
AVC denied when virtnodedevd works with access_driver=polkit


      What were you trying to do that didn't work?

      After setting `access_drivers = ["polkit"]` for virtnodedevd.service, SELinux logs AVC denials whenever a non-root client is served. Functionality is not affected: the client's request still succeeds. The denied operation is a `write` on sock_file (syscall 42 = connect(2) on x86_64, exit=-13 EACCES) from virtnodedevd_t to the systemd-userdbd Varlink sockets (`io.systemd.DynamicUser`, `io.systemd.Multiplexer`, `io.systemd.Home`, `io.systemd.Machine`, labeled systemd_userdbd_runtime_t) — presumably a user/group lookup made while authorizing the client, which evidently still resolves through other NSS sources. Note that `auth_unix_rw = "none"` disables socket-level authentication, so with this configuration per-API authorization rests entirely on the polkit ACL rules; the denials should be addressed in selinux-policy (allowing virtnodedevd_t to connect to the userdb sockets), not by switching the domain to permissive.

      Please provide the package NVR for which bug is seen:

      libvirt-10.4.0-1.el10.x86_64
      selinux-policy-40.13.3-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Set access_driver to polkit for virtnodedevd
        [root@dell-per730-58 ~]# cat /etc/libvirt/virtnodedevd.conf 
        access_drivers = ["polkit"]
        auth_unix_rw = "none"
        [root@dell-per730-58 ~]# systemctl restart virtnodedevd
        
      2. Create a non-root user
        [root@dell-per730-58 ~]# useradd testacl
        
      3. Connect to virtnodedevd and try to list nodes:
        [root@dell-per730-58 ~]# su - testacl -c '/usr/bin/virsh -c nodedev:///system nodedev-list'
        block_sda_36d09466034d5f90021f164ab18df4006
        block_sdb_360050768128001da5800000000000008
        block_sdc_360050768128001da5800000000000008
        block_sdd_360050768128001da5800000000000009
        block_sde_360050768128001da5800000000000009
        block_sr0_HL_DT_ST_DVD_ROM_DTA0N_KZQHC5E1300
        computer
        ...skipped...
        
      4. Check the audit log for AVC denials (e.g. `ausearch -m avc -ts recent`; the raw ausearch output follows):
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.915:17323): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.915:17323): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff4f0 a2=2d a3=11 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.915:17323): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.DynamicUser" dev="tmpfs" ino=48 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.915:17324): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.915:17324): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff4f0 a2=28 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.915:17324): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Multiplexer" dev="tmpfs" ino=779 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.915:17325): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.915:17325): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff4f0 a2=26 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.915:17325): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Home" dev="tmpfs" ino=1910 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.915:17326): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.915:17326): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff4f0 a2=29 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.915:17326): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Machine" dev="tmpfs" ino=2639 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.915:17327): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.915:17327): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff470 a2=2d a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.915:17327): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.DynamicUser" dev="tmpfs" ino=48 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.916:17328): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.916:17328): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff470 a2=28 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.916:17328): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Multiplexer" dev="tmpfs" ino=779 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.916:17329): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.916:17329): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff470 a2=26 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.916:17329): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Home" dev="tmpfs" ino=1910 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        ----
        time->Tue Jun 25 05:15:49 2024
        type=PROCTITLE msg=audit(1719306949.916:17330): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
        type=SYSCALL msg=audit(1719306949.916:17330): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f22655ff470 a2=29 a3=7f22380008e0 items=0 ppid=1 pid=555535 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtno" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)
        type=AVC msg=audit(1719306949.916:17330): avc:  denied  { write } for  pid=555535 comm="prio-rpc-virtno" name="io.systemd.Machine" dev="tmpfs" ino=2639 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=sock_file permissive=0
        

      Expected results

      No AVC denials are logged for virtnodedevd_t when a non-root client is authorized via the polkit access driver.

      Actual results: the `write` denials on the systemd_userdbd_runtime_t sockets shown in step 4 are logged, even though the nodedev-list request itself succeeds.
