Project: RHEL
Issue: RHEL-44637

AVC denied when creating scsi type storage pool

    Labels: sst_security_selinux, ssg_security

      What were you trying to do that didn't work?

      Create an scsi type storage pool: there are AVC denied errors in the audit log, while the pool creation succeeds.
      Functionality is not affected.

      Please provide the package NVR for which the bug is seen:

      libvirt-10.4.0-1.el10.x86_64
      selinux-policy-40.13.3-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a host with HBA card
      2. Set selinux to enforcing mode
        # setenforce 1
        
      3. Create scsi type storage pool based on the HBA card:
        <pool type='scsi'>
          <name>virt-test-pool</name>
          <uuid>7c33c2d0-9383-428a-b88a-61b1d5cf255f</uuid>
          <capacity unit='bytes'>0</capacity>
          <allocation unit='bytes'>0</allocation>
          <available unit='bytes'>0</available>
          <source>
            <adapter type='fc_host' managed='yes' wwnn='2001f4e9d4eb02c9' wwpn='1000000000000001'/>
          </source>
          <target>
            <path>/dev/disk/by-path</path>
          </target>
        </pool>
        
        [root@dell-per730-58 ~]# virsh pool-create virt-test-pool.xml 
        Pool virt-test-pool created from virt-test-pool.xml
        
      4. Check audit log
        [root@dell-per730-58 ~]# ausearch -m avc -ts recent
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.381:13978): proctitle=2F7573722F7362696E2F7669727473746F7261676564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719223863.381:13978): arch=c000003e syscall=257 success=yes exit=19 a0=ffffff9c a1=7f5f00001c50 a2=201 a3=0 items=0 ppid=1 pid=291144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtstorage" exe="/usr/sbin/virtstoraged" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.381:13978): avc:  denied  { write } for  pid=291144 comm="rpc-virtstorage" name="vport_create" dev="sysfs" ino=45743 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.387:13979): proctitle=2F7573722F7362696E2F7669727473746F7261676564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719223863.387:13979): arch=c000003e syscall=21 success=yes exit=0 a0=7f5f00000fc8 a1=1 a2=9 a3=7f5f000008e0 items=0 ppid=1 pid=291144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtstorage" exe="/usr/sbin/virtstoraged" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.387:13979): avc:  denied  { execute } for  pid=291144 comm="rpc-virtstorage" name="udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.389:13980): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719223863.389:13980): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=67110910 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719223863.389:13980): cwd="/"
        type=EXECVE msg=audit(1719223863.389:13980): argc=2 a0="/usr/sbin/udevadm" a1="settle"
        type=SYSCALL msg=audit(1719223863.389:13980): arch=c000003e syscall=59 success=yes exit=0 a0=7f5f00002450 a1=7f5f00002490 a2=7ffffb6605d8 a3=7f5f000008e0 items=1 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.389:13980): avc:  denied  { map } for  pid=291297 comm="udevadm" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719223863.389:13980): avc:  denied  { execute_no_trans } for  pid=291297 comm="rpc-virtstorage" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13981): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.394:13981): arch=c000003e syscall=9 success=yes exit=140214649339904 a0=0 a1=1000 a2=1 a3=1 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13981): avc:  denied  { map } for  pid=291297 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13982): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719223863.394:13982): item=0 name="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" inode=69417026 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:file_context_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719223863.394:13982): cwd="/"
        type=SYSCALL msg=audit(1719223863.394:13982): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=562f105d7bb0 a2=80000 a3=0 items=1 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13982): avc:  denied  { open } for  pid=291297 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=69417026 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719223863.394:13982): avc:  denied  { read } for  pid=291297 comm="udevadm" name="file_contexts.subs_dist" dev="dm-0" ino=69417026 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719223863.394:13982): avc:  denied  { search } for  pid=291297 comm="udevadm" name="files" dev="dm-0" ino=67116207 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
        type=AVC msg=audit(1719223863.394:13982): avc:  denied  { search } for  pid=291297 comm="udevadm" name="contexts" dev="dm-0" ino=7538 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13983): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.394:13983): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffcc04d2a60 a2=8 a3=0 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13983): avc:  denied  { getattr } for  pid=291297 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" dev="dm-0" ino=69417026 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13984): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.394:13984): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7ffcc04d0c50 a2=7ffcc04d1dc8 a3=0 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13984): avc:  denied  { getattr } for  pid=291297 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts" dev="dm-0" ino=71057019 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13985): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.394:13985): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffcc04d1ef0 a2=80000 a3=0 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13985): avc:  denied  { open } for  pid=291297 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="dm-0" ino=71057021 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1719223863.394:13985): avc:  denied  { read } for  pid=291297 comm="udevadm" name="file_contexts.bin" dev="dm-0" ino=71057021 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.394:13986): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.394:13986): arch=c000003e syscall=9 success=yes exit=140214632853504 a0=0 a1=90188 a2=1 a3=2 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.394:13986): avc:  denied  { map } for  pid=291297 comm="udevadm" path="/etc/selinux/targeted/contexts/files/file_contexts.bin" dev="dm-0" ino=71057021 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.396:13987): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=PATH msg=audit(1719223863.396:13987): item=0 name="/proc/1/root" inode=128 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
        type=CWD msg=audit(1719223863.396:13987): cwd="/"
        type=SYSCALL msg=audit(1719223863.396:13987): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f864430d549 a2=7ffcc04d4080 a3=0 items=1 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.396:13987): avc:  denied  { read } for  pid=291297 comm="udevadm" name="root" dev="proc" ino=7189 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.397:13988): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.397:13988): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=562f105d9e20 a2=14 a3=b items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.397:13988): avc:  denied  { connectto } for  pid=291297 comm="udevadm" path="/run/udev/control" scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
        type=AVC msg=audit(1719223863.397:13988): avc:  denied  { write } for  pid=291297 comm="udevadm" name="control" dev="tmpfs" ino=778 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file permissive=1
        ----
        time->Mon Jun 24 06:11:03 2024
        type=PROCTITLE msg=audit(1719223863.397:13989): proctitle=2F7573722F7362696E2F7564657661646D00736574746C65
        type=SYSCALL msg=audit(1719223863.397:13989): arch=c000003e syscall=254 success=yes exit=1 a0=5 a1=7ffcc04d3f90 a2=200 a3=0 items=0 ppid=291144 pid=291297 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223863.397:13989): avc:  denied  { watch } for  pid=291297 comm="udevadm" path="/run/udev" dev="tmpfs" ino=56 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
        ----
        time->Mon Jun 24 06:11:08 2024
        type=PROCTITLE msg=audit(1719223868.412:13990): proctitle=2F7573722F7362696E2F7669727473746F7261676564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719223868.412:13990): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f5f00000b90 a2=7f5f08bff870 a3=0 items=0 ppid=1 pid=291144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="scsi-refresh" exe="/usr/sbin/virtstoraged" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223868.412:13990): avc:  denied  { getattr } for  pid=291144 comm="scsi-refresh" path="/dev/sda" dev="devtmpfs" ino=440 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 06:11:08 2024
        type=PROCTITLE msg=audit(1719223868.412:13991): proctitle=2F7573722F7362696E2F7669727473746F7261676564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719223868.412:13991): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7f5f00000b90 a2=7f5f08bff870 a3=0 items=0 ppid=1 pid=291144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="scsi-refresh" exe="/usr/sbin/virtstoraged" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223868.412:13991): avc:  denied  { getattr } for  pid=291144 comm="scsi-refresh" path="/dev/sr0" dev="devtmpfs" ino=479 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 06:11:08 2024
        type=PROCTITLE msg=audit(1719223868.412:13992): proctitle=2F7573722F7362696E2F7669727473746F7261676564002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719223868.412:13992): arch=c000003e syscall=257 success=yes exit=19 a0=ffffff9c a1=7f5ebc029cd0 a2=900 a3=0 items=0 ppid=1 pid=291144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="scsi-refresh" exe="/usr/sbin/virtstoraged" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223868.412:13992): avc:  denied  { open } for  pid=291144 comm="scsi-refresh" path="/dev/sde" dev="devtmpfs" ino=3830 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        type=AVC msg=audit(1719223868.412:13992): avc:  denied  { read } for  pid=291144 comm="scsi-refresh" name="sde" dev="devtmpfs" ino=3830 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 06:11:08 2024
        type=PROCTITLE msg=audit(1719223868.417:13993): proctitle=2F6C69622F756465762F736373695F6964002D2D7265706C6163652D77686974657370616365002D2D77686974656C6973746564002D2D6578706F7274002D2D646576696365002F6465762F6469736B2F62792D706174682F7063692D303030303A30363A30302E312D66632D3078353030353037363831323136336234622D
        type=SYSCALL msg=audit(1719223868.417:13993): arch=c000003e syscall=16 success=no exit=-22 a0=3 a1=2285 a2=7ffda38e5a20 a3=0 items=0 ppid=291144 pid=291360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="scsi_id" exe="/usr/lib/udev/scsi_id" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223868.417:13993): avc:  denied  { ioctl } for  pid=291360 comm="scsi_id" path="/dev/sde" dev="devtmpfs" ino=3830 ioctlcmd=0x2285 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
        ----
        time->Mon Jun 24 06:11:08 2024
        type=PROCTITLE msg=audit(1719223868.417:13994): proctitle=2F6C69622F756465762F736373695F6964002D2D7265706C6163652D77686974657370616365002D2D77686974656C6973746564002D2D6578706F7274002D2D646576696365002F6465762F6469736B2F62792D706174682F7063692D303030303A30363A30302E312D66632D3078353030353037363831323136336234622D
        type=SYSCALL msg=audit(1719223868.417:13994): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=2285 a2=7ffda38e59c0 a3=0 items=0 ppid=291144 pid=291360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="scsi_id" exe="/usr/lib/udev/scsi_id" subj=system_u:system_r:virtstoraged_t:s0 key=(null)
        type=AVC msg=audit(1719223868.417:13994): avc:  denied  { sys_rawio } for  pid=291360 comm="scsi_id" capability=17  scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:system_r:virtstoraged_t:s0 tclass=capability permissive=1
        
        

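      The denials recorded in step 4, triaged with an added example that is not part of the report and not code from libvirt or selinux-policy: it merges the AVC records per source type, target type and object class into candidate allow rules the way audit2allow does, and counts how many of them were actually enforced. The sample records are constructed by excerpting lines from the audit log above.

```python
import re
from collections import defaultdict

# Pull the fields of a type=AVC record that matter for policy triage.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample: records excerpted verbatim from the audit log in step 4 of the report.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1719223863.389:13980): argc=2 a0="/usr/sbin/udevadm" a1="settle"
type=AVC msg=audit(1719223863.381:13978): avc:  denied  { write } for  pid=291144 comm="rpc-virtstorage" name="vport_create" dev="sysfs" ino=45743 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719223863.387:13979): avc:  denied  { execute } for  pid=291144 comm="rpc-virtstorage" name="udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719223863.389:13980): avc:  denied  { map } for  pid=291297 comm="udevadm" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719223863.389:13980): avc:  denied  { execute_no_trans } for  pid=291297 comm="rpc-virtstorage" path="/usr/bin/udevadm" dev="dm-0" ino=67116487 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1719223863.397:13988): avc:  denied  { connectto } for  pid=291297 comm="udevadm" path="/run/udev/control" scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1719223868.417:13994): avc:  denied  { sys_rawio } for  pid=291360 comm="scsi_id" capability=17  scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:system_r:virtstoraged_t:s0 tclass=capability permissive=1
"""

def parse_avc(line):
    """Parse one audit line; return None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The type is the third field of a user:role:type[:range] security context.
    return {
        "perms": set(m.group("perms").split()),
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1 means the kernel logged the denial but let the operation through.
        "enforced": m.group("permissive") == "0",
    }

def summarize(lines):
    """Merge denials per (source, target, class) as audit2allow does; count enforced records."""
    rules = defaultdict(set)
    enforced = total = 0
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        total += 1
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        enforced += d["enforced"]
    return dict(rules), enforced, total

def to_policy_lines(rules):
    """Render merged denials as allow rules for review, writing 'self' where target == source."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = "self" if tgt == src else tgt
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    rules, enforced, total = summarize(SAMPLE_LOG.splitlines())
    print("\n".join(to_policy_lines(rules)) + f"\n{enforced}/{total} AVC records were enforced")
```

      Every record in the log carries permissive=1 and its SYSCALL record shows success=yes, so the kernel only logged the denials and the operations went through, which matches the report's note that functionality is unaffected; the rendered rules are input for reviewing the policy's existing interfaces, not something to load as-is.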
      Expected results

      No AVC denied errors

      Actual results

      People: Zdenek Pytela (rhn-support-zpytela), Fangge Jin (rhn-support-fjin), SSG Security QE