Bug
Resolution: Unresolved
Major
rhel-10.0.beta
selinux-policy-40.13.6-1.el10
Yes
Critical
Regression
rhel-sst-security-selinux
ssg_security
27
None
False
No
None
Pass
Automated
Unspecified Release Note Type - Unknown
s390x
None
What were you trying to do that didn't work?
Create a node device for my s390x crypto device.
Please provide the package NVR for which the bug is seen:
How reproducible:
100%
Steps to reproduce
# cat vfio_ap_nodedev.xml
<device>
  <!-- same parent device for all -->
  <parent>ap_matrix</parent>
  <capability type="mdev">
    <type id="vfio_ap-passthrough"/>
    <uuid>d36d7d0f-cf3d-4fef-bb9c-ed393954996b</uuid>
    <attr name="assign_adapter" value="0x01"/>
    <attr name="assign_domain" value="0x0012"/>
  </capability>
</device>

# lszcrypt -V
CARD.DOM TYPE   MODE        STATUS      REQUESTS PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER
--------------------------------------------------------------------------------------------
01       CEX8C  CCA-Coproc  online           172       0     14     08 S--D--N-F- cex4card
01.0012  CEX8C  CCA-Coproc  unassigned         -       -     14     08 S--D--N-F- vfio_ap
01.0013  CEX8C  CCA-Coproc  unassigned         -       -     14     08 S--D--N-F- vfio_ap
# virsh nodedev-create vfio_ap_nodedev.xml
Expected results
The mdev node device is created successfully and the corresponding hostdev can be attached to the VM. Libvirt confirms the node device is created, returning its libvirt name.
Actual results
error: Failed to create node device from vfio_ap_nodedev.xml
error: internal error: Unable to start mediated device: ap-check: Failed to acquire configuration lock 4
Error: Script '"/usr/lib/mdevctl/scripts.d/callouts/ap-check"' failed with status '255'
Additional info
Found an SELinux denial:
type=AVC msg=audit(1717423652.633:283): avc: denied { write } for pid=7516 comm="ap-check" name="lock" dev="tmpfs" ino=31 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1717423652.633:283): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=2aa0a068530 a2=800c1 a3=1a4 items=0 ppid=7512 pid=7516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ap-check" exe="/usr/lib/mdevctl/scripts.d/callouts/ap-check" subj=system_u:system_r:virtnodedevd_t:s0 key=(null) ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
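The following is an added example, not part of the bug report and not code from selinux-policy, libvirt or mdevctl. It parses raw audit records of the kind quoted above, joins the AVC record with its SYSCALL record by event serial, decodes what the denied openat(2) was trying to do, and renders the minimal policy module (audit2allow-style) that would grant exactly the logged permission. Assumptions carried in the code: the sample records are the two from this report, embedded inline; syscall 288 under arch 80000016 is treated as s390x openat (consistent with the SYSCALL=openat enrichment in the report), and open(2) flag values are the asm-generic ones that s390x uses.

```python
"""Parse raw audit AVC/SYSCALL records and derive the SELinux allow rule they ask for.

Added example for the vfio_ap / ap-check denial; not project code.
"""
import re
from collections import defaultdict

# Constructed sample: the two raw (non-interpreted) records quoted in the report.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1717423652.633:283): avc: denied { write } for pid=7516 '
    'comm="ap-check" name="lock" dev="tmpfs" ino=31 '
    'scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 '
    'tclass=dir permissive=0\n'
    'type=SYSCALL msg=audit(1717423652.633:283): arch=80000016 syscall=288 success=no exit=-13 '
    'a0=ffffffffffffff9c a1=2aa0a068530 a2=800c1 a3=1a4 items=0 ppid=7512 pid=7516 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="ap-check" exe="/usr/lib/mdevctl/scripts.d/callouts/ap-check" '
    'subj=system_u:system_r:virtnodedevd_t:s0 key=(null)\n'
)

# Assumption: asm-generic open(2) flag values (octal, as in <asm-generic/fcntl.h>); s390x uses these.
OPEN_FLAGS = {
    0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o200: "O_EXCL", 0o400: "O_NOCTTY",
    0o1000: "O_TRUNC", 0o2000: "O_APPEND", 0o4000: "O_NONBLOCK", 0o2000000: "O_CLOEXEC",
}
S390X_ARCH, S390X_OPENAT = "80000016", "288"  # assumption: AUDIT_ARCH_S390X, openat(2)

_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")


def parse_records(text):
    """Group raw audit records by (timestamp, serial) so the AVC and SYSCALL lines of one event join up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _HDR.match(line.strip())
        if not m:
            continue
        body, rec = m.group("body"), {}
        if m.group("type") == "AVC":
            d = _DENIED.search(body)
            if not d:
                continue  # only 'denied' AVCs are of interest here
            rec["perms"] = d.group("perms").split()
            body = d.group("rest")
        rec.update({k: v.strip('"') for k, v in _KV.findall(body)})
        events[(m.group("ts"), m.group("serial"))][m.group("type")] = rec
    return events


def type_of(context):
    """Return the type component of a context such as system_u:system_r:virtnodedevd_t:s0."""
    return context.split(":")[2]


def decode_open_flags(hex_flags):
    """Turn the raw a2 argument of openat(2) into flag names."""
    val = int(hex_flags, 16)
    names = [name for bit, name in sorted(OPEN_FLAGS.items()) if val & bit]
    if not val & 0o3:
        names.insert(0, "O_RDONLY")
    return names


def denial_summary(event):
    """Reduce one audit event to the facts needed for a policy decision."""
    avc = event.get("AVC")
    if avc is None:
        return None
    s = {
        "source_type": type_of(avc["scontext"]),
        "target_type": type_of(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "enforced": avc.get("permissive") == "0",
    }
    sc = event.get("SYSCALL")
    if sc:
        s["exe"] = sc.get("exe")
        s["exit"] = int(sc["exit"])  # -13 == -EACCES
        if sc.get("arch") == S390X_ARCH and sc.get("syscall") == S390X_OPENAT:
            s["open_flags"] = decode_open_flags(sc["a2"])
            s["mode"] = int(sc["a3"], 16)
    return s


def te_module(name, summaries):
    """Render a minimal .te module granting exactly the denied permissions (what audit2allow would emit)."""
    rules = sorted({(s["source_type"], s["target_type"], s["tclass"], tuple(s["perms"])) for s in summaries})
    types = sorted({t for r in rules for t in r[:2]})
    classes = {}
    for _, _, cls, perms in rules:
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in rules]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    summaries = [denial_summary(e) for e in parse_records(SAMPLE_AUDIT).values()]
    for s in summaries:
        print(s)
    print(te_module("local_virtnodedevd_lock", summaries))
```

Read against the report, the SYSCALL record says ap-check called openat with O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC and mode 0644 on an entry under a tmpfs directory named "lock", i.e. it is creating a lock file in /run/lock, and only the first check (dir write on var_lock_t) was logged because the domain is enforcing. Allowing that single permission with a local module (`checkmodule -M -m -o x.mod x.te && semodule_package -o x.pp -m x.mod && semodule -i x.pp`) will therefore almost certainly surface follow-on denials (dir add_name, then create/open/write/lock on the file); to collect the whole set at once, make the domain permissive temporarily with `semanage permissive -a virtnodedevd_t`, rerun `virsh nodedev-create`, and feed all resulting AVCs through the parser. A local module is a stopgap for testing; the proper fix is the selinux-policy update tracked by this issue.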
- is blocked by RHEL-49567 SELinux prevents systemd-machined from creating /run/systemd/machine/io.systemd.Machine directory and socket (Release Pending)
- is cloned by RHEL-39893 Can't create vfio-ccw passthrough setup (Planning)
- relates to RHEL-54302 Can't use vfio-ap devices with selinux enabled (Planning)
- links to RHBA-2024:133202 selinux-policy bug fix and enhancement update