RHEL-54302

Can't use vfio-ap devices with selinux enabled

    • Critical
    • sst_security_selinux
    • ssg_security
    • Red Hat Enterprise Linux
    • s390x

      What were you trying to do that didn't work?

      Use mediated devices for vfio_ap (crypto device passthrough to KVM guests)

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13.7-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      All of the following steps will fail with enforcing. Switch between enforcing and permissive to record each step.

      1.  # cat vfio_ap_nodedev.xml 
        <device>
        	<!-- same parent device for all -->
        	<parent>ap_matrix</parent>
        	<capability type="mdev">
        		<type id="vfio_ap-passthrough"/>
        		<uuid>d36d7d0f-cf3d-4fef-bb9c-ed393954996b</uuid>
        		<attr name="assign_adapter" value="0x01"/>
        		<attr name="assign_domain" value="0x0012"/>
        	</capability>
        </device>
        # lszcrypt -V
        CARD.DOM TYPE  MODE        STATUS     REQUESTS  PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER     
        --------------------------------------------------------------------------------------------
        01       CEX8C CCA-Coproc  online          172        0     14     08 S--D--N-F- cex4card   
        01.0012  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap    
        01.0013  CEX8C CCA-Coproc  unassigned        -        -     14     08 S--D--N-F- vfio_ap    
      2.  virsh define nodedev.xml - libvirt will report a device was defined, let its name be nodedev
      3.  virsh start nodedev
      4.  virsh destroy nodedev
      5.  virsh undefine nodedev

      Expected results

      all steps succeed with enforcing

      Actual results

      each step fails with enforcing but succeeds with permissive

      Additional info

      Full workflow with nodedev-define, nodedev-start, nodedev-destroy and nodedev-undefine, switching between enforcing and permissive:

      type=DAEMON_ROTATE msg=audit(1723190432.307:1355): op=rotate-logs auid=0 uid=0 ses=4294967295 pid=1 subj=system_u:system_r:init_t:s0 res=success^]AUID="root" UID="root"
      type=MAC_STATUS msg=audit(1723190445.667:2994): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190445.667:2994): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffd11f841c a2=1 a3=10 items=0 ppid=782251 pid=788181 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190445.667:2994): proctitle=736574656E666F7263650031
      type=USER_MAC_STATUS msg=audit(1723190454.067:2995): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190454.087:2996): avc:  denied  { write } for  pid=788231 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1723190454.087:2996): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffe08f8d10 a2=80241 a3=1b6 items=0 ppid=787654 pid=788231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190454.087:2996): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
      type=MAC_STATUS msg=audit(1723190463.527:2997): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190463.527:2997): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffe1e78cfc a2=1 a3=10 items=0 ppid=782251 pid=788260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190463.527:2997): proctitle=736574656E666F7263650030
      type=USER_MAC_STATUS msg=audit(1723190465.137:2998): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190465.157:2999): avc:  denied  { write } for  pid=788280 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      type=SYSCALL msg=audit(1723190465.157:2999): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3fffc5787b0 a2=80241 a3=1b6 items=0 ppid=787654 pid=788280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190465.157:2999): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
      type=MAC_STATUS msg=audit(1723190472.917:3000): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190472.917:3000): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fffd8f8dfc a2=1 a3=10 items=0 ppid=782251 pid=788335 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190472.917:3000): proctitle=736574656E666F7263650031
      type=USER_MAC_STATUS msg=audit(1723190482.647:3001): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190482.667:3002): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
      type=SYSCALL msg=audit(1723190482.667:3002): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ff9c002d80 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190482.667:3002): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
      type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="sysfs" ino=96107 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
      type=SYSCALL msg=audit(1723190482.667:3003): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fffa4786f8 a2=80241 a3=1b6 items=1 ppid=787654 pid=788353 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=CWD msg=audit(1723190482.667:3003): cwd="/"
      type=PATH msg=audit(1723190482.667:3003): item=0 name="/sys/bus/mdev/devices/d36d7d0f-cf3d-4fef-bb9c-ed393954996b/remove" inode=96109 dev=00:16 mode=0100200 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
      type=PROCTITLE msg=audit(1723190482.667:3003): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
      type=MAC_STATUS msg=audit(1723190490.167:3004): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190490.167:3004): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff9a78d6c a2=1 a3=10 items=0 ppid=782251 pid=788408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190490.167:3004): proctitle=736574656E666F7263650030
      type=USER_MAC_STATUS msg=audit(1723190492.257:3005): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190492.277:3006): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
      type=AVC msg=audit(1723190492.277:3006): avc:  denied  { open } for  pid=787654 comm="rpc-virtnodedev" path="/dev/vfio/4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
      type=SYSCALL msg=audit(1723190492.277:3006): arch=80000016 syscall=288 success=yes exit=20 a0=ffffffffffffff9c a1=3ff7c000bd0 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190492.277:3006): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
      type=AVC msg=audit(1723190492.277:3007): avc:  denied  { write } for  pid=788422 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      type=SYSCALL msg=audit(1723190492.277:3007): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3ffff378548 a2=80241 a3=1b6 items=0 ppid=787654 pid=788422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190492.277:3007): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
      type=MAC_STATUS msg=audit(1723190497.157:3008): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190497.157:3008): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff607880c a2=1 a3=10 items=0 ppid=782251 pid=788439 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190497.157:3008): proctitle=736574656E666F7263650031
      type=USER_MAC_STATUS msg=audit(1723190505.927:3009): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190505.947:3010): avc:  denied  { write } for  pid=788466 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
      type=SYSCALL msg=audit(1723190505.947:3010): arch=80000016 syscall=10 success=no exit=-13 a0=3ffec978f78 a1=3ffec978f78 a2=3b a3=3a items=0 ppid=787654 pid=788466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190505.947:3010): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
      type=MAC_STATUS msg=audit(1723190514.167:3011): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
      type=SYSCALL msg=audit(1723190514.167:3011): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffc06f882c a2=1 a3=10 items=0 ppid=782251 pid=788514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190514.167:3011): proctitle=736574656E666F7263650030
      type=USER_MAC_STATUS msg=audit(1723190516.697:3012): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
      type=AVC msg=audit(1723190516.707:3013): avc:  denied  { write } for  pid=788524 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1723190516.707:3013): avc:  denied  { remove_name } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1723190516.707:3013): avc:  denied  { unlink } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
      type=SYSCALL msg=audit(1723190516.707:3013): arch=80000016 syscall=10 success=yes exit=0 a0=3ffe4679538 a1=3ffe4679538 a2=3b a3=3a items=0 ppid=787654 pid=788524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1723190516.707:3013): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
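The audit trail above repeats one pattern at every step: with enforcing=1 the first AVC denial makes the openat/unlink fail (exit=-13), while the permissive=1 run of the same step records every denial the operation needs (for instance read and then open on /dev/vfio/4, or write, remove_name and unlink under etc_t). The script below is an added example, not part of this report and not selinux-policy or libvirt code: it parses raw AVC records (a constructed, abridged copy of the denials above is embedded as sample input), groups them into (source type, target type, class) -> permissions, lists which commands were blocked in enforcing mode, and renders the result as allow rules in the style audit2allow prints. The rules are a review aid for reading the gap; whether they belong in policy, or whether the sysfs nodes and the etc_t directory mdevctl unlinks from should carry a more specific label, is a decision for the policy maintainers that the script does not make.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied in shape from the report above
# (mdevctl and virtnodedevd denials, both enforcing and permissive runs).
# The SYSCALL line is abridged to a few fields; the parser ignores it anyway.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1723190454.087:2996): avc:  denied  { write } for  pid=788231 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1723190454.087:2996): arch=80000016 syscall=288 success=no exit=-13 comm="mdevctl" exe="/usr/sbin/mdevctl"
type=AVC msg=audit(1723190482.667:3002): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="sysfs" ino=96107 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723190482.667:3003): avc:  denied  { write } for  pid=788353 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1723190492.277:3006): avc:  denied  { read } for  pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190492.277:3006): avc:  denied  { open } for  pid=787654 comm="rpc-virtnodedev" path="/dev/vfio/4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190505.947:3010): avc:  denied  { write } for  pid=788466 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723190516.707:3013): avc:  denied  { remove_name } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc:  denied  { unlink } for  pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# Matches the raw (non-interpreted) AVC record layout the kernel emits.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)


def type_of(context):
    """Return the type (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per AVC denial record; SYSCALL, PATH etc. are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            yield rec


def summarize(text):
    """Group denials by (source type, target type, class) -> sorted permissions.

    permissive=1 records are kept on purpose: SELinux logs them without
    blocking, so they expose the denials an enforcing run never gets to."""
    rules = defaultdict(set)
    for rec in parse_avc(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}


def blocked_steps(text):
    """(comm, class, permission) triples that actually failed in enforcing mode."""
    return sorted({(rec["comm"], rec["tclass"], p)
                   for rec in parse_avc(text) if rec["permissive"] == "0"
                   for p in rec["perms"]})


def draft_te_rules(text):
    """Render the summary as type-enforcement allow rules (audit2allow style).

    Review aid only: it says what is missing, not whether a plain allow on
    sysfs_t / etc_t is the right fix or a more specific label is."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summarize(text).items())]


if __name__ == "__main__":
    for rule in draft_te_rules(SAMPLE_AUDIT):
        print(rule)
    for comm, tclass, perm in blocked_steps(SAMPLE_AUDIT):
        print(f"enforcing denied: {comm} needs {perm} on {tclass}")
```

On a live host the same functions can be fed the output of `ausearch -m AVC --raw` instead of the embedded sample; the point of keeping permissive=1 records is visible in the sample itself, where the enforcing run of nodedev-start only shows the read denial on /dev/vfio/4 and the permissive run adds the open that follows it.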


            rhn-support-zpytela Zdenek Pytela
            smitterl@redhat.com Sebastian Mitterle
            IBM Confidential Group
            Zdenek Pytela
            SSG Security QE