Loading...

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:
- known_issue_100
- virt-selinux

Regression:
Yes
Severity:
Critical
Epic Link:
SELINUX-3594

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Story Points:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Known Issue
Release Note Text:
When using the SELinux Enforcing mode, crypto passthrough won't work.
Release Note Status:
Proposed

Experience:
Architecture:

s390x

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Use mediated devices for vfio_ap (crypto device passthrough to KVM guests)

Please provide the package NVR for which bug is seen:

selinux-policy-40.13.7-1.el10.noarch

How reproducible:

100%

Steps to reproduce

All of the following steps will fail with enforcing. Switch between enforcing and permissive to record each step.

 # cat vfio_ap_nodedev.xml 
<device>
	<!-- same parent device for all -->
	<parent>ap_matrix</parent>
	<capability type="mdev">
		<type id="vfio_ap-passthrough"/>
		<uuid>d36d7d0f-cf3d-4fef-bb9c-ed393954996b</uuid>
		<attr name="assign_adapter" value="0x01"/>
		<attr name="assign_domain" value="0x0012"/>
	</capability>
</device>
# lszcrypt -V
CARD.DOM TYPE  MODE        STATUS     REQUESTS  PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER     
--------------------------------------------------------------------------------------------
01       CEX8C CCA-Coproc  online          172        0     14     08 S--D--N-F- cex4card   
01.0012  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap    
01.0013  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap

virsh define nodedev.xml - libvirt will report a device was defined, let it's name be nodedev
virsh start nodedev
virsh destroy nodedev
virsh undefine nodedev

Expected results

all steps succeed with enforcing

Actual results

each step fails with enforcing but succeeds with permissive

Additional info

Full workflow with nodedev-define nodedev-start nodedev-destroy nodedev-undefine switching between enforcing and permissive

type=DAEMON_ROTATE msg=audit(1723190432.307:1355): op=rotate-logs auid=0 uid=0 ses=4294967295 pid=1 subj=system_u:system_r:init_t:s0 res=success^]AUID="root" UID="root"
type=MAC_STATUS msg=audit(1723190445.667:2994): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190445.667:2994): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffd11f841c a2=1 a3=10 items=0 ppid=782251 pid=788181 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190445.667:2994): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190454.067:2995): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190454.087:2996): avc:  denied  { write } for  pid=788231 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1723190454.087:2996): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffe08f8d10 a2=80241 a3=1b6 items=0 ppid=787654 pid=788231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190454.087:2996): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190463.527:2997): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190463.527:2997): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffe1e78cfc a2=1 a3=10 items=0 ppid=782251 pid=788260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190463.527:2997): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190465.137:2998): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190465.157:2999): avc:  denied  { write } for  pid=788280 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190465.157:2999): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3fffc5787b0 a2=80241 a3=1b6 items=0 ppid=787654 pid=788280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190465.157:2999): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190472.917:3000): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190472.917:3000): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fffd8f8dfc a2=1 a3=10 items=0 ppid=782251 pid=788335 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190472.917:3000): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190482.647:3001): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190482.667:3002): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1723190482.667:3002): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ff9c002d80 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190482.667:3002): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="sysfs" ino=96107 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1723190482.667:3003): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fffa4786f8 a2=80241 a3=1b6 items=1 ppid=787654 pid=788353 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1723190482.667:3003): cwd="/"
type=PATH msg=audit(1723190482.667:3003): item=0 name="/sys/bus/mdev/devices/d36d7d0f-cf3d-4fef-bb9c-ed393954996b/remove" inode=96109 dev=00:16 mode=0100200 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
type=PROCTITLE msg=audit(1723190482.667:3003): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190490.167:3004): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190490.167:3004): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff9a78d6c a2=1 a3=10 items=0 ppid=782251 pid=788408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190490.167:3004): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190492.257:3005): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190492.277:3006): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190492.277:3006): avc:  denied  { open } for  pid=787654 comm="rpc-virtnodedev" path="/dev/vfio/4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1723190492.277:3006): arch=80000016 syscall=288 success=yes exit=20 a0=ffffffffffffff9c a1=3ff7c000bd0 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190492.277:3006): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
type=AVC msg=audit(1723190492.277:3007): avc:  denied  { write } for  pid=788422 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190492.277:3007): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3ffff378548 a2=80241 a3=1b6 items=0 ppid=787654 pid=788422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190492.277:3007): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190497.157:3008): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190497.157:3008): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff607880c a2=1 a3=10 items=0 ppid=782251 pid=788439 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190497.157:3008): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190505.927:3009): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190505.947:3010): avc:  denied  { write } for  pid=788466 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1723190505.947:3010): arch=80000016 syscall=10 success=no exit=-13 a0=3ffec978f78 a1=3ffec978f78 a2=3b a3=3a items=0 ppid=787654 pid=788466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190505.947:3010): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190514.167:3011): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190514.167:3011): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffc06f882c a2=1 a3=10 items=0 ppid=782251 pid=788514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190514.167:3011): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190516.697:3012): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190516.707:3013): avc:  denied  { write } for  pid=788524 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc:  denied  { remove_name } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc:  denied  { unlink } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190516.707:3013): arch=80000016 syscall=10 success=yes exit=0 a0=3ffe4679538 a1=3ffe4679538 a2=3b a3=3a items=0 ppid=787654 pid=788524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190516.707:3013): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662

is related to

RHEL-39890 Can't create vfio-ap passthrough setup

Release Pending

links to

IBM Bug 208827

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Additional info

Attachments

Issue Links

Activity

People

Dates