Bug
Resolution: Unresolved
Major
rhel-10.0.beta
selinux-policy-40.13.24-1.el10
Yes
Critical
3
rhel-sst-security-selinux
ssg_security
25
3
False
No
SELINUX 241127 - 241218, SELINUX 250129: 1, SELINUX 250219: 2
Unspecified Release Note Type - Unknown
None
What were you trying to do that didn't work?
VM migration fails with an SSH desturi when SELinux is enabled.
Please provide the package NVR for which bug is seen:
libvirt-10.5.0-5.el10.x86_64
qemu-kvm-9.0.0-6.el10.x86_64
selinux-policy-40.13.7-1.el10.noarch
swtpm-0.9.0-2.el10.x86_64
swtpm-selinux-0.9.0-2.el10.noarch
How reproducible:
100%
Steps to reproduce:
1. Prepare the source host and target host, and copy the source host's SSH public key to the target host.
2. Prepare a VM on the source host. Start the VM.
3. Prepare the port.
# firewall-cmd --add-port=49152/tcp --zone=public --permanent
# firewall-cmd --reload
4. Migrate the VM.
# virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain avocado-vt-vm1 --desturi qemu+ssh://{target ip}/system
error: Cannot recv data: libvirt: error : cannot execute binary ssh: Permission denied: Connection reset by peer
5. No AVC denial is reported, but the migration completes successfully when SELinux is in permissive mode.
Expected results:
VM migration succeeds.
Actual results:
VM migration fails.
Additional info:
In permissive mode, VM migration succeeds.
# getenforce
Permissive
# virsh -c 'qemu:///system' migrate --live --p2p --verbose --domain avocado-vt-vm1 --desturi qemu+ssh://{target ip}/system
Migration: [100.00 %]
Links to: RHBA-2024:140162 selinux-policy bug fix and enhancement update
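
The report notes that no AVC denial is logged even though the failure disappears in permissive mode; one common cause of that pattern is a dontaudit rule. As an added example (not part of the original report), this script temporarily disables dontaudit rules with `semodule -DB` and summarizes denials that involve `ssh`; the sample records, including the `virtqemud_t` and `ssh_exec_t` types, are constructed for illustration and are not a diagnosis of this bug.

```shell
#!/bin/sh
# Added example: list SELinux denials that involve the ssh binary.

# Constructed audit records (not from the report); the types are assumed.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:510): avc:  denied  { execute } for  pid=4101 comm="rpc-virtqemud" name="ssh" dev="dm-0" ino=33571 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000042.202:544): avc:  denied  { execute } for  pid=4188 comm="rpc-virtqemud" name="ssh" dev="dm-0" ino=33571 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000050.303:560): avc:  denied  { read } for  pid=900 comm="chronyd" name="chrony.conf" dev="dm-0" ino=777 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000050.303:560): arch=c000003e syscall=257 success=no exit=-13 comm="chronyd"
EOF
}

# stdin: raw audit records. stdout: one line per unique denial touching ssh,
# formatted "source context -> target context : class { permissions }".
ssh_avc_summary() {
    grep -E 'avc: +denied' |
    grep -E '(comm|name)="ssh"|path="[^"]*/ssh"' |
    sed -E 's/.*denied +\{ ([^}]*) \}.*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 -> \3 : \4 { \1 }/' |
    sort -u
}

# Live collection (run as root on the source host). dontaudit rules hide
# denials from the audit log, so rebuild the policy without them, reproduce
# the failure, read the last 10 minutes of AVCs, then restore the policy.
collect_hidden_denials() {
    semodule -DB || return 1
    printf 'Reproduce the failing migration, then press Enter: '
    read -r reply
    ausearch -m AVC,USER_AVC -ts recent 2>/dev/null | ssh_avc_summary
    semodule -B
}

# Offline demonstration on the constructed records above.
sample_audit_lines | ssh_avc_summary
```

On an affected host, call `collect_hidden_denials` as root; it restores the normal policy with `semodule -B` after printing the summary.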