Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.4
Component/s: selinux-policy
Labels:
- dependent-component
- virt-selinux

Fixed in Build:
selinux-policy-38.1.43-1.el9
Regression:
None
Severity:
None
Epic Link:
SELINUX-3400
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
23
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
CY24Q2

Acceptance Criteria:

Hide

The automated test does not trigger SELinux denials.

Show
The automated test does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

TCG VM can not use hugepages as "Permission denied"

Please provide the package NVR for which bug is seen:

libvirt-10.0.0-4.el9.x86_64
qemu-kvm-8.2.0-6.el9.x86_64
selinux-policy-38.1.33-1.el9.noarch

How reproducible:

100%

Steps to reproduce

Reserve the hugepage for VM, and set the hugepage for a TCG guest:

 
# echo 2048 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
# virsh freepages 0 2M
2048KiB: 1024
# virsh freepages 1 2M
2048KiB: 1024
# virsh dumpxml rhel
<domain type='qemu'>
  <name>rhel</name>
  <uuid>ec9e43d7-ca2f-4b53-80d0-63a53db664fe</uuid>
  <maxMemory slots='16' unit='KiB'>15242880</maxMemory>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
  <memoryBacking>
    <hugepages>
      <page size='2048' unit='KiB'/>
    </hugepages>
  </memoryBacking>
......

Try to start the vm, it will fail with permission denied

# virsh start rhel 
error: Failed to start domain 'rhel'
error: internal error: process exited while connecting to monitor: 2024-02-28T01:54:57.699312Z qemu-kvm: unable to map backing store for guest RAM: Permission denied

Check the audit log:
type=SYSCALL msg=audit(1709085297.698:1157): arch=c000003e syscall=9 success=no exit=-13 a0=7fc6abe00000 a1=40000000 a2=3 a3=12 items=0 ppid=1 pid=46590 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_tcg_t:s0:c253,c987 key=(null)
type=AVC msg=audit(1709085297.698:1157): avc:  denied  { map } for  pid=46590 comm="qemu-kvm" path=2F6465762F6875676570616765732F6C6962766972742F71656D752F312D7268656C2F71656D755F6261636B5F6D656D2E72616D2D6E6F6465302E57757A7A706E202864656C6574656429 dev="hugetlbfs" ino=104717 scontext=system_u:system_r:svirt_tcg_t:s0:c253,c987 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0

Expected results

VM should start successfully or report some error like "TCG guest do not support hugepage".

Actual results

TCG VM can not start with hugepage as "Permission deined"

links to

RHBA-2024:130707 selinux-policy bug fix and enhancement update

TCMS Test Case 617672

Assignee:: Zdenek Pytela

Reporter:: Yalan Zhang

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 2024/02/28 1:57 AM

Updated:: 2024/11/12 9:39 AM

Resolved:: 2024/11/12 9:39 AM

Target end:: 2024/08/05

Release Date:: 2024/11/12

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates