RHEL-39893

Can't create vfio-ccw passthrough setup

    • Yes
    • Critical
    • Regression
    • rhel-sst-security-selinux
    • ssg_security
    • 3
    • False
    • Yes
    • None
    • Known Issue
    • When using the SELinux Enforcing mode, DASD passthrough won't work.
    • Proposed
    • s390x
    • None

      What were you trying to do that didn't work?

      Create a node device for my s390x ccw device.

      Please provide the package NVR for which bug is seen:

      libvirt-10.0.0-3.el10+5.s390x

      How reproducible:

      100%

      Steps to reproduce

      1. # cat vfio_ccw_nodedev.xml 
        <device>
        	<!-- corresponds to css device 0.0.26aa -->
        	<parent>css_0_0_0030</parent>
        	<capability type="mdev">
        		<type id="vfio_ccw-io"/>
        		<uuid>8d312cf6-f92a-485c-8db8-ba9299848f46</uuid>
        	</capability>
        </device>
        
        # lscss
        Device   Subchan.  DevType CU Type Use  PIM PAM POM  CHPIDs           
        ----------------------------------------------------------------------
        ...
        0.0.4024 0.0.0030  3390/0c 3990/ec      f0  f0  ff   01020506 00000000
        ...
        
      2.  # virsh nodedev-create vfio_ccw_nodedev.xml 
        
        

      Expected results

      The mdev node device is created successfully and the corresponding hostdev can be attached to the VM. Libvirt confirms the node device is created, returning its libvirt name.

      Actual results

      error: Failed to create node device from vfio_ccw_nodedev.xml
      error: internal error: Unable to start mediated device: Error: Failed to create mdev 8d312cf6-f92a-485c-8db8-ba9299848f46, type vfio_ccw-io on 0.0.0030
      
      Caused by:
          Permission denied (os error 13)
      

      Additional info

      Found an SELinux denial:

      type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="vfio_ccw-io" dev="sysfs" ino=83242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="create" dev="sysfs" ino=83243 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1717424542.745:5801): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fff5478550 a2=80241 a3=1b6 items=1 ppid=82427 pid=84115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=CWD msg=audit(1717424542.745:5801): cwd="/"
      

      Upstream issue: https://github.com/fedora-selinux/selinux-policy/issues/2134
      (reproduces on F40)

              rhn-support-zpytela Zdenek Pytela
              smitterl@redhat.com Sebastian Mitterle
              Lukas Vrabec
              IBM Confidential Group
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
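Added example (not part of the original report, and not libvirt, mdevctl or selinux-policy code): a small Python triage helper that groups the audit records quoted in the report by event serial and reduces each AVC denial to source domain, target type, class and permission, tied to the syscall that failed. The function names and the shortened SYSCALL record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the report plus a shortened SYSCALL record.
SAMPLE = """\
type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="vfio_ccw-io" dev="sysfs" ino=83242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="create" dev="sysfs" ino=83243 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717424542.745:5801): arch=80000016 syscall=288 success=no exit=-13 pid=84115 uid=0 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split 'key=value key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def se_type(context):
    """Return the type part of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def triage(log):
    """Group records by audit serial and summarise each denial with its syscall."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        denial = DENIED.search(body) if rtype == "AVC" else None
        if denial:
            events[serial]["avc"].append({**fields(denial.group(2)), "perms": denial.group(1).split()})
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields(body)
    findings = []
    for serial, ev in events.items():
        sc = ev["syscall"]
        for avc in ev["avc"]:
            findings.append({
                "event": serial, "exe": sc.get("exe"), "object": avc.get("name"),
                "source": se_type(avc["scontext"]), "target": se_type(avc["tcontext"]),
                "tclass": avc["tclass"], "perms": avc["perms"],
                "enforced": avc.get("permissive") == "0",
                "errno": -int(sc["exit"]) if sc.get("success") == "no" else 0,
            })
    return findings
```

On the sample records it reports `virtnodedevd_t` denied `write` on `sysfs_t` for both the `vfio_ccw-io` directory and its `create` file, with errno 13 matching the "Permission denied (os error 13)" returned by mdevctl.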