RHEL-56955

[rhel-9] AVC denied after starting guest with block lun disk which enables rawio capability

      The reproducer does not trigger SELinux denials.

      Show
      The reproducer does not trigger SELinux denials.
    • None
    • Automated
    • None

      What were you trying to do that didn't work?

      AVC denied after starting guest with block lun disk which enables rawio capability

      Please provide the package NVR for which the bug is seen:

      libvirt-10.5.0-4.el9.x86_64
      qemu-kvm-9.0.0-7.el9.x86_64
      kernel-5.14.0-480.el9.x86_64
      kernel-5.14.0-494.el9.x86_64
      selinux-policy-38.1.43-1.el9.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Start a guest with the following disk XML.

      # virsh dumpxml rhel --inactive --xpath //disk
      ......
      <disk type="block" device="lun" rawio="yes">
        <driver name="qemu" type="raw"/>
        <source dev="/dev/sdb"/>
        <target dev="sdb" bus="scsi"/>
        <address type="drive" controller="0" bus="0" target="0" unit="1"/>
      </disk>
      # virsh start rhel
      Domain 'rhel' started

      2. Check /var/log/messages.
      # tail -f /var/log/messages
      ......
      Aug 30 02:21:11 dell-per7525-08 setroubleshoot[251581]: SELinux is preventing /usr/libexec/qemu-kvm from using the sys_rawio capability. For complete SELinux messages run: sealert -l 20c5a6eb-9fc7-41d4-89dd-f8d3ca9d928d
      Aug 30 02:21:11 dell-per7525-08 setroubleshoot[251581]: SELinux is preventing /usr/libexec/qemu-kvm from using the sys_rawio capability.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that qemu-kvm should have the sys_rawio capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'worker' --raw | audit2allow -M my-worker#012# semodule -X 300 -i my-worker.pp#012
      ......

      3. Run `sealert -l 20c5a6eb-9fc7-41d4-89dd-f8d3ca9d928d` based on the above message.
      ......
      Raw Audit Messages
      type=AVC msg=audit(1724998870.298:44601): avc:  denied  { sys_rawio } for  pid=251558 comm="worker" capability=17  scontext=system_u:system_r:svirt_t:s0:c12,c635 tcontext=system_u:system_r:svirt_t:s0:c12,c635 tclass=capability permissive=0

      type=SYSCALL msg=audit(1724998870.298:44601): arch=x86_64 syscall=ioctl success=yes exit=0 a0=e a1=2285 a2=56163c722a00 a3=0 items=0 ppid=1 pid=251558 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=worker exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c12,c635 key=(null)

      Hash: worker,svirt_t,svirt_t,capability,sys_rawio

      Expected results

      No AVC denial

      Actual results

      An AVC denial is logged
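To triage this denial from the raw audit record rather than from setroubleshoot's summary, here is an added Python helper (example code, not part of this issue, libvirt or selinux-policy) that parses the AVC line quoted above, maps capability=17 to CAP_SYS_RAWIO using the numbering from linux/capability.h, and reports whether the denial was enforced (permissive=0). The CAP_NAMES table is a deliberately partial subset, and the sample input is the record from this issue embedded inline.

```python
"""Parse a raw SELinux AVC record and explain a capability denial."""
import re
from typing import Optional

# Subset of Linux capability numbers from <linux/capability.h>; 17 is the one in this issue.
CAP_NAMES = {
    1: "CAP_DAC_OVERRIDE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
}

# Sample input: the AVC line quoted in this issue, embedded here so the script runs offline.
AVC_LINE = (
    "type=AVC msg=audit(1724998870.298:44601): avc:  denied  { sys_rawio } for  pid=251558 "
    'comm="worker" capability=17  scontext=system_u:system_r:svirt_t:s0:c12,c635 '
    "tcontext=system_u:system_r:svirt_t:s0:c12,c635 tclass=capability permissive=0"
)

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, values optionally quoted


def parse_avc(line: str) -> Optional[dict]:
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()          # e.g. ["sys_rawio"]
    ts = re.search(r"audit\((\d+\.\d+):(\d+)\)", line)
    if ts:
        rec["time"], rec["serial"] = float(ts.group(1)), int(ts.group(2))
    # Source domain type, e.g. svirt_t from system_u:system_r:svirt_t:s0:c12,c635
    rec["sdomain"] = rec.get("scontext", "?:?:?").split(":")[2]
    return rec


def describe_capability_denial(rec: Optional[dict]) -> Optional[str]:
    """One-line summary of a capability denial; None for any other record."""
    if rec is None or rec.get("tclass") != "capability" or rec["verdict"] != "denied":
        return None
    cap = int(rec.get("capability", -1))
    name = CAP_NAMES.get(cap, f"capability {cap}")
    mode = "enforcing" if rec.get("permissive") == "0" else "permissive (logged only)"
    return f'{rec["sdomain"]} (comm={rec.get("comm")}, pid={rec.get("pid")}) denied {name} in {mode} mode'


if __name__ == "__main__":
    print(describe_capability_denial(parse_avc(AVC_LINE)))
```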

              rhn-support-zpytela Zdenek Pytela
              rhn-support-meili Meina Li
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik