[hostdev]AVC denied when hotplugging/unplugging vHBA device to/from vm


      What were you trying to do that didn't work?

      There are AVC denied errors in the audit log when hotplugging/unplugging a vHBA device to/from a vm.

      The hotplugging/unplugging succeeds in SELinux Enforcing mode, so the functionality is not affected. Note, however, that the AVC records below carry `permissive=1` even though they were collected after `setenforce 1`, which suggests the virtqemud_t domain itself is permissive; the accesses would presumably be denied once that domain is enforced.

      Please provide the package NVR for which bug is seen:

      libvirt-10.4.0-1.el10.x86_64
      selinux-policy-40.13.3-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a host with HBA card
      2. Set selinux to permissive mode
        [root@dell-per730-58 ~]# setenforce 0
        
      3. Create vHBA device
        [root@dell-per730-58 ~]# cat nodedev.xml 
        <device>
        	<capability type="scsi_host">
        		<capability type="fc_host">
        			<wwnn>2001f4e9d4eb02c9</wwnn>
        			<wwpn>1000000000000001</wwpn>
                        </capability>
                </capability>
                <parent>scsi_host12</parent>
        </device>
        [root@dell-per730-58 ~]# virsh nodedev-create nodedev.xml 
        Node device scsi_host13 created from nodedev.xml
        
      4. Start vm
        [root@dell-per730-58 ~]# virsh start avocado-vt-vm1
        Domain 'avocado-vt-vm1' started
        
      5. Set selinux to enforcing mode
        [root@dell-per730-58 ~]# setenforce 1
        
      6. Hotplug the vHBA device to vm as a hostdev.
        [root@dell-per730-58 ~]# cat hostdev13.xml 
        <hostdev type="scsi" managed="no" mode="subsystem">
        	<source>
        		<adapter name="scsi_host13" />
        		<address bus="0" target="3" unit="0" />
                </source>
        </hostdev>
        
        [root@dell-per730-58 ~]# virsh attach-device avocado-vt-vm1 hostdev13.xml 
        Device attached successfully
        
      7. Hotunplug the vHBA device from vm
        [root@dell-per730-58 ~]# virsh detach-device avocado-vt-vm1 hostdev13.xml 
        Device detached successfully
        
      8. Check audit log
        [root@dell-per730-58 ~]# ausearch -m avc -ts recent
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.166:12920): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.166:12920): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f11b006eca0 a2=2 a3=0 items=0 ppid=242047 pid=254960 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.166:12920): avc:  denied  { open } for  pid=254960 comm="rpc-virtqemud" path="/dev/sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
        type=AVC msg=audit(1719218363.166:12920): avc:  denied  { read write } for  pid=254960 comm="rpc-virtqemud" name="sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.166:12921): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.166:12921): arch=c000003e syscall=72 success=yes exit=0 a0=14 a1=6 a2=7f11bfdff300 a3=0 items=0 ppid=242047 pid=254960 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.166:12921): avc:  denied  { lock } for  pid=254960 comm="rpc-virtqemud" path="/dev/sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.166:12922): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.166:12922): arch=c000003e syscall=188 success=yes exit=0 a0=7f11b006eca0 a1=7f11b000b6e0 a2=7f11b0072980 a3=2a items=0 ppid=242047 pid=254960 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.166:12922): avc:  denied  { setattr } for  pid=254960 comm="rpc-virtqemud" name="sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.166:12923): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.166:12923): arch=c000003e syscall=72 success=yes exit=0 a0=14 a1=6 a2=7f11bfdff3c0 a3=7f11b00008e0 items=0 ppid=242047 pid=254960 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.166:12923): avc:  denied  { lock } for  pid=254960 comm="rpc-virtqemud" path="/dev/sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c444,c894 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.168:12924): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.168:12924): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f11b0058cb0 a2=2 a3=0 items=0 ppid=242047 pid=254961 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.168:12924): avc:  denied  { open } for  pid=254961 comm="rpc-virtqemud" path="/dev/sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c444,c894 tclass=chr_file permissive=1
        type=AVC msg=audit(1719218363.168:12924): avc:  denied  { read write } for  pid=254961 comm="rpc-virtqemud" name="sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c444,c894 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:23 2024
        type=PROCTITLE msg=audit(1719218363.168:12925): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218363.168:12925): arch=c000003e syscall=188 success=yes exit=0 a0=7f11b0058cb0 a1=7f11b000b6e0 a2=7f11b006e0b0 a3=5 items=0 ppid=242047 pid=254961 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218363.168:12925): avc:  denied  { setattr } for  pid=254961 comm="rpc-virtqemud" name="sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c444,c894 tclass=chr_file permissive=1
        ----
        time->Mon Jun 24 04:39:30 2024
        type=PROCTITLE msg=audit(1719218370.806:12929): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719218370.806:12929): arch=c000003e syscall=87 success=yes exit=0 a0=7f11a0003400 a1=7f11a0003400 a2=0 a3=0 items=0 ppid=242047 pid=255021 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719218370.806:12929): avc:  denied  { unlink } for  pid=255021 comm="rpc-virtqemud" name="sg4" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
        
        

      Expected results

      No AVC denied errors

      Actual results

      There are AVC denied errors

            rhn-support-zpytela Zdenek Pytela
            rhn-support-fjin Fangge Jin
            Zdenek Pytela Zdenek Pytela
            SSG Security QE SSG Security QE