Bug | Resolution: Unresolved | Normal | rhel-9.5 | rhel-sst-security-selinux | ssg_security | QE ack | Automated
What were you trying to do that didn't work?
AVC denial after starting a guest with a block LUN disk that enables the rawio capability.
Please provide the package NVR for which bug is seen:
libvirt-10.5.0-4.el9.x86_64
qemu-kvm-9.0.0-7.el9.x86_64
kernel-5.14.0-480.el9.x86_64
kernel-5.14.0-494.el9.x86_64
selinux-policy-38.1.43-1.el9.noarch
How reproducible:
100%
Steps to reproduce:
1. Start a guest with the following disk xml.
# virsh dumpxml rhel --inactive --xpath //disk
......
<disk type="block" device="lun" rawio="yes">
<driver name="qemu" type="raw"/>
<source dev="/dev/sdb"/>
<target dev="sdb" bus="scsi"/>
<address type="drive" controller="0" bus="0" target="0" unit="1"/>
</disk>
# virsh start rhel
Domain 'rhel' started
2. Check /var/log/messages.
# tail -f /var/log/messages
......
Aug 30 02:21:11 dell-per7525-08 setroubleshoot[251581]: SELinux is preventing /usr/libexec/qemu-kvm from using the sys_rawio capability. For complete SELinux messages run: sealert -l 20c5a6eb-9fc7-41d4-89dd-f8d3ca9d928d
Aug 30 02:21:11 dell-per7525-08 setroubleshoot[251581]: SELinux is preventing /usr/libexec/qemu-kvm from using the sys_rawio capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-kvm should have the sys_rawio capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'worker' --raw | audit2allow -M my-worker
# semodule -X 300 -i my-worker.pp
......
3. Run `sealert -l 20c5a6eb-9fc7-41d4-89dd-f8d3ca9d928d` based on the above message.
......
Raw Audit Messages
type=AVC msg=audit(1724998870.298:44601): avc: denied { sys_rawio } for pid=251558 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c12,c635 tcontext=system_u:system_r:svirt_t:s0:c12,c635 tclass=capability permissive=0
type=SYSCALL msg=audit(1724998870.298:44601): arch=x86_64 syscall=ioctl success=yes exit=0 a0=e a1=2285 a2=56163c722a00 a3=0 items=0 ppid=1 pid=251558 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm=worker exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c12,c635 key=(null)
Hash: worker,svirt_t,svirt_t,capability,sys_rawio
Expected results:
No AVC denial.
Actual results:
An AVC denial is logged.
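For triaging reports like this one, the following added example (not part of this bug report or of setroubleshoot) parses raw AVC records such as the one quoted above, maps the numeric capability field (17) to its name, and filters for enforced capability denials raised by the svirt_t domain; the sample input is the quoted AVC record plus a constructed, shortened SYSCALL record.

```python
import re

# Capability numbers from <linux/capability.h>; 17 is the one in this report.
CAP_NAMES = {1: "CAP_DAC_OVERRIDE", 12: "CAP_NET_ADMIN", 17: "CAP_SYS_RAWIO",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: "
    r"(?P<verdict>denied|granted) \{ (?P<perms>[^}]+) \} for (?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "verdict": m.group("verdict"),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The source type is the third field of user:role:type:mls.
    rec["stype"] = rec.get("scontext", "::unknown").split(":")[2]
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capname"] = CAP_NAMES.get(int(rec["capability"]), "CAP_" + rec["capability"])
    # permissive=0 means the denial was enforced, not merely logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def find_capability_denials(lines, domain="svirt_t"):
    """Return enforced capability denials raised by processes in `domain`."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied" and rec.get("tclass") == "capability"
                and rec["stype"] == domain and rec["enforced"]):
            hits.append(rec)
    return hits


# Sample input: the AVC record quoted in this report plus a constructed,
# shortened SYSCALL record that the filter must ignore.
SAMPLE = [
    'type=AVC msg=audit(1724998870.298:44601): avc: denied { sys_rawio } for pid=251558 '
    'comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c12,c635 '
    'tcontext=system_u:system_r:svirt_t:s0:c12,c635 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1724998870.298:44601): arch=x86_64 syscall=ioctl success=yes exit=0',
]

if __name__ == "__main__":
    for hit in find_capability_denials(SAMPLE):
        print(hit["serial"], hit["comm"], hit["stype"], hit["capname"], hit["perms"])
```

Note that the SYSCALL record in the report shows success=yes even though the capability check was denied with permissive=0, so filter on the AVC record rather than on the syscall result.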