Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:

Severity:
Critical
Epic Link:
SELINUX-3400
Keywords:

Regression

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Story Points:
400
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Link:
https://polarion.engineering.redhat.com/polarion/#/project/RHELVIRT/workitem?id=RHEL-241121
Test Coverage:

Automated

Experience:
Architecture:

s390x

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Create a node device for my s390x ccw device.

Please provide the package NVR for which bug is seen:

libvirt-10.0.0-3.el10+5.s390x

How reproducible:

100%

Steps to reproduce

# cat vfio_ccw_nodedev.xml 
<device>
	<!-- corresponds to css device 0.0.26aa -->
	<parent>css_0_0_0030</parent>
	<capability type="mdev">
		<type id="vfio_ccw-io"/>
		<uuid>8d312cf6-f92a-485c-8db8-ba9299848f46</uuid>
	</capability>
</device>

# # lscss
Device   Subchan.  DevType CU Type Use  PIM PAM POM  CHPIDs           
----------------------------------------------------------------------
...
0.0.4024 0.0.0030  3390/0c 3990/ec      f0  f0  ff   01020506 00000000
...

 # virsh nodedev-create vfio_ccw_nodedev.xml

Expected results

The mdev node device is created succesfully and the corresponding hostdev can be attached to the VM. Libvirt confirms the node device is created returning it's libvirt name.

Actual results

error: Failed to create node device from vfio_ccw_nodedev.xml
error: internal error: Unable to start mediated device: Error: Failed to create mdev 8d312cf6-f92a-485c-8db8-ba9299848f46, type vfio_ccw-io on 0.0.0030

Caused by:
    Permission denied (os error 13)

Additional info

Found an SELinux denial:

type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="vfio_ccw-io" dev="sysfs" ino=83242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1717424542.745:5801): avc:  denied  { write } for  pid=84115 comm="mdevctl" name="create" dev="sysfs" ino=83243 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717424542.745:5801): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fff5478550 a2=80241 a3=1b6 items=1 ppid=82427 pid=84115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1717424542.745:5801): cwd="/"

Upstream issue: https://github.com/fedora-selinux/selinux-policy/issues/2134
(reproduces on F40)

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

ccw_nodedev_permissive_audit.log
7 kB
2024/06/14 1:10 PM

clones

RHEL-39890 Can't create vfio-ap passthrough setup

Planning

links to

IBM Bug 206807

upstream issue

Assignee:: Zdenek Pytela

Reporter:: Sebastian Mitterle

Contributing Groups:: IBM Confidential Group

Developer:: Zdenek Pytela

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 17 Start watching this issue

Created:: 2024/06/03 2:23 PM

Updated:: 2024/06/25 12:25 PM

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Additional info

Attachments

Attachments

Issue Links

Activity

People

Dates