Bug
Resolution: Unresolved
Major
rhel-10.0.beta
Yes
Critical
Regression
rhel-sst-security-selinux
ssg_security
3
False
Yes
None
None
Automated
Known Issue
When using the SELinux Enforcing mode, DASD passthrough won't work.
Proposed
s390x
None
What were you trying to do that didn't work?
Create a node device for my s390x ccw device.
Please provide the package NVR for which bug is seen:
libvirt-10.0.0-3.el10+5.s390x
How reproducible:
100%
Steps to reproduce
# cat vfio_ccw_nodedev.xml
<device>
  <!-- corresponds to css device 0.0.26aa -->
  <parent>css_0_0_0030</parent>
  <capability type="mdev">
    <type id="vfio_ccw-io"/>
    <uuid>8d312cf6-f92a-485c-8db8-ba9299848f46</uuid>
  </capability>
</device>
#
# lscss
Device   Subchan.  DevType CU Type Use  PIM PAM POM  CHPIDs
----------------------------------------------------------------------
...
0.0.4024 0.0.0030  3390/0c 3990/ec      f0  f0  ff   01020506 00000000
...
# virsh nodedev-create vfio_ccw_nodedev.xml
Expected results
The mdev node device is created successfully and the corresponding hostdev can be attached to the VM. Libvirt confirms the node device is created, returning its libvirt name.
Actual results
error: Failed to create node device from vfio_ccw_nodedev.xml
error: internal error: Unable to start mediated device: Error: Failed to create mdev 8d312cf6-f92a-485c-8db8-ba9299848f46, type vfio_ccw-io on 0.0.0030
Caused by: Permission denied (os error 13)
Additional info
Found an SELinux denial:
type=AVC msg=audit(1717424542.745:5801): avc: denied { write } for pid=84115 comm="mdevctl" name="vfio_ccw-io" dev="sysfs" ino=83242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1717424542.745:5801): avc: denied { write } for pid=84115 comm="mdevctl" name="create" dev="sysfs" ino=83243 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717424542.745:5801): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fff5478550 a2=80241 a3=1b6 items=1 ppid=82427 pid=84115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1717424542.745:5801): cwd="/"
Upstream issue: https://github.com/fedora-selinux/selinux-policy/issues/2134
(reproduces on F40)
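An added example, not part of the original report or of the libvirt or selinux-policy projects: a small Python parser that groups the AVC records quoted above by source type, target type and object class, making it visible that mdevctl running as virtnodedevd_t was refused write on generically labelled sysfs_t objects. The function names are assumptions of this example, and the SYSCALL line in the sample is shortened.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the report, plus a shortened SYSCALL record.
SAMPLE = """\
type=AVC msg=audit(1717424542.745:5801): avc: denied { write } for pid=84115 comm="mdevctl" name="vfio_ccw-io" dev="sysfs" ino=83242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1717424542.745:5801): avc: denied { write } for pid=84115 comm="mdevctl" name="create" dev="sysfs" ino=83243 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1717424542.745:5801): arch=80000016 syscall=288 success=no exit=-13 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    fields['event'] = m.group('ts') + ':' + m.group('serial')
    # A context is user:role:type:level; policy rules match on the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def summarize(log):
    """Group denials by (source type, target type, class) and collect perms and names."""
    groups = defaultdict(lambda: {'perms': set(), 'names': set(), 'enforced': False})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['names'].add(rec.get('name', '?'))
        g['enforced'] |= rec.get('permissive') == '0'  # 0 means the access was blocked
    return dict(groups)

if __name__ == '__main__':
    for (s, t, c), g in sorted(summarize(SAMPLE).items()):
        mode = 'blocked' if g['enforced'] else 'logged only (permissive)'
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }} "
              f"on {sorted(g['names'])} [{mode}]")
```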
- clones: RHEL-39890 Can't create vfio-ap passthrough setup (Release Pending)
- is related to: RHEL-54302 Can't use vfio-ap devices with selinux enabled (Planning)