RHEL / RHEL-44620

AVC denied when creating/destroying vHBA device by "virsh nodedev-create/destroy"

    • sst_security_selinux
    • ssg_security

      What were you trying to do that didn't work?

      Trying to create/destroy a vHBA device with "virsh nodedev-create/destroy" fails with a permission denied error.

      Please provide the package NVR for which the bug is seen:

      libvirt-10.4.0-1.el10.x86_64
      selinux-policy-40.13.3-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a host with HBA card
      2. Set SELinux to enforcing mode
        [root@dell-per730-58 ~]# setenforce 1
        
      3. Create vHBA device
        [root@dell-per730-58 ~]# cat nodedev.xml
        <device>
          <capability type="scsi_host">
            <capability type="fc_host">
              <wwnn>2001f4e9d4eb02c9</wwnn>
              <wwpn>1000000000000001</wwpn>
            </capability>
          </capability>
          <parent>scsi_host12</parent>
        </device>
        [root@dell-per730-58 ~]# virsh nodedev-create nodedev.xml 
        error: Failed to create node device from nodedev.xml
        error: Write of '1000000000000001:2001f4e9d4eb02c9' to '/sys/class/fc_host/host12/vport_create' during vport create/delete failed: Permission denied
        
      4. Check audit log:
        type=AVC msg=audit(1719197955.240:6181): avc:  denied  { write } for  pid=48811 comm="rpc-virtnodedev" name="vport_create" dev="sysfs" ino=45743 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
        
      5. Set SELinux to permissive mode
        # setenforce 0
        
      6. Create vHBA device:
        [root@dell-per730-58 ~]# virsh nodedev-create nodedev.xml 
        Node device scsi_host13 created from nodedev.xml
        
      7. Check audit log:
        [root@dell-per730-58 ~]# ausearch -m avc
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.400:10670): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719200208.400:10670): arch=c000003e syscall=257 success=yes exit=21 a0=ffffff9c a1=7f2114000e20 a2=201 a3=0 items=0 ppid=1 pid=131063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.400:10670): avc:  denied  { write } for  pid=131063 comm="rpc-virtnodedev" name="vport_create" dev="sysfs" ino=45743 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.405:10671): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719200208.405:10671): arch=c000003e syscall=21 success=yes exit=0 a0=7f2114001038 a1=1 a2=9 a3=7f21140008e0 items=0 ppid=1 pid=131063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.405:10671): avc:  denied  { execute } for  pid=131063 comm="rpc-virtnodedev" name="udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.407:10672): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719200208.407:10672): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=67110910 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719200208.407:10672): cwd="/"
        type=EXECVE msg=audit(1719200208.407:10672): argc=2 a0="/usr/sbin/udevadm" a1="settle"
        type=SYSCALL msg=audit(1719200208.407:10672): arch=c000003e syscall=59 success=yes exit=0 a0=7f2114001e90 a1=7f2114001eb0 a2=7ffdfbb5ef78 a3=7f21140008e0 items=1 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.407:10672): avc:  denied  { map } for  pid=131581 comm="udevadm" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719200208.407:10672): avc:  denied  { execute_no_trans } for  pid=131581 comm="rpc-virtnodedev" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.412:10673): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.412:10673): arch=c000003e syscall=9 success=yes exit=140190281019392 a0=0 a1=1000 a2=1 a3=1 items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.412:10673): avc:  denied  { map } for  pid=131581 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.412:10674): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719200208.412:10674): item=0 name="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" inode=67116214 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_context_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719200208.412:10674): cwd="/"
        type=SYSCALL msg=audit(1719200208.412:10674): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=557f3576bbb0 a2=80000 a3=0 items=1 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.412:10674): avc:  denied  { open } for  pid=131581 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=67116214 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719200208.412:10674): avc:  denied  { read } for  pid=131581 comm="udevadm" name="file_contexts.subs_dist" dev="dm-0" ino=67116214 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719200208.412:10674): avc:  denied  { search } for  pid=131581 comm="udevadm" name="files" dev="dm-0" ino=67116207 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
        type=AVC msg=audit(1719200208.412:10674): avc:  denied  { search } for  pid=131581 comm="udevadm" name="contexts" dev="dm-0" ino=7538 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.412:10675): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.412:10675): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffd1eae60c0 a2=8 a3=0 items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.412:10675): avc:  denied  { getattr } for  pid=131581 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=67116214 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.412:10676): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.412:10676): arch=c000003e syscall=9 success=yes exit=140190264729600 a0=0 a1=90116 a2=1 a3=2 items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.412:10676): avc:  denied  { map } for  pid=131581 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="dm-0" ino=69417039 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.414:10677): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719200208.414:10677): item=0 name="/proc/1/root" inode=128 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719200208.414:10677): cwd="/"
        type=SYSCALL msg=audit(1719200208.414:10677): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f8097d0d549 a2=7ffd1eae76e0 a3=0 items=1 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.414:10677): avc:  denied  { read } for  pid=131581 comm="udevadm" name="root" dev="proc" ino=7189 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.414:10678): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.414:10678): arch=c000003e syscall=137 success=yes exit=0 a0=7f8097d042e4 a1=7ffd1eae7610 a2=7f8096f74320 a3=0 items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.414:10678): avc:  denied  { getattr } for  pid=131581 comm="udevadm" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.414:10679): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.414:10679): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=557f3576de20 a2=14 a3=b items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.414:10679): avc:  denied  { connectto } for  pid=131581 comm="udevadm" path="/run/udev/control" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
        type=AVC msg=audit(1719200208.414:10679): avc:  denied  { write } for  pid=131581 comm="udevadm" name="control" dev="tmpfs" ino=778 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file permissive=1
        ----
        time->Sun Jun 23 23:36:48 2024
        type=PROCTITLE msg=audit(1719200208.415:10680): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719200208.415:10680): arch=c000003e syscall=254 success=yes exit=1 a0=5 a1=7ffd1eae75f0 a2=200 a3=0 items=0 ppid=131063 pid=131581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719200208.415:10680): avc:  denied  { watch } for  pid=131581 comm="udevadm" path="/run/udev" dev="tmpfs" ino=56 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
        
      8. Destroy vHBA device:
        # virsh nodedev-destroy scsi_host13
        
      9. Check audit log:
        ----
        time->Mon Jun 24 01:16:34 2024
        type=PROCTITLE msg=audit(1719206194.010:10818): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719206194.010:10818): arch=c000003e syscall=257 success=yes exit=21 a0=ffffff9c a1=55fecce36380 a2=201 a3=0 items=0 ppid=1 pid=158703 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719206194.010:10818): avc:  denied  { write } for  pid=158703 comm="prio-rpc-virtno" name="vport_delete" dev="sysfs" ino=45744 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      Expected results

      No AVC denied error

      Actual results

            Zdenek Pytela (rhn-support-zpytela)
            Fangge Jin (rhn-support-fjin)
            SSG Security QE
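The AVC records quoted in steps 7 and 9 are the raw material a policy maintainer works from: what matters is the distinct set of (source type, target type, object class) triples and the permissions each one lacks, plus whether the record was taken in permissive mode (logged only) or enforcing mode (access actually blocked, as in step 3). The script below is an added example, not code from the RHEL-44620 report, libvirt or selinux-policy; it is a small, transparent stand-in for the summary that `audit2allow` produces, so the reviewer can see exactly which rules a set of records implies before deciding whether they belong in the distribution policy. The regex, the function names and the choice of emitting `.te` style `allow` rules are this example's own assumptions; the sample records are copied from the report above.

```python
"""Summarise SELinux AVC denials into the allow rules they imply.

Added example for reviewing records such as those in RHEL-44620; it is not part
of the report, libvirt or selinux-policy. It reduces raw audit lines to
(source type, target type, class) -> permissions, mirroring in a minimal,
readable way what `audit2allow` does for a local policy module.
"""
import re
from collections import defaultdict

# Sample input: AVC records copied from steps 7 and 9 of the report above, plus the
# SYSCALL record from step 9 to show that non-AVC record types are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1719200208.400:10670): avc:  denied  { write } for  pid=131063 comm="rpc-virtnodedev" name="vport_create" dev="sysfs" ino=45743 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719200208.405:10671): avc:  denied  { execute } for  pid=131063 comm="rpc-virtnodedev" name="udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719200208.407:10672): avc:  denied  { execute_no_trans } for  pid=131581 comm="rpc-virtnodedev" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719200208.414:10679): avc:  denied  { connectto } for  pid=131581 comm="udevadm" path="/run/udev/control" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1719206194.010:10818): arch=c000003e syscall=257 success=yes exit=21 a0=ffffff9c a1=55fecce36380 a2=201 a3=0 items=0 ppid=1 pid=158703 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
type=AVC msg=audit(1719206194.010:10818): avc:  denied  { write } for  pid=158703 comm="prio-rpc-virtno" name="vport_delete" dev="sysfs" ino=45744 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Assumed record shape (matches the lines above): "{ perm perm ... }" followed later
# by scontext=, tcontext=, tclass= and an optional permissive= flag.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """Return the type field of a user:role:type[:range] context.

    The MLS range may itself contain ':' (e.g. s0-s0:c0.c1023), so the type is
    always the third field, never the last one.
    """
    return context.split(":")[2]


def parse_avc(text):
    """Extract one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            # permissive=1 means the access was logged but still allowed
            "permissive": m.group("permissive") == "1",
        })
    return denials


def allow_rules(denials):
    """Collapse denials into sorted, de-duplicated .te style allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def all_permissive(denials):
    """True when every record was taken in permissive mode, i.e. nothing was
    actually blocked; a permissive=0 record means the operation really failed."""
    return bool(denials) and all(d["permissive"] for d in denials)


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    print(f"{len(found)} AVC denials, all permissive: {all_permissive(found)}")
    for rule in allow_rules(found):
        print(rule)
```

On a live host the same summary comes from `ausearch -m avc | audit2allow`, and `audit2allow -M <name>` builds a loadable local module from it. The point of seeing the rules spelled out is to review them before loading anything: a rule such as `allow virtnodedevd_t sysfs_t:file write` grants the daemon write access to every sysfs file, far more than the two `vport_create`/`vport_delete` attributes the report shows it needs, so a local module is at best a stop-gap while the distribution policy is fixed.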