RHEL / RHEL-108742

SELinux denials appear when the libvirt-guests service tries to restart the VMs


    • rhel-security-selinux
    • The reproducer does not trigger SELinux denials.

      What were you trying to do that didn't work?

      There are AVC deny errors when libvirt-guests tries to start the VM.

      Please provide the package NVR for which the bug is seen:

      libvirt-11.5.0-4.el10.x86_64
      selinux-policy-42.1.4-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a running VM and configure the libvirt-guests service as below:

      # virsh start rhel
      Domain 'rhel' started
      
      # virsh list --all
       Id   Name         State
      -----------------------------
       1    rhel         running
      
      # cat /etc/sysconfig/libvirt-guests
      ON_BOOT="start"
      ON_SHUTDOWN="suspend"
      
      # systemctl start libvirt-guests
      # ausearch -m avc
      <no matches>
      

      2. Restart libvirt-guests service, check the guest status and the audit log:

      # systemctl restart libvirt-guests
      # virsh list --all
       Id   Name         State
      -----------------------------
       2    rhel         running
      
      # ausearch -m avc
      ----
      time->Mon Aug 11 06:22:01 2025
      type=PROCTITLE msg=audit(1754907721.748:1101): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=PATH msg=audit(1754907721.748:1101): item=0 name="/proc/31615/stat" inode=95829 dev=00:16 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:unconfined_service_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1754907721.748:1101): cwd="/"
      type=SYSCALL msg=audit(1754907721.748:1101): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f6218000b90 a2=0 a3=0 items=1 ppid=1 pid=31479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1754907721.748:1101): avc:  denied  { open } for  pid=31479 comm="rpc-virtqemud" path="/proc/31615/stat" dev="proc" ino=95829 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1754907721.748:1101): avc:  denied  { read } for  pid=31479 comm="rpc-virtqemud" name="stat" dev="proc" ino=95829 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1754907721.748:1101): avc:  denied  { search } for  pid=31479 comm="rpc-virtqemud" name="31615" dev="proc" ino=89703 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
      ----
      time->Mon Aug 11 06:22:02 2025
      type=PROCTITLE msg=audit(1754907722.976:1108): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=PATH msg=audit(1754907722.976:1108): item=0 name="/proc/31689/stat" inode=26573 dev=00:16 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:system_r:unconfined_service_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1754907722.976:1108): cwd="/"
      type=SYSCALL msg=audit(1754907722.976:1108): arch=c000003e syscall=257 success=yes exit=19 a0=ffffff9c a1=55ee81df6d30 a2=0 a3=0 items=1 ppid=1 pid=31479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtqe" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1754907722.976:1108): avc:  denied  { open } for  pid=31479 comm="prio-rpc-virtqe" path="/proc/31689/stat" dev="proc" ino=26573 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1754907722.976:1108): avc:  denied  { read } for  pid=31479 comm="prio-rpc-virtqe" name="stat" dev="proc" ino=26573 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1754907722.976:1108): avc:  denied  { search } for  pid=31479 comm="prio-rpc-virtqe" name="31689" dev="proc" ino=110622 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1 

      Expected results

      There should be no AVC deny errors.

      Actual results

      There are AVC deny errors when libvirt-guests tries to start the VM.
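The six AVC records in step 2 are easier to reason about once they are collapsed into the distinct (source type, target type, object class) tuples they represent. The script below is an added triage example, not part of the report or of libvirt/selinux-policy; it parses raw `ausearch -m avc` output, groups the denials, decodes the hex-encoded `proctitle` field (which ausearch prints that way because the command line contains NUL separators), and reports whether every record carries `permissive=1`, which means the access was logged but not blocked. The sample input is copied from the report above, trimmed to the PROCTITLE and AVC records the parser needs.

```python
"""Group SELinux AVC denials from raw `ausearch -m avc` output.

Added example for triaging this report; the sample text below is copied
from step 2 of the report (PROCTITLE and AVC records only).
"""
import re
from collections import defaultdict

SAMPLE_AUSEARCH = """\
----
time->Mon Aug 11 06:22:01 2025
type=PROCTITLE msg=audit(1754907721.748:1101): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1754907721.748:1101): avc:  denied  { open } for  pid=31479 comm="rpc-virtqemud" path="/proc/31615/stat" dev="proc" ino=95829 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1754907721.748:1101): avc:  denied  { read } for  pid=31479 comm="rpc-virtqemud" name="stat" dev="proc" ino=95829 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1754907721.748:1101): avc:  denied  { search } for  pid=31479 comm="rpc-virtqemud" name="31615" dev="proc" ino=89703 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
----
time->Mon Aug 11 06:22:02 2025
type=PROCTITLE msg=audit(1754907722.976:1108): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1754907722.976:1108): avc:  denied  { open } for  pid=31479 comm="prio-rpc-virtqe" path="/proc/31689/stat" dev="proc" ino=26573 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1754907722.976:1108): avc:  denied  { read } for  pid=31479 comm="prio-rpc-virtqe" name="stat" dev="proc" ino=26573 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=1
type=AVC msg=audit(1754907722.976:1108): avc:  denied  { search } for  pid=31479 comm="prio-rpc-virtqe" name="31689" dev="proc" ino=110622 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
"""

# One AVC record: the serial ties it to the other records of the same event.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(\d+)\): proctitle=(\S+)')


def seltype(context):
    """Return the type of a security context (user:role:type[:level])."""
    return context.split(':')[2]


def parse_avc_records(text):
    """Yield one dict of fields per type=AVC record."""
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        fields['serial'] = int(m.group('serial'))
        fields['perms'] = m.group('perms').split()
        yield fields


def decode_proctitle(value):
    """Decode a PROCTITLE value: quoted when printable, hex otherwise.
    The kernel separates argv entries with NUL bytes, hence the hex form."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value).decode('utf-8', 'replace')
    return raw.replace('\x00', ' ').strip()


def parse_proctitles(text):
    """Map audit serial -> decoded command line."""
    return {int(s): decode_proctitle(v) for s, v in PROCTITLE_RE.findall(text)}


def summarize(text):
    """Collapse denials into (source type, target type, tclass) -> sorted perms.

    The second return value is True if any record lacks permissive=1,
    i.e. if at least one access was actually blocked rather than only logged.
    """
    rules = defaultdict(set)
    enforced = False
    for rec in parse_avc_records(text):
        key = (seltype(rec['scontext']), seltype(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
        if rec.get('permissive') != '1':
            enforced = True
    return {k: sorted(v) for k, v in rules.items()}, enforced


def main():
    rules, enforced = summarize(SAMPLE_AUSEARCH)
    for (src, tgt, cls), perms in sorted(rules.items()):
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
    print('enforced denial present' if enforced
          else 'all records permissive=1: logged only, access was not blocked')
    for serial, cmd in sorted(parse_proctitles(SAMPLE_AUSEARCH).items()):
        print(f'event {serial}: {cmd}')


if __name__ == '__main__':
    main()
```

On the report's log this yields two tuples, `virtqemud_t -> unconfined_service_t:dir { search }` and `virtqemud_t -> unconfined_service_t:file { open read }`, both from `/usr/sbin/virtqemud --timeout 120` reading `/proc/<pid>/stat`, and confirms that every record is `permissive=1`, consistent with the `success=yes` on the SYSCALL lines. The grouped form is what a policy maintainer compares against the existing virtqemud_t rules; the target type being `unconfined_service_t` is the detail worth explaining before deciding where the fix belongs.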

              People:
              Zdenek Pytela (rhn-support-zpytela)
              Yalan Zhang (yalzhang@redhat.com)
              Milos Malik