
AVC denied when hotplugging block type disk to vm


      What were you trying to do that didn't work?

      There are AVC denials in the audit log when a LUN exposed through a vHBA is hotplugged to / unplugged from a VM as a block-type virtual disk (`<disk type="block">`).

      The hotplug succeeds even with SELinux in Enforcing mode, so functionality is not affected. Note, however, that every AVC record below carries `permissive=1` although the host was switched back to enforcing in step 5; this indicates the denials were not actually enforced against virtqemud_t (e.g. the domain being listed as permissive — check `semanage permissive -l`). If that domain were enforcing, the relabel/create/open/lock operations on the device node would be blocked and the hotplug would be expected to fail, so the missing rules should be added to the policy rather than treated as cosmetic.

      Please provide the package NVR for which bug is seen:

      libvirt-10.4.0-1.el10.x86_64
      selinux-policy-40.13.3-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a host with a Fibre Channel HBA card (NPIV-capable, so a vHBA can be created)
      2. Set selinux to permissive mode
        [root@dell-per730-58 ~]# setenforce 0
        
      3. Create vHBA device
        [root@dell-per730-58 ~]# cat nodedev.xml 
        <device>
        	<capability type="scsi_host">
        		<capability type="fc_host">
        			<wwnn>2001f4e9d4eb02c9</wwnn>
        			<wwpn>1000000000000001</wwpn>
                        </capability>
                </capability>
                <parent>scsi_host12</parent>
        </device>
        [root@dell-per730-58 ~]# virsh nodedev-create nodedev.xml 
        Node device scsi_host13 created from nodedev.xml
        
        
      4. Start vm
        [root@dell-per730-58 ~]# virsh start avocado-vt-vm1
        Domain 'avocado-vt-vm1' started
        
      5. Set selinux to enforcing mode
        [root@dell-per730-58 ~]# setenforce 1
        
      6. Hotplug the vHBA device to vm as virtual disk
        [root@dell-per730-58 ~]# cat virtual_disk.xml 
        <disk type="block" device="disk">
            <source dev="/dev/disk/by-path/pci-0000:06:00.1-fc-0x5005076812163b4a-lun-0" />
            <driver name="qemu" type="raw" />
            <target dev="vdb" bus="virtio" />
        </disk>
        
        [root@dell-per730-58 ~]# virsh attach-device avocado-vt-vm1 virtual_disk.xml 
        Device attached successfully
        
      7. Check audit log
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.458:13132): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.458:13132): arch=c000003e syscall=189 success=yes exit=0 a0=7f11ac004c00 a1=7f11c1dd1197 a2=7f11ac00ed90 a3=1e items=0 ppid=242047 pid=263554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.458:13132): avc:  denied  { relabelfrom } for  pid=263554 comm="rpc-virtqemud" name="pci-0000:06:00.1-fc-0x5005076812163b4a-lun-0" dev="tmpfs" ino=17 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.458:13133): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=PATH msg=audit(1719220056.458:13133): item=1 name=(null) inode=18 dev=00:33 mode=060640 ouid=0 ogid=0 rdev=08:30 obj=system_u:object_r:tmpfs_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=PATH msg=audit(1719220056.458:13133): item=0 name=(null) inode=1 dev=00:33 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719220056.458:13133): cwd="/"
        type=SYSCALL msg=audit(1719220056.458:13133): arch=c000003e syscall=259 success=yes exit=0 a0=ffffff9c a1=7f11ac001690 a2=61b0 a3=830 items=2 ppid=242047 pid=263554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.458:13133): avc:  denied  { create } for  pid=263554 comm="rpc-virtqemud" name="sdd" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.458:13134): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.458:13134): arch=c000003e syscall=94 success=yes exit=0 a0=7f11ac001690 a1=0 a2=6 a3=830 items=0 ppid=242047 pid=263554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.458:13134): avc:  denied  { setattr } for  pid=263554 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.458:13135): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.458:13135): arch=c000003e syscall=189 success=yes exit=0 a0=7f11ac001690 a1=7f11c1dd1197 a2=7f11ac00eea0 a3=29 items=0 ppid=242047 pid=263554 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.458:13135): avc:  denied  { relabelfrom } for  pid=263554 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.460:13136): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.460:13136): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f11ac00bce0 a2=2 a3=0 items=0 ppid=242047 pid=263555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.460:13136): avc:  denied  { open } for  pid=263555 comm="rpc-virtqemud" path="/dev/sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        type=AVC msg=audit(1719220056.460:13136): avc:  denied  { read write } for  pid=263555 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.460:13137): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.460:13137): arch=c000003e syscall=72 success=yes exit=0 a0=14 a1=6 a2=7f11bf3ff310 a3=0 items=0 ppid=242047 pid=263555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.460:13137): avc:  denied  { lock } for  pid=263555 comm="rpc-virtqemud" path="/dev/sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.460:13138): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.460:13138): arch=c000003e syscall=188 success=yes exit=0 a0=7f11ac00bce0 a1=7f11ac00cb70 a2=7f11ac00b070 a3=28 items=0 ppid=242047 pid=263555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.460:13138): avc:  denied  { setattr } for  pid=263555 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.460:13139): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.460:13139): arch=c000003e syscall=72 success=yes exit=0 a0=14 a1=6 a2=7f11bf3ff3d0 a3=7f11ac0008e0 items=0 ppid=242047 pid=263555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.460:13139): avc:  denied  { lock } for  pid=263555 comm="rpc-virtqemud" path="/dev/sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c1,c401 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.461:13140): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.461:13140): arch=c000003e syscall=257 success=yes exit=20 a0=ffffff9c a1=7f11ac000e90 a2=2 a3=0 items=0 ppid=242047 pid=263556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.461:13140): avc:  denied  { open } for  pid=263556 comm="rpc-virtqemud" path="/dev/sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c1,c401 tclass=blk_file permissive=1
        type=AVC msg=audit(1719220056.461:13140): avc:  denied  { read write } for  pid=263556 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c1,c401 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 05:07:36 2024
        type=PROCTITLE msg=audit(1719220056.461:13141): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719220056.461:13141): arch=c000003e syscall=188 success=yes exit=0 a0=7f11ac000e90 a1=7f11ac00cb70 a2=7f11ac003380 a3=5 items=0 ppid=242047 pid=263556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
        type=AVC msg=audit(1719220056.461:13141): avc:  denied  { setattr } for  pid=263556 comm="rpc-virtqemud" name="sdd" dev="tmpfs" ino=18 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c1,c401 tclass=blk_file permissive=1
        

      Expected results

      No AVC denied errors

      Actual results

      There are AVC denials when attaching a block-type disk to the VM. From the audit log, virtqemud_t is denied `relabelfrom` on the tmpfs_t lnk_file (the /dev/disk/by-path symlink), `create`/`setattr`/`relabelfrom` on the tmpfs_t blk_file it creates as `sdd`, then `open`/`read`/`write`/`lock`/`setattr` on the same blk_file once it is labeled fixed_disk_device_t and svirt_image_t. All records are on `dev="tmpfs"`, which is consistent with the device node being created in the guest's private /dev namespace rather than the host /dev — the policy fix should cover that path.
