</hostdev>
8. In guest
# modprobe acpiphp
9. In host
# virsh attach-device mig pf.xml

Actual results:
Guest status turns from running to shut off, and the attach-device command hangs.

Expected results:
The device should be attached.

Additional info:

Comment 1 Min Zhan 2010-09-30 07:58:35 UTC
Hotplug VF will display the same problem.

Comment 2 Jiri Denemark 2010-10-06 12:06:42 UTC
Hotplugging a PCI device works just fine for me. Could you try with a managed PCI device (i.e., add the managed='yes' attribute to the hostdev element in pf.xml)? Also, /var/log/libvirt/qemu/mig.log could contain some useful info after you try to attach the device to that guest.

Comment 3 Min Zhan 2010-10-08 04:29:26 UTC
Jiri,

I have tried adding a managed PCI device, but hotplug is still not OK. Detailed information is below:

# cat pf.xml
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address bus='3' slot='0' function='0'/>
  </source>
</hostdev>

# virsh attach-device mig pf.xml 
error: Failed to attach device from pf.xml
error: operation failed: parsing pci_add reply failed: 

# tail -f /var/log/libvirt/qemu/mig.log 
no output

# tail -f /var/log/messages
Oct  8 00:26:04 dhcp-66-92-158 kernel: qemu-kvm[998]: segfault at 0000000000000000 rip 000000000052a5f3 rsp 00007fff41901200 error 4
Oct  8 00:26:04 dhcp-66-92-158 libvirtd: 00:26:04.173: error : qemuMonitorTextAddPCIHostDevice:1542 : operation failed: parsing pci_add reply failed:  
Oct  8 00:26:04 dhcp-66-92-158 kernel: virbr0: port 3(vnet2) entering disabled state
Oct  8 00:26:04 dhcp-66-92-158 kernel: device vnet2 left promiscuous mode
Oct  8 00:26:04 dhcp-66-92-158 kernel: virbr0: port 3(vnet2) entering disabled state
Oct  8 00:26:04 dhcp-66-92-158 setroubleshoot: SELinux is preventing qemu-kvm (svirt_t) "sys_admin" to <Unknown> (svirt_t). For complete SELinux messages. run sealert -l 2b904fb3-6f98-4114-a711-b7ce0f638f4c
Oct  8 00:26:04 dhcp-66-92-158 last message repeated 4 times
Oct  8 00:26:04 dhcp-66-92-158 libvirtd: 00:26:04.249: warning : SELinuxRestoreSecurityFileLabel:385 : cannot lookup default selinux label for /tmp/images/mig.img 
Oct  8 00:26:04 dhcp-66-92-158 kernel: PCI: Enabling device 0000:03:00.0 (0100 -> 0102)
Oct  8 00:26:04 dhcp-66-92-158 kernel: ACPI: PCI Interrupt 0000:03:00.0[A] -> GSI 28 (level, low) -> IRQ 82
Oct  8 00:26:04 dhcp-66-92-158 kernel: igb 0000:03:00.0: 0 vfs allocated
Oct  8 00:26:04 dhcp-66-92-158 setroubleshoot: SELinux is preventing qemu-kvm (svirt_t) "sys_admin" to <Unknown> (svirt_t). For complete SELinux messages. run sealert -l 2b904fb3-6f98-4114-a711-b7ce0f638f4c
Oct  8 00:26:04 dhcp-66-92-158 setroubleshoot: SELinux is preventing qemu-kvm (svirt_t) "sys_admin" to <Unknown> (svirt_t). For complete SELinux messages. run sealert -l 2b904fb3-6f98-4114-a711-b7ce0f638f4c
Oct  8 00:26:04 dhcp-66-92-158 kernel: igb 0000:03:00.0: Intel(R) Gigabit Ethernet Network Connection
Oct  8 00:26:04 dhcp-66-92-158 kernel: igb 0000:03:00.0: eth1: (PCIe:2.5Gb/s:Width x4) 00:1b:21:39:8b:18
Oct  8 00:26:04 dhcp-66-92-158 kernel: igb 0000:03:00.0: eth1: PBA No: e43709-003
Oct  8 00:26:04 dhcp-66-92-158 kernel: igb 0000:03:00.0: Using MSI-X interrupts. 4 rx queue(s), 1 tx queue(s)
Oct  8 00:26:04 dhcp-66-92-158 libvirtd: 00:26:04.411: warning : SELinuxRestoreSecurityFileLabel:385 : cannot lookup default selinux label for /sys/bus/pci/devices/0000:03:00.0/rom 
Oct  8 00:26:04 dhcp-66-92-158 libvirtd: 00:26:04.411: warning : qemudDomainAttachHostDevice:8001 : Unable to restore host device labelling on hotplug fail

Comment 4 Jiri Denemark 2010-10-08 11:01:23 UTC
*** Bug 638073 has been marked as a duplicate of this bug. ***

Comment 5 Jiri Denemark 2010-10-14 10:30:25 UTC
Hmm, qemu-kvm segfaulted, but that could be the result of the selinux denial. Could you attach details about the denial as suggested in the log messages? That is, the textual description from sealert -l 2b904fb3-6f98-4114-a711-b7ce0f638f4c

Comment 6 Jiri Denemark 2010-10-19 14:57:35 UTC
OK, I reproduced it myself with enforcing mode...

SELinux is preventing qemu-kvm (svirt_t) "sys_admin" to <Unknown> (svirt_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that this access
is required by qemu-kvm and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:svirt_t:s0:c594,c646
Target Context                system_u:system_r:svirt_t:s0:c594,c646
Target Objects                None [ capability ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          virval.brq.redhat.com
Source RPM Packages           kvm-83-205.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-287.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     virval.brq.redhat.com
Platform                      Linux virval.brq.redhat.com 2.6.18-226.el5 #1 SMP
                              Thu Oct 7 20:55:39 EDT 2010 x86_64 x86_64
Alert Count                   7
First Seen                    Tue Oct 19 16:35:43 2010
Last Seen                     Tue Oct 19 16:35:43 2010
Local ID                      3b4dac93-2fb2-44d1-8cf4-0792e9e83f8a
Line Numbers                  

Raw Audit Messages            

host=virval.brq.redhat.com type=AVC msg=audit(1287498943.267:336): avc:  denied  { sys_admin } for  pid=12999 comm="qemu-kvm" capability=21 scontext=system_u:system_r:svirt_t:s0:c594,c646 tcontext=system_u:system_r:svirt_t:s0:c594,c646 tclass=capability

host=virval.brq.redhat.com type=SYSCALL msg=audit(1287498943.267:336): arch=c000003e syscall=17 success=yes exit=0 a0=f a1=7fff361b8c67 a2=1 a3=48 items=0 ppid=1 pid=12999 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c594,c646 key=(null)


This looks pretty similar to bug 644276. Am I right, Daniel (Walsh)?
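
As an added example (not from this bug report or from libvirt), a small Python parser that joins the AVC record above with its SYSCALL record by audit serial and decodes the numeric fields: capability 21 is CAP_SYS_ADMIN, syscall 17 on x86_64 (arch=c000003e) is pread64, and the pairing makes visible that the read itself returned success=yes despite the denial. The sample records are copied from this comment; the capability table is a subset.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records from comment 6 (host= prefix dropped).
RAW_AUDIT = """\
type=AVC msg=audit(1287498943.267:336): avc:  denied  { sys_admin } for  pid=12999 comm="qemu-kvm" capability=21 scontext=system_u:system_r:svirt_t:s0:c594,c646 tcontext=system_u:system_r:svirt_t:s0:c594,c646 tclass=capability
type=SYSCALL msg=audit(1287498943.267:336): arch=c000003e syscall=17 success=yes exit=0 a0=f a1=7fff361b8c67 a2=1 a3=48 items=0 ppid=1 pid=12999 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c594,c646 key=(null)
"""

CAP_NAMES = {12: "net_admin", 13: "net_raw", 16: "sys_module", 17: "sys_rawio",
             19: "sys_ptrace", 21: "sys_admin"}   # linux/capability.h, subset only
X86_64_SYSCALLS = {17: "pread64"}   # arch=c000003e; only the number this record uses

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

def parse_record(line):
    # key=value fields, plus the serial and (for AVC) the permission set and verdict
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["_serial"] = m.group(2) if m else None
    if rec.get("type") == "AVC":
        p = PERM_RE.search(line)
        rec["_perms"] = p.group(1).split() if p else []
        rec["_denied"] = " denied " in line
    return rec

def group_by_serial(text):
    # records sharing msg=audit(ts:serial) describe one event
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    return events

def summarize(records):
    # join the AVC record with its SYSCALL record and decode the numeric fields
    avc = next(r for r in records if r["type"] == "AVC")
    sc = next((r for r in records if r["type"] == "SYSCALL"), {})
    cap = int(avc["capability"]) if "capability" in avc else None
    sysno = int(sc["syscall"]) if "syscall" in sc else None
    return {
        "comm": avc.get("comm"),
        "denied": avc["_denied"],
        "perms": avc["_perms"],
        "capability": CAP_NAMES.get(cap, cap),
        # a capability check is the process against itself: scontext == tcontext
        "same_context": avc.get("scontext") == avc.get("tcontext"),
        "syscall": X86_64_SYSCALLS.get(sysno, sysno) if sc.get("arch") == "c000003e" else sysno,
        "syscall_succeeded": sc.get("success") == "yes",
    }
```

Because source and target context are both the VM's own svirt_t:s0:c594,c646 label with tclass=capability, this is the qemu-kvm process asking for a capability on itself, not an access to another VM's resources.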

Comment 7 Jiri Denemark 2010-10-19 14:58:47 UTC
Min Zhan, could you double-check that PCI passthrough works when you switch SELinux to permissive mode?

Comment 8 Daniel Walsh 2010-10-19 15:11:06 UTC
Yes this is the same.

Comment 9 Min Zhan 2010-10-20 05:54:55 UTC
Hi Jiri,

I got the 82576 PC this morning and retested as follows:

Version-Release number of selected component:
RHEL5.6-Server-x86_64-kvm
libvirt-0.8.2-7.el5
kvm-qemu-img-83-205.el5
kvm-83-205.el5


----------------Hotplug PF----------

- Enforcing mode
1. # getenforce
Enforcing

The same result as above; error message:
error: Failed to attach device from pf.xml
error: operation failed: parsing pci_add reply failed: 

- Permissive mode
1. # setenforce 0
2. # getenforce
Permissive
3. # virsh attach-device rh55 pf.xml 
error: Failed to attach device from pf.xml
error: operation failed: parsing pci_add reply failed: 

Also, the rh55 guest will be in shutdown status.

So I still have a problem in Permissive mode. Please confirm whether you can reproduce the bug in Permissive mode. Thanks.

------------VF passthrough-------------------

Still no output when using # lspci | grep 82576 to check the assigned VF. For details, please refer to bug 638875 comments 3 and 4.

Comment 10 Jiri Denemark 2010-10-20 09:37:10 UTC
It appeared the guest was a qemu one instead of kvm:

virsh dumpxml rh55
<domain type='qemu'>

Comment 11 Min Zhan 2010-10-20 09:59:34 UTC
(In reply to comment #10)

It is OK with a KVM type guest in Permissive mode with managed=yes.

Comment 12 Min Zhan 2010-10-20 10:37:14 UTC
Version-Release number of selected component:
RHEL5.6-Server-x86_64-kvm
libvirt-0.8.2-7.el5
kvm-qemu-img-83-205.el5
kvm-83-205.el5


I have tried in these scenarios about hotplug and passthrough using kvm type guest with managed=yes.

- Permissive mode hotplug PF
- Permissive mode hotplug VF
- Enforcing mode hotplug VF
Works well. The device attaches correctly.

- Enforcing mode hotplug PF
An error is displayed. Refer to comment 3 and comment 6.


- Permissive mode VF passthrough
- Enforcing mode VF passthrough
Works well, and the VF can be seen in the guest.

Comment 13 Jiri Denemark 2010-10-21 09:50:05 UTC
OK, closing this as a dup of bug 644276 since that already tracks this selinux denial when attaching PCI device to a guest.

*** This bug has been marked as a duplicate of bug 644276 ***

Comment 14 Min Zhan 2010-10-22 06:01:03 UTC
Bug 644276 was closed as not a bug because of an environment problem. But hotplug PF in enforcing mode still fails because of a SELinux problem. So I reopened this bug and also modified the bug summary to "Hotplug PF in enforcing mode will fail by selinux".

Comment 15 Jiri Denemark 2010-10-27 14:30:49 UTC

*** This bug has been marked as a duplicate of bug 644276 ***

