RHEL-39890: Can't create vfio-ap passthrough setup

    • selinux-policy-40.13.6-1.el10
    • Critical
    • Regression
    • sst_security_selinux
    • ssg_security
    • s390x

      What were you trying to do that didn't work?

      Create a node device for my s390x crypto device.

      Please provide the package NVR for which the bug is seen:

      How reproducible:

      100%

      Steps to reproduce

      1. # cat vfio_ap_nodedev.xml
        <device>
          <!-- same parent device for all -->
          <parent>ap_matrix</parent>
          <capability type="mdev">
            <type id="vfio_ap-passthrough"/>
            <uuid>d36d7d0f-cf3d-4fef-bb9c-ed393954996b</uuid>
            <attr name="assign_adapter" value="0x01"/>
            <attr name="assign_domain" value="0x0012"/>
          </capability>
        </device>
        # lszcrypt -V
        CARD.DOM TYPE  MODE        STATUS     REQUESTS  PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER
        --------------------------------------------------------------------------------------------
        01       CEX8C CCA-Coproc  online          172        0     14     08 S--D--N-F- cex4card
        01.0012  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap
        01.0013  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap

      2. # virsh nodedev-create vfio_ap_nodedev.xml

      Expected results

      The mdev node device is created successfully and the corresponding hostdev can be attached to the VM. Libvirt confirms the node device is created, returning its libvirt name.

      Actual results

      error: Failed to create node device from vfio_ap_nodedev.xml
      error: internal error: Unable to start mediated device: ap-check: Failed to acquire configuration lock 4
      Error: Script '"/usr/lib/mdevctl/scripts.d/callouts/ap-check"' failed with status '255'

      Additional info

      Found an SELinux denial:

      type=AVC msg=audit(1717423652.633:283): avc:  denied  { write } for  pid=7516 comm="ap-check" name="lock" dev="tmpfs" ino=31 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1717423652.633:283): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=2aa0a068530 a2=800c1 a3=1a4 items=0 ppid=7512 pid=7516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ap-check" exe="/usr/lib/mdevctl/scripts.d/callouts/ap-check" subj=system_u:system_r:virtnodedevd_t:s0 key=(null) ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

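      The two audit records above carry everything needed to triage the failure: the AVC record names the source domain (virtnodedevd_t), the target type (var_lock_t), the object class (dir) and the denied permission (write), and the SYSCALL record with the same audit event id (1717423652.633:283) names the executable and the syscall that was refused with EACCES (exit=-13). The following Python script is an added example, not part of this report or of selinux-policy; it parses the records, joins AVC and SYSCALL entries by event id, keeps only enforced denials (permissive=0) for a chosen domain, and renders each as the single rule audit2allow would print. The sample input is constructed from the records above (the audit record separator replaced by a space) plus one made-up permissive record to show the filtering; the rule it prints is a starting point for a policy fix, not the form the shipped policy uses.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the report, plus one
# made-up permissive=1 record (event 290) that the enforced-denial filter drops.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1717423652.633:283): avc:  denied  { write } for  pid=7516 comm="ap-check" name="lock" dev="tmpfs" ino=31 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1717423652.633:283): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=2aa0a068530 a2=800c1 a3=1a4 items=0 ppid=7512 pid=7516 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ap-check" exe="/usr/lib/mdevctl/scripts.d/callouts/ap-check" subj=system_u:system_r:virtnodedevd_t:s0 key=(null) ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1717423700.001:290): avc:  denied  { read } for  pid=7600 comm="example" name="foo" dev="tmpfs" ino=40 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
"""

# "type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    # SELinux context is user:role:type:level; the type is what a rule names
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = _kv(m.group('rest'))
    return {
        'event': m.group('event'),
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': f.get('comm'),
        'pid': f.get('pid'),
        'name': f.get('name'),
        'source_type': _type_of(f['scontext']),
        'target_type': _type_of(f['tcontext']),
        'tclass': f['tclass'],
        'permissive': f.get('permissive') == '1',
    }


def parse_syscall(line):
    """Return the fields of one SYSCALL record, or None if the line is not one."""
    line = line.strip()
    if not line.startswith('type=SYSCALL '):
        return None
    f = _kv(line)
    # msg value looks like 'audit(1717423652.633:283):'; keep only the event id
    event = f['msg'][len('audit('):].rstrip('):')
    return {
        'event': event,
        'syscall': f.get('SYSCALL', f.get('syscall')),  # name if ausearch -i style, else number
        'exe': f.get('exe'),
        'success': f.get('success') == 'yes',
        'exit': int(f.get('exit', '0')),
    }


def correlate(audit_text):
    """Join every AVC record with the SYSCALL record sharing its event id."""
    avcs, syscalls = [], {}
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            avcs.append(avc)
            continue
        sc = parse_syscall(line)
        if sc:
            syscalls[sc['event']] = sc
    for avc in avcs:
        avc.update({k: v for k, v in syscalls.get(avc['event'], {}).items() if k != 'event'})
    return avcs


def find_enforced_denials(audit_text, source_type=None):
    """Denials that actually blocked an action (permissive=0), optionally for one domain."""
    return [a for a in correlate(audit_text)
            if a['result'] == 'denied' and not a['permissive']
            and (source_type is None or a['source_type'] == source_type)]


def suggest_allow_rule(avc):
    """Render a denial as the one-line rule audit2allow would print for it."""
    if avc['result'] != 'denied':
        return None
    perms = ' '.join(sorted(avc['perms']))
    if len(avc['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'], avc['tclass'], perms)


if __name__ == '__main__':
    for a in find_enforced_denials(SAMPLE_AUDIT, source_type='virtnodedevd_t'):
        print(a['event'], a['comm'], a.get('exe'), a.get('syscall'), 'exit=%s' % a.get('exit'),
              a['source_type'], '->', a['target_type'], a['tclass'], sorted(a['perms']))
        print('  audit2allow-style rule:', suggest_allow_rule(a))
```

      Run against a real system the input would come from ausearch -m AVC,SYSCALL (the script accepts raw or ausearch -i style SYSCALL records). For the report's records it yields the single enforced denial from ap-check running in virtnodedevd_t, the openat call that failed with -13, and the rule allow virtnodedevd_t var_lock_t:dir write; which is the permission the policy update for this bug has to grant in whatever form the policy maintainers choose.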

            Zdenek Pytela (rhn-support-zpytela)
            Sebastian Mitterle (smitterl@redhat.com)
            IBM Confidential Group
            Milos Malik