- Bug
- Resolution: Duplicate
- Critical
- rhel-9.4
- Important
- TestOnly
- rhel-virt-core
- ssg_virtualization
- Red Hat Enterprise Linux
- Automated
- x86_64
What were you trying to do that didn't work?
Start guest and receive AVC log.
Please provide the package NVR for which bug is seen:
qemu-kvm: 8.2.0-11.el9_4
Please note: 8.2.0-6.el9 didn't trigger this issue.
https://beaker.engineering.redhat.com/recipes/15739809#task175006790
How reproducible: 100%
Steps to reproduce
1. Guest XML as below:

<domain type='kvm'>
  <name>g1</name>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <memoryBacking>
    <hugepages>
      <page size='1048576' unit='KiB'/>
    </hugepages>
    <locked/>
    <access mode='shared'/>
  </memoryBacking>
  <vcpu placement='static'>3</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='8'/>
    <vcpusched vcpus='0' scheduler='fifo' priority='1'/>
    <vcpupin vcpu='1' cpuset='6'/>
    <vcpusched vcpus='1' scheduler='fifo' priority='1'/>
    <vcpupin vcpu='2' cpuset='4'/>
    <vcpusched vcpus='2' scheduler='fifo' priority='1'/>
    <emulatorsched scheduler='fifo' priority='1'/>
    <emulatorpin cpuset='2'/>
  </cputune>
  <numatune>
    <memory mode='strict' nodeset='0'/>
    <memnode cellid='0' mode='strict' nodeset='0'/>
  </numatune>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <pmu state='off'/>
    <vmport state='off'/>
    <ioapic driver='qemu'/>
  </features>
  <cpu mode='host-passthrough' check='none'>
    <feature policy='require' name='tsc-deadline'/>
    <numa>
      <cell id='0' cpus='0-2' memory='8388608' unit='KiB' memAccess='shared'/>
    </numa>
  </cpu>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <pm>
    <suspend-to-mem enabled='no'/>
    <suspend-to-disk enabled='no'/>
  </pm>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/g1.qcow2'/>
      <backingStore/>
      <target dev='vda' bus='virtio'/>
      <alias name='virtio-disk0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </disk>
    <controller type='usb' index='0' model='none'>
      <alias name='usb'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x10'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x11'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0x8'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0x9'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </controller>
    <controller type='pci' index='5' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='5' port='0xa'/>
      <alias name='pci.5'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </controller>
    <controller type='pci' index='6' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='6' port='0xb'/>
      <alias name='pci.6'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:01:02:03'/>
      <source bridge='virbr0'/>
      <model type='virtio'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/1'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <input type='mouse' bus='ps2'>
      <alias name='input0'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input1'/>
    </input>
    <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
    </memballoon>
    <iommu model='intel'>
      <driver intremap='on' caching_mode='on' iotlb='on'/>
    </iommu>
  </devices>
</domain>
2. Start guest and check audit.log:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

selinux-policy-38.1.33-1.el9.noarch

----
time->Wed Apr 10 00:41:54 2024
type=PROCTITLE msg=audit(1712724114.196:1463): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D67312C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A22726177222C2266696C65223A222F
type=SYSCALL msg=audit(1712724114.196:1463): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d93da09074 a2=0 a3=0 items=0 ppid=1 pid=14883 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c763,c1020 key=(null)
type=AVC msg=audit(1712724114.196:1463): avc: denied { read } for pid=14883 comm="qemu-kvm" name="max_map_count" dev="proc" ino=78601 scontext=system_u:system_r:svirt_t:s0:c763,c1020 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
3. Output from sealert:

sealert -a /var/log/audit/audit.log
100% done
found 12 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.

*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************

If max_map_count is a virtualization target
Then you need to change the label on max_map_count'
Do
# semanage fcontext -a -t virt_image_t 'max_map_count'
# restorecon -v 'max_map_count'

*****  Plugin catchall (2.13 confidence) suggests   **************************

If you believe that qemu-kvm should be allowed read access on the max_map_count file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qemu-kvm' --raw | audit2allow -M my-qemukvm
# semodule -X 300 -i my-qemukvm.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c763,c1020
Target Context                system_u:object_r:sysctl_vm_t:s0
Target Objects                max_map_count [ file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           qemu-kvm-core-8.2.0-11.el9_4.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.33-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.33-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dell-per750-66.rhts.eng.pek2.redhat.com
Platform                      Linux dell-per750-66.rhts.eng.pek2.redhat.com 5.14.0-427.11.1.el9_4.x86_64+rt #1 SMP PREEMPT_RT Wed Apr 3 13:03:04 EDT 2024 x86_64 x86_64
Alert Count                   1
First Seen                    2024-04-10 00:41:54 EDT
Last Seen                     2024-04-10 00:41:54 EDT
Local ID                      29c08239-950b-4770-84b0-8e22b676fc8b

Raw Audit Messages
type=AVC msg=audit(1712724114.196:1463): avc: denied { read } for pid=14883 comm="qemu-kvm" name="max_map_count" dev="proc" ino=78601 scontext=system_u:system_r:svirt_t:s0:c763,c1020 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1712724114.196:1463): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=55d93da09074 a2=0 a3=0 items=0 ppid=1 pid=14883 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c763,c1020 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=qemu GID=qemu EUID=qemu SUID=qemu FSUID=qemu EGID=qemu SGID=qemu FSGID=qemu

Hash: qemu-kvm,svirt_t,sysctl_vm_t,file,read
Expected results
secontext of max_map_count and virt_image_t
[root@dell-per750-66 ~]# semanage fcontext -l | grep virt_image_t
/var/lib/imagefactory/images(/.*)?    all files    system_u:object_r:virt_image_t:s0
/var/lib/libvirt/images(/.*)?         all files    system_u:object_r:virt_image_t:s0
[root@dell-per750-66 ~]# semanage fcontext -l | grep max_map_count
[root@dell-per750-66 ~]# ll -Z /proc/sys/vm/max_map_count
-rw-r--r--. 1 root root system_u:object_r:sysctl_vm_t:s0 0 Apr 10 00:39 /proc/sys/vm/max_map_count
Actual results
No avc deny log printed.
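The AVC record quoted in this report can be matched mechanically in audit.log; the following Python is an added example (not part of this report or of the qemu-kvm or selinux-policy projects) that parses type=AVC records and flags exactly the svirt_t read denial on a sysctl_vm_t file shown above. The sample log is constructed: the report's own AVC/SYSCALL pair plus one unrelated httpd denial that the filter must reject.

```python
import re
from dataclasses import dataclass
# Constructed sample log: the AVC/SYSCALL pair quoted in this report plus one
# unrelated httpd denial so that the filter has a record to reject.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1712724114.196:1463): avc:  denied  { read } for  pid=14883 comm="qemu-kvm" name="max_map_count" dev="proc" ino=78601 scontext=system_u:system_r:svirt_t:s0:c763,c1020 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1712724114.196:1463): arch=c000003e syscall=257 success=no exit=-13 pid=14883 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1712724200.001:1500): avc:  denied  { write } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

@dataclass
class Avc:
    serial: int    # audit event serial, shared with the matching SYSCALL record
    result: str    # "denied" or "granted"
    perms: tuple   # permissions listed inside { ... }, e.g. ("read",)
    fields: dict   # pid, comm, name, dev, ino, scontext, tcontext, tclass, ...

    def type_of(self, key):
        # system_u:system_r:svirt_t:s0:c763,c1020 -> svirt_t (third colon field)
        return self.fields[key].split(":")[2]

def parse_avc_records(text):
    """Parse every type=AVC line in an audit.log excerpt; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(Avc(int(m.group("serial")), m.group("result"),
                           tuple(m.group("perms").split()), fields))
    return records

def is_qemu_sysctl_vm_denial(avc):
    """True for the denial in this report: qemu-kvm (svirt_t) denied read on a sysctl_vm_t file."""
    return (avc.result == "denied" and "read" in avc.perms
            and avc.fields.get("comm") == "qemu-kvm"
            and avc.type_of("scontext") == "svirt_t"
            and avc.type_of("tcontext") == "sysctl_vm_t"
            and avc.fields.get("tclass") == "file")

def find_qemu_sysctl_vm_denials(text):
    return [a for a in parse_avc_records(text) if is_qemu_sysctl_vm_denial(a)]
```

Note that sealert's top suggestion (relabelling max_map_count as virt_image_t) does not apply here: the target is a sysctl node under /proc/sys/vm whose sysctl_vm_t label comes from the policy itself, not from a file-context rule, so the access has to be granted in selinux-policy (the linked RHEL-32296) rather than by semanage fcontext and restorecon.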
- depends on: RHEL-32296 selinux prevents qemu-kvm from read access to max_map_count (Closed)
- is blocked by: RHEL-32296 selinux prevents qemu-kvm from read access to max_map_count (Closed)
- is duplicated by: RHEL-34616 [RHEL-9.5 ] avc: denied { read } for pid=32896 comm="qemu-kvm" name="max_map_count" dev="proc" ino=110649 (Closed)