RHEL-58024

SELinux denials appear when saving VM to another disk on host

    • rhel-sst-security-selinux
    • ssg_security
    • QE ack
    • Automated
    • The reproducer does not trigger SELinux denials.

      Description of problem:
      AVC denials are logged when saving a VM to another disk on the host.

      Version-Release number of selected component (if applicable):
      # rpm -q selinux-policy
      selinux-policy-40.13.9-1.el10.noarch

      How reproducible:
      100%

      Steps to Reproduce:
      1. Prepare an idle disk on the host (sdb).

      2. Start the VM and save it to the disk:

      # virsh start rhel
      Domain 'rhel' started
      
      # virsh save rhel /dev/sdb
      Domain 'rhel' saved to /dev/sdb
      

      3. Check the audit log

      # ausearch -m avc
      ----
      time->Fri Sep  6 02:16:08 2024
      type=PROCTITLE msg=audit(1725603368.186:721):
      proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1725603368.186:721): arch=c000003e syscall=137
      success=yes exit=0 a0=7f6cbc000de0 a1=7f6cdb1ff170 a2=9 a3=0 items=0
      ppid=1 pid=6575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud"
      exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0
      key=(null)
      type=AVC msg=audit(1725603368.186:721): avc:  denied  { getattr } for
      pid=6575 comm="rpc-virtqemud" name="/" dev="devtmpfs" ino=1
      scontext=system_u:system_r:virtqemud_t:s0
      tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
      ----
      time->Fri Sep  6 02:16:08 2024
      type=PROCTITLE msg=audit(1725603368.186:722):
      proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1725603368.186:722): arch=c000003e syscall=257
      success=yes exit=20 a0=ffffff9c a1=7f6cbc008b40 a2=201 a3=0 items=0
      ppid=1 pid=6575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud"
      exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0
      key=(null)
      type=AVC msg=audit(1725603368.186:722): avc:  denied  { open } for
      pid=6575 comm="rpc-virtqemud" path="/dev/sdb" dev="devtmpfs" ino=934
      scontext=system_u:system_r:virtqemud_t:s0
      tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
      permissive=1
      type=AVC msg=audit(1725603368.186:722): avc:  denied  { write } for
      pid=6575 comm="rpc-virtqemud" name="sdb" dev="devtmpfs" ino=934
      scontext=system_u:system_r:virtqemud_t:s0
      tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
      permissive=1
      ----
      time->Fri Sep  6 02:16:08 2024
      type=PROCTITLE msg=audit(1725603368.400:723):
      proctitle=2F7573722F6C6962657865632F6C6962766972745F696F68656C706572002F6465762F7364620031
      type=SYSCALL msg=audit(1725603368.400:723): arch=c000003e syscall=1
      success=yes exit=1048576 a0=1 a1=7f0fa07c0000 a2=100000 a3=22 items=0
      ppid=6575 pid=6914 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirt_iohelpe"
      exe="/usr/libexec/libvirt_iohelper"
      subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1725603368.400:723): avc:  denied  { write } for
      pid=6914 comm="libvirt_iohelpe" path="/dev/sdb" dev="devtmpfs" ino=934
      scontext=system_u:system_r:virtqemud_t:s0
      tcontext=system_u:object_r:svirt_image_t:s0:c437,c720 tclass=blk_file
      permissive=1
      ----
      time->Fri Sep  6 02:16:09 2024
      type=PROCTITLE msg=audit(1725603369.737:726):
      proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1725603369.737:726): arch=c000003e syscall=257
      success=yes exit=20 a0=ffffff9c a1=7f6cbc008b40 a2=1 a3=0 items=0
      ppid=1 pid=6575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
      egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud"
      exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0
      key=(null)
      type=AVC msg=audit(1725603369.737:726): avc:  denied  { open } for
      pid=6575 comm="rpc-virtqemud" path="/dev/sdb" dev="devtmpfs" ino=934
      scontext=system_u:system_r:virtqemud_t:s0
      tcontext=system_u:object_r:svirt_image_t:s0:c437,c720 tclass=blk_file
      permissive=1
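The records above are easier to read once they are reduced to the distinct access vectors that are missing from the policy. The following is an added helper, not part of this report or of selinux-policy tooling: it parses `type=AVC` records of the shape shown in the ausearch output, groups them by (source type, target type, object class) the way audit2allow does, and renders candidate allow rules for a policy maintainer to review. The sample records are copied from this report's audit log with each record re-joined onto one line; the regular expression and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the five AVC records from this report, one per line.
SAMPLE_AVC = [
    'type=AVC msg=audit(1725603368.186:721): avc:  denied  { getattr } for '
    'pid=6575 comm="rpc-virtqemud" name="/" dev="devtmpfs" ino=1 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1',
    'type=AVC msg=audit(1725603368.186:722): avc:  denied  { open } for '
    'pid=6575 comm="rpc-virtqemud" path="/dev/sdb" dev="devtmpfs" ino=934 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1',
    'type=AVC msg=audit(1725603368.186:722): avc:  denied  { write } for '
    'pid=6575 comm="rpc-virtqemud" name="sdb" dev="devtmpfs" ino=934 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1',
    'type=AVC msg=audit(1725603368.400:723): avc:  denied  { write } for '
    'pid=6914 comm="libvirt_iohelpe" path="/dev/sdb" dev="devtmpfs" ino=934 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c437,c720 tclass=blk_file permissive=1',
    'type=AVC msg=audit(1725603369.737:726): avc:  denied  { open } for '
    'pid=6575 comm="rpc-virtqemud" path="/dev/sdb" dev="devtmpfs" ino=934 '
    'scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c437,c720 tclass=blk_file permissive=1',
]

# Matches the denied permission set, both contexts, the object class and the
# optional permissive flag of a single-line AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type (third colon-separated field) of an SELinux context.

    The MLS/MCS range that may follow (e.g. s0:c437,c720) is ignored, which is
    what policy rules care about.
    """
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': frozenset(m['perms'].split()),
        'source': context_type(m['scontext']),
        'target': context_type(m['tcontext']),
        'tclass': m['tclass'],
        'permissive': m['permissive'] == '1',
    }


def summarize(lines):
    """Merge denials into {(source, target, tclass): perms}, as audit2allow groups them."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return {key: frozenset(perms) for key, perms in merged.items()}


def allow_rules(lines):
    """Render the merged denials as allow rules for human review."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summarize(lines).items())
    ]


def all_permissive(lines):
    """True when every parsed denial was logged with permissive=1."""
    recs = [r for r in map(parse_avc, lines) if r]
    return bool(recs) and all(r['permissive'] for r in recs)


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    print('all denials logged in permissive mode:', all_permissive(SAMPLE_AVC))
```

Two things the summary makes visible that are easy to miss in the raw log: the target type of `/dev/sdb` changes from `fixed_disk_device_t` in record 722 to `svirt_image_t` in records 723 and 726, so there are two distinct `blk_file` vectors rather than one, and every record carries `permissive=1` together with `success=yes`, meaning the save completed only because the host was in permissive mode; in enforcing mode the same operation would have failed.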
      

      Actual results:
      AVC denials are logged when saving a VM to another disk on the host.

      Expected results:
      There should not be any AVC denials when saving a VM to another disk.

      Additional info:

              rhn-support-zpytela Zdenek Pytela
              yalzhang@redhat.com Yalan Zhang
              Zdenek Pytela
              Milos Malik
              Votes: 0
              Watchers: 8