RHEL-114412

AVC denials when destroying a guest with a block disk and snapshots


    • rhel-security-selinux

      What were you trying to do that didn't work?

      Got AVC denials when destroying a guest with a block disk and snapshots.

      Please provide the package NVR for which the bug is seen:

      libvirt-11.5.0-4.el10.x86_64
      qemu-kvm-10.0.0-13.el10_1.x86_64

      How reproducible:

      100%

      Steps to reproduce

      1. Start a guest with a block disk.
      # virsh dumpxml avocado-vt-vm1 --xpath //disk
      <disk type="file" device="disk">
        <driver name="qemu" type="qcow2" cache="none" io="native" discard="unmap"/>
        <source file="/var/lib/avocado/data/avocado-vt/images/jeos-27-x86_64.qcow2" index="2"/>
        <backingStore/>
        <target dev="vda" bus="virtio"/>
        <alias name="virtio-disk0"/>
        <address type="pci" domain="0x0000" bus="0x04" slot="0x00" function="0x0"/>
      </disk>
      <disk type="block" device="disk">
        <driver name="qemu" type="raw" cache="none" io="native" discard="unmap"/>
        <source dev="/dev/sdb" index="1"/>
        <backingStore/>
        <target dev="vdb" bus="virtio"/>
        <alias name="virtio-disk1"/>
        <address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
      </disk>

      2. Create snapshots.
      # for i in 1 2 3;do virsh snapshot-create-as avocado-vt-vm1 s$i --disk-only --diskspec vda,snapshot=no --diskspec vdb,file=/var/lib/libvirt/images/avocado-vt-vm1.s$i;done
      Domain snapshot s1 created
      Domain snapshot s2 created
      Domain snapshot s3 created

      # ls -Z /var/lib/libvirt/images/
      system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s1
      system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s2
      system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s3

      3. Destroy the guest.

      # virsh destroy avocado-vt-vm1
      Domain 'avocado-vt-vm1' destroyed
      Result: 0 known AVCs and 4 new AVCs got.

      # ls -Z /var/lib/libvirt/images/
      system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s1
      system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s2
      system_u:object_r:fixed_disk_device_t:s0 avocado-vt-vm1.s3
       
      4. Check the new AVCs.
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  lock  comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0  tclass=file
      Details: type=AVC msg=audit(1757657264.959:10113): avc:  denied  { lock } for  pid=139708 comm="rpc-virtqemud" path="/var/lib/libvirt/images/avocado-vt-vm1.s3" dev="dm-0" ino=201356738 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  open  comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0  tclass=file
      Details: type=AVC msg=audit(1757657264.960:10114): avc:  denied  { open } for  pid=139709 comm="rpc-virtqemud" path="/var/lib/libvirt/images/avocado-vt-vm1.s3" dev="dm-0" ino=201356738 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  read write  comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0  tclass=file
      Details: type=AVC msg=audit(1757657264.960:10114): avc:  denied  { read write } for  pid=139709 comm="rpc-virtqemud" name="avocado-vt-vm1.s3" dev="dm-0" ino=201356738 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  setattr  comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0  tclass=file
      Details: type=AVC msg=audit(1757657264.960:10115): avc:  denied  { setattr } for  pid=139709 comm="rpc-virtqemud" name="avocado-vt-vm1.s3" dev="dm-0" ino=201356738 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1
      Result: 0 known AVCs and 4 new AVCs got.

      Expected results

      No AVC denials

      Actual results 

      Got AVC denials
       
      Additional info
      I think the label of the active image should be svirt_image_t, not fixed_disk_device_t. If we use the following rules they'll disappear, but that may not be expected:
      (allow virtqemud_t fixed_disk_device_t (file (lock)))
      (allow virtqemud_t fixed_disk_device_t (file (open)))
      (allow virtqemud_t fixed_disk_device_t (file (read write)))
      (allow virtqemud_t fixed_disk_device_t (file (setattr)))
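To make the denials in step 4 and the label change between the two ls -Z listings easier to inspect, here is an added Python example (it is not part of this report and not libvirt or SELinux policy code). It parses the four AVC records quoted above, collapses them into one CIL allow rule covering all five permissions (the four rules in the comment above, merged), and diffs the before/after listings to flag the file whose type moved away from svirt_image_t. The audit lines and listings are copied from this report; EXPECTED_IMAGE_TYPE is an assumption taken from the comment above, and the function names are the example's own.

```python
"""Parse the AVC denials quoted in RHEL-114412 and check the image labels.

Added example, not part of the report. The audit records and the 'ls -Z'
listings are copied from the report; EXPECTED_IMAGE_TYPE is an assumption
based on the reporter's comment that the active image should be svirt_image_t.
"""
import re
from collections import defaultdict

# The four 'Details:' records from step 4 of the report.
AVC_LINES = [
    'type=AVC msg=audit(1757657264.959:10113): avc:  denied  { lock } for  pid=139708 '
    'comm="rpc-virtqemud" path="/var/lib/libvirt/images/avocado-vt-vm1.s3" dev="dm-0" ino=201356738 '
    'scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1757657264.960:10114): avc:  denied  { open } for  pid=139709 '
    'comm="rpc-virtqemud" path="/var/lib/libvirt/images/avocado-vt-vm1.s3" dev="dm-0" ino=201356738 '
    'scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1757657264.960:10114): avc:  denied  { read write } for  pid=139709 '
    'comm="rpc-virtqemud" name="avocado-vt-vm1.s3" dev="dm-0" ino=201356738 '
    'scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1757657264.960:10115): avc:  denied  { setattr } for  pid=139709 '
    'comm="rpc-virtqemud" name="avocado-vt-vm1.s3" dev="dm-0" ino=201356738 '
    'scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=file permissive=1',
]

# 'ls -Z /var/lib/libvirt/images/' before and after 'virsh destroy' (from the report).
LS_BEFORE = """\
system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s1
system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s2
system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s3
"""
LS_AFTER = """\
system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s1
system_u:object_r:svirt_image_t:s0:c147,c793 avocado-vt-vm1.s2
system_u:object_r:fixed_disk_device_t:s0 avocado-vt-vm1.s3
"""

# Assumption taken from the reporter's comment: the active image should be svirt_image_t.
EXPECTED_IMAGE_TYPE = "svirt_image_t"

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
TARGET_RE = re.compile(r'\b(?:path|name)="(?P<target>[^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    target = TARGET_RE.search(line)
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "source_type": selinux_type(m.group("scontext")),
        "target_type": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "target": target.group("target") if target else None,
        # permissive=1: the access was logged but still allowed by the kernel
        "permissive": m.group("permissive") == "1",
    }


def group_denials(lines):
    """Collapse denials into {(source_type, target_type, tclass): set(perms)}."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def to_cil(groups):
    """Render grouped denials as CIL allow rules, one per (source, target, class)."""
    return [f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(groups.items())]


def parse_ls_z(listing):
    """Map file name -> SELinux type from 'ls -Z' output."""
    files = {}
    for line in listing.strip().splitlines():
        context, name = line.split(None, 1)
        files[name.strip()] = selinux_type(context)
    return files


def label_changes(before, after, expected_type):
    """List (name, old_type, new_type) for files whose type is not expected_type afterwards."""
    old, new = parse_ls_z(before), parse_ls_z(after)
    return [(name, old.get(name), t) for name, t in sorted(new.items()) if t != expected_type]


if __name__ == "__main__":
    for rule in to_cil(group_denials(AVC_LINES)):
        print("rule that would silence the denials:", rule)
    for name, old, new in label_changes(LS_BEFORE, LS_AFTER, EXPECTED_IMAGE_TYPE):
        print(f"{name}: type changed {old} -> {new}, expected {EXPECTED_IMAGE_TYPE}")
    if all(parse_avc(line)["permissive"] for line in AVC_LINES):
        print("all denials were recorded in permissive mode, so the accesses went through")
```

Run stand-alone, it prints the merged rule and the svirt_image_t to fixed_disk_device_t transition for avocado-vt-vm1.s3. Two things the output makes visible: the permissive=1 field on every record means the accesses were only logged, so with enforcing mode the same destroy sequence would fail for rpc-virtqemud; and the merged rule would let virtqemud_t lock, open, read, write and setattr any fixed_disk_device_t file, which is why the comment above treats the rules as a way to make the denials disappear rather than as the fix, and points at the label of the active image instead.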

              rhn-support-zpytela Zdenek Pytela
              rhn-support-meili Meina Li
              Zdenek Pytela
              SSG Security QE