- Bug
- Resolution: Unresolved
- Major
- rhel-10.0.beta
- Yes
- Critical
- rhel-sst-security-selinux
- ssg_security
- 3
- False
- Yes
- Red Hat Enterprise Linux
- None
- None
- None
- Known Issue
- When using the SELinux Enforcing mode, crypto passthrough won't work.
- Proposed
- s390x
- None
What were you trying to do that didn't work?
Use mediated devices for vfio_ap (crypto device passthrough to KVM guests)
Please provide the package NVR for which bug is seen:
selinux-policy-40.13.7-1.el10.noarch
How reproducible:
100%
Steps to reproduce
All of the following steps will fail with enforcing. Switch between enforcing and permissive to record each step.
# cat vfio_ap_nodedev.xml
<device>
  <!-- same parent device for all -->
  <parent>ap_matrix</parent>
  <capability type="mdev">
    <type id="vfio_ap-passthrough"/>
    <uuid>d36d7d0f-cf3d-4fef-bb9c-ed393954996b</uuid>
    <attr name="assign_adapter" value="0x01"/>
    <attr name="assign_domain" value="0x0012"/>
  </capability>
</device>
# lszcrypt -V
CARD.DOM TYPE  MODE       STATUS     REQUESTS PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER
--------------------------------------------------------------------------------------------
01       CEX8C CCA-Coproc online     172      0       14     08     S--D--N-F- cex4card
01.0012  CEX8C CCA-Coproc unassigned -        -       14     08     S--D--N-F- vfio_ap
01.0013  CEX8C CCA-Coproc unassigned -        -       14     08     S--D--N-F- vfio_ap
- virsh define nodedev.xml - libvirt will report a device was defined, let its name be nodedev
- virsh start nodedev
- virsh destroy nodedev
- virsh undefine nodedev
Expected results
all steps succeed with enforcing
Actual results
each step fails with enforcing but succeeds with permissive
Additional info
Full workflow with nodedev-define nodedev-start nodedev-destroy nodedev-undefine switching between enforcing and permissive
type=DAEMON_ROTATE msg=audit(1723190432.307:1355): op=rotate-logs auid=0 uid=0 ses=4294967295 pid=1 subj=system_u:system_r:init_t:s0 res=success^]AUID="root" UID="root"
type=MAC_STATUS msg=audit(1723190445.667:2994): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190445.667:2994): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffd11f841c a2=1 a3=10 items=0 ppid=782251 pid=788181 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190445.667:2994): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190454.067:2995): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190454.087:2996): avc: denied { write } for pid=788231 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1723190454.087:2996): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffe08f8d10 a2=80241 a3=1b6 items=0 ppid=787654 pid=788231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190454.087:2996): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190463.527:2997): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190463.527:2997): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffe1e78cfc a2=1 a3=10 items=0 ppid=782251 pid=788260 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190463.527:2997): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190465.137:2998): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190465.157:2999): avc: denied { write } for pid=788280 comm="mdevctl" name="create" dev="sysfs" ino=94194 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190465.157:2999): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3fffc5787b0 a2=80241 a3=1b6 items=0 ppid=787654 pid=788280 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190465.157:2999): proctitle=6D64657663746C007374617274002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190472.917:3000): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190472.917:3000): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fffd8f8dfc a2=1 a3=10 items=0 ppid=782251 pid=788335 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190472.917:3000): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190482.647:3001): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190482.667:3002): avc: denied { read } for pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1723190482.667:3002): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ff9c002d80 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190482.667:3002): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
type=AVC msg=audit(1723190482.667:3003): avc: denied { write } for pid=788353 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="sysfs" ino=96107 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723190482.667:3003): avc: denied { write } for pid=788353 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1723190482.667:3003): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3fffa4786f8 a2=80241 a3=1b6 items=1 ppid=787654 pid=788353 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1723190482.667:3003): cwd="/"
type=PATH msg=audit(1723190482.667:3003): item=0 name="/sys/bus/mdev/devices/d36d7d0f-cf3d-4fef-bb9c-ed393954996b/remove" inode=96109 dev=00:16 mode=0100200 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
type=PROCTITLE msg=audit(1723190482.667:3003): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190490.167:3004): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190490.167:3004): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff9a78d6c a2=1 a3=10 items=0 ppid=782251 pid=788408 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190490.167:3004): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190492.257:3005): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190492.277:3006): avc: denied { read } for pid=787654 comm="rpc-virtnodedev" name="4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190492.277:3006): avc: denied { open } for pid=787654 comm="rpc-virtnodedev" path="/dev/vfio/4" dev="devtmpfs" ino=3051 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1723190492.277:3006): arch=80000016 syscall=288 success=yes exit=20 a0=ffffffffffffff9c a1=3ff7c000bd0 a2=0 a3=0 items=0 ppid=1 pid=787654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtnodedev" exe="/usr/sbin/virtnodedevd" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190492.277:3006): proctitle=2F7573722F7362696E2F766972746E6F646564657664002D2D74696D656F757400313230
type=AVC msg=audit(1723190492.277:3007): avc: denied { write } for pid=788422 comm="mdevctl" name="remove" dev="sysfs" ino=96109 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190492.277:3007): arch=80000016 syscall=288 success=yes exit=3 a0=ffffffffffffff9c a1=3ffff378548 a2=80241 a3=1b6 items=0 ppid=787654 pid=788422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190492.277:3007): proctitle=6D64657663746C0073746F70002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190497.157:3008): enforcing=1 old_enforcing=0 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190497.157:3008): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3fff607880c a2=1 a3=10 items=0 ppid=782251 pid=788439 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190497.157:3008): proctitle=736574656E666F7263650031
type=USER_MAC_STATUS msg=audit(1723190505.927:3009): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=1 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190505.947:3010): avc: denied { write } for pid=788466 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1723190505.947:3010): arch=80000016 syscall=10 success=no exit=-13 a0=3ffec978f78 a1=3ffec978f78 a2=3b a3=3a items=0 ppid=787654 pid=788466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190505.947:3010): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
type=MAC_STATUS msg=audit(1723190514.167:3011): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1723190514.167:3011): arch=80000016 syscall=4 success=yes exit=1 a0=3 a1=3ffc06f882c a2=1 a3=10 items=0 ppid=782251 pid=788514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190514.167:3011): proctitle=736574656E666F7263650030
type=USER_MAC_STATUS msg=audit(1723190516.697:3012): pid=4956 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1723190516.707:3013): avc: denied { write } for pid=788524 comm="mdevctl" name="matrix" dev="dm-9" ino=68150223 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc: denied { remove_name } for pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc: denied { unlink } for pid=788524 comm="mdevctl" name="d36d7d0f-cf3d-4fef-bb9c-ed393954996b" dev="dm-9" ino=68150129 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723190516.707:3013): arch=80000016 syscall=10 success=yes exit=0 a0=3ffe4679538 a1=3ffe4679538 a2=3b a3=3a items=0 ppid=787654 pid=788524 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mdevctl" exe="/usr/sbin/mdevctl" subj=system_u:system_r:virtnodedevd_t:s0 key=(null)^]ARCH=s390x SYSCALL=unlink AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1723190516.707:3013): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
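Added example (not part of the original report and not Red Hat tooling): a Python script that groups the AVC denials in the log above by source type, target type and object class, and lists the permissions that show up only in the permissive runs. SAMPLE holds records copied from that log and shortened; the function names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the audit log in this report, shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1723190482.667:3002): avc: denied { read } for pid=787654 comm="rpc-virtnodedev" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1723190492.277:3006): avc: denied { read } for pid=787654 comm="rpc-virtnodedev" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190492.277:3006): avc: denied { open } for pid=787654 comm="rpc-virtnodedev" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1723190505.947:3010): avc: denied { write } for pid=788466 comm="mdevctl" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1723190516.707:3013): avc: denied { write } for pid=788524 comm="mdevctl" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc: denied { remove_name } for pid=788524 comm="mdevctl" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723190516.707:3013): avc: denied { unlink } for pid=788524 comm="mdevctl" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1723190516.707:3013): proctitle=6D64657663746C00756E646566696E65002D2D757569643D64333664376430662D636633642D346665662D626239632D656433393339353439393662
"""

AVC_RE = re.compile(
    r"audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)\s+permissive=(?P<mode>[01])")
TITLE_RE = re.compile(r"type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)")

def decode_proctitle(hex_args):
    """auditd hex-encodes the command line because argv entries are NUL-separated."""
    return bytes.fromhex(hex_args).replace(b"\x00", b" ").decode("utf-8", "replace")

def collect(log):
    """Return ({(source type, target type, class): perms per mode}, {event serial: command})."""
    seen = defaultdict(lambda: {"enforcing": set(), "permissive": set()})
    commands = {}
    for line in log.splitlines():
        if (m := AVC_RE.search(line)):
            mode = "permissive" if m["mode"] == "1" else "enforcing"
            seen[(m["src"], m["tgt"], m["cls"])][mode].update(m["perms"].split())
        elif (t := TITLE_RE.search(line)):
            commands[t["serial"]] = decode_proctitle(t["hex"])
    return dict(seen), commands

def only_in_permissive(seen):
    """Permissions the enforcing runs never logged because the call failed at the first denial."""
    return {key: sorted(modes["permissive"] - modes["enforcing"])
            for key, modes in seen.items() if modes["permissive"] - modes["enforcing"]}

if __name__ == "__main__":
    seen, commands = collect(SAMPLE)
    for (src, tgt, cls), perms in only_in_permissive(seen).items():
        print(f"{src} -> {tgt}:{cls} also needs {{ {' '.join(perms)} }}")
    print(commands)
```

A policy change derived only from the enforcing-mode records would cover `read` on the VFIO device and `write` on the directory, and the next run would then fail on `open`, `remove_name` and `unlink`.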
- is related to
- RHEL-39890 Can't create vfio-ap passthrough setup
- Release Pending
- relates to
- RHEL-39893 Can't create vfio-ccw passthrough setup
- Planning