RHEL-50377

[SPR-EE] selinux prevent qatlib to chown

    • selinux-policy-40.13.7-1.el10
    • rhel-sst-security-selinux
    • ssg_security
    • 25
    • SELinux policy allows the execution of chown and chmod commands as listed in the /usr/sbin/qat_init.sh. The qatlib service starts and runs successfully on special purpose HW.
    • Pass
    • Unspecified Release Note Type - Unknown

      What were you trying to do that didn't work?

      Start the qat service on an SPR-EE system; the AVC error then comes up.

      Please provide the package NVR for which bug is seen:

      hardware - Dell Inc. PowerEdge R760 (SKU=0A6B;ModelName=PowerEdge R760)
      Intel(R) Xeon(R) Gold 6438Y+

      kernel-6.10.0-15.el10.x86_64

      [root@netqe01 ~]# rpm -qa |grep selinux
      libselinux-3.7-2.el10.x86_64
      libselinux-utils-3.7-2.el10.x86_64
      python3-libselinux-3.7-2.el10.x86_64
      selinux-policy-40.13.5-1.el10.noarch
      selinux-policy-targeted-40.13.5-1.el10.noarch
      rpm-plugin-selinux-4.19.1.1-1.el10.x86_64

      ##lsmod |grep  qat
      qat_4xxx               20480  0
      intel_qat             520192  1 qat_4xxx
      crc8                   12288  1 intel_qat

      How reproducible:

      5/5

      Steps to reproduce

      1. Set up hugepages and intel_iommu=on,sm_on before starting qat.

      2. Install some packages:

      dnf install -y git autoconf automake libtool zlib-devel qatengine
      dnf install -y qatlib
      dnf install -y openssl-devel 
      ###then start qat
      systemctl start qat

      Expected results

      There is no AVC error.

      Actual results

      Check the /var/log/audit.log; there is an AVC error:


      type=AVC msg=audit(1721808223.923:176): avc:  denied  { read } for  pid=4215 comm="chown" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1721808223.923:176): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0a71193250 a2=90800 a3=0 items=0 ppid=4152 pid=4215 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:qatlib_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="qat" EUID="root" SUID="root" FSUID="root" EGID="qat" SGID="qat" FSGID="qat"
      type=PROCTITLE msg=audit(1721808223.923:176): proctitle=63686F776E003A716174002F6465762F7666696F2F323939
      type=AVC msg=audit(1721808223.923:177): avc:  denied  { read } for  pid=4215 comm="chown" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0 
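An added example, not part of this report or of the selinux-policy project: a small Python script that parses the audit records quoted above (embedded verbatim as constructed input so it runs offline) and groups the denied AVCs into the (source type, target type, class) -> permissions summary that audit2allow builds before it prints a proposed rule. It also joins each AVC to the SYSCALL record with the same serial to recover the executable and the syscall result. The function names `parse_records`, `summarize_denials` and `proposed_rules` are assumptions of this example, not part of any tool.

```python
"""Summarize SELinux AVC denials from raw audit.log records (added example)."""
import re

# Constructed input: the audit records quoted in this report, copied verbatim.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1721808223.923:176): avc:  denied  { read } for  pid=4215 comm="chown" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1721808223.923:176): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f0a71193250 a2=90800 a3=0 items=0 ppid=4152 pid=4215 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="chown" exe="/usr/bin/chown" subj=system_u:system_r:qatlib_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="qat" EUID="root" SUID="root" FSUID="root" EGID="qat" SGID="qat" FSGID="qat"
type=PROCTITLE msg=audit(1721808223.923:176): proctitle=63686F776E003A716174002F6465762F7666696F2F323939
type=AVC msg=audit(1721808223.923:177): avc:  denied  { read } for  pid=4215 comm="chown" name="userdb" dev="tmpfs" ino=47 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn `key=value key="quoted value"` runs into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_records(text):
    """Yield one dict per audit record: type, ts, serial plus the record's fields."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {'type': m['type'], 'ts': m['ts'], 'serial': int(m['serial'])}
        body = m['body']
        if rec['type'] == 'AVC':
            a = AVC_RE.match(body)
            if not a:
                continue
            rec['decision'] = a['decision']
            rec['perms'] = set(a['perms'].split())
            rec.update(parse_kv(a['fields']))
        else:
            rec.update(parse_kv(body))
        yield rec


def context_type(ctx):
    """user:role:type:level -> type, the component allow rules are written against."""
    return ctx.split(':')[2]


def summarize_denials(text):
    """Group denied AVCs by (source type, target type, class) and attach the
    exe and syscall result from the SYSCALL record sharing the same serial."""
    records = list(parse_records(text))
    syscalls = {r['serial']: r for r in records if r['type'] == 'SYSCALL'}
    summary = {}
    for r in records:
        if r['type'] != 'AVC' or r['decision'] != 'denied':
            continue
        key = (context_type(r['scontext']), context_type(r['tcontext']), r['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'events': 0, 'enforced': True,
                                         'comm': set(), 'exe': set(), 'syscalls': set()})
        entry['perms'] |= r['perms']
        entry['events'] += 1
        # permissive=0 means the denial was actually enforced, not just logged
        entry['enforced'] &= r.get('permissive') == '0'
        entry['comm'].add(r.get('comm', '?'))
        sc = syscalls.get(r['serial'])
        if sc:
            entry['exe'].add(sc.get('exe', '?'))
            entry['syscalls'].add(f"{sc.get('SYSCALL', sc.get('syscall'))} exit={sc.get('exit')}")
    return summary


def proposed_rules(summary):
    """Render each denial group as the allow rule audit2allow would print."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
            for (s, t, c), e in sorted(summary.items())]


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT)
    for (s, t, c), e in summary.items():
        mode = 'enforcing' if e['enforced'] else 'permissive'
        print(f"{s} -> {t}:{c} {sorted(e['perms'])} events={e['events']} ({mode}) "
              f"comm={sorted(e['comm'])} exe={sorted(e['exe'])} {sorted(e['syscalls'])}")
    for rule in proposed_rules(summary):
        print(rule)
```

On the records above this yields a single group: qatlib_t wanting read on a systemd_userdbd_runtime_t directory, enforced (permissive=0), triggered by /usr/bin/chown's openat failing with exit=-13 (EACCES), which is the lookup chown does through the systemd userdb when resolving the qat user or group. The rendered rule is a diagnostic, not a recommendation to ship a local module: whether the distribution policy should grant the access or the service script should avoid it is the policy maintainers' call, and the fix version listed at the top of this issue is where that decision landed.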

       

              rhn-support-zpytela Zdenek Pytela
              rh-ee-jiqiu Jiying Qiu
              Zdenek Pytela
              Milos Malik