Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-32296

selinux prevents qemu-kvm from read access to max_map_count

XMLWordPrintable

    • selinux-policy-38.1.37-1.el9
    • None
    • None
    • ZStream
    • rhel-sst-security-selinux
    • ssg_security
    • 11
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Approved Blocker
    • Hide

      The qemu-kvm processes do not trigger any SELinux denials in enforcing mode when the Steps to Reproduce are followed.

      Show
      The qemu-kvm processes do not trigger any SELinux denials in enforcing mode when the Steps to Reproduce are followed.
    • Pass
    • Automated
    • Unspecified Release Note Type - Unknown
    • All
    • None

      Description:
      When I tried to start the guest, it will report the avc denied error

      Version-Release number of selected component (if applicable):
      selinux-policy-38.1.35-2.el9_4.noarch
      libvirt-10.0.0-6.el9_4.x86_64
      qemu-kvm-8.2.0-11.el9_4.x86_64

      How reproducible:
      100%

      Steps to Reproduce:
      1. define a guest

      #  virt-install --connect qemu:///system -n avocado-vt-vm1 --hvm --accelerate -r 2048 --vcpus=2 --os-variant rhel9.4 --disk path=/var/lib/libvirt/images/RHEL-9.5-x86_64-latest-ovmf.qcow2,bus=virtio,format=qcow2 --network bridge=virbr0,model=virtio --import --noreboot --noautoconsole --serial pty --memballoon model=virtio --graphics vnc --video cirrus --boot uefi

Starting install...
Creating domain...                                                                                                                                                     |         00:00:00    
Domain creation completed.
You can restart your domain by running:
  virsh --connect qemu:///system start avocado-vt-vm1

      2. Start the guest

      # virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

      3. Check guest status

      # virsh domstate avocado-vt-vm1 --reason
running (booted)

      (Guest can be started successfully)

      4. Check the audit log in host

      # ausearch -m avc
----
time->Tue Apr  9 20:23:09 2024
type=PROCTITLE msg=audit(1712708589.510:788): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D61766F6361646F2D76742D766D312C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1712708589.510:788): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5627a280a074 a2=0 a3=0 items=0 ppid=1 pid=21445 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c572,c618 key=(null)
type=AVC msg=audit(1712708589.510:788): avc:  denied  { read } for  pid=21445 comm="qemu-kvm" name="max_map_count" dev="proc" ino=52988 scontext=system_u:system_r:svirt_t:s0:c572,c618 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

      Expected result:
      Should not report avc denied error

              rhn-support-zpytela Zdenek Pytela
              rhn-support-lizhu Lili Zhu
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              1 Vote for this issue
              Watchers:
              18 Start watching this issue

                Created:
                Updated:
                Resolved: