Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-65038

Hotplug memory device will trigger AVC denied error

    • Yes
    • None
    • sst_security_selinux
    • ssg_security
    • 1
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • Hide

      The reproducer does not trigger SELinux denials.

      Show
      The reproducer does not trigger SELinux denials.
    • None
    • None
    • None

      What were you trying to do that didn't work?

      Hotplug memory device will trigger AVC denied error

      Please provide the package NVR for which bug is seen:

      # rpm -q libvirt qemu-kvm selinux-policy
      libvirt-10.8.0-2.el10.x86_64
      qemu-kvm-9.1.0-3.el10.x86_64
      selinux-policy-40.13.12-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. start vm with maxMemory and numanode configured:

      # virsh dumpxml rhel
      ... 
      <maxMemory slots='16' unit='KiB'>8388608</maxMemory>
        <memory unit='KiB'>2097152</memory>
        <currentMemory unit='KiB'>2097152</currentMemory>
      ...  
      <cpu mode='host-passthrough' check='none' migratable='on'>
          <numa>
            <cell id='0' cpus='0-7' memory='2097152' unit='KiB'/>
          </numa>
        </cpu>
      .....
      # virsh start rhel 
      Domain 'rhel' started
      

      2. After VM boot successfully, hotplug a memory device:

      # cat dimm.xml
      <memory model='dimm' access='private' discard='yes'>
          <target>
            <size unit='KiB'>524287</size>
            <node>0</node>
          </target>
        </memory># virsh attach-device rhel dimm.xml
      Device attached successfully
      

      3. Check the audit logs, there is avc denied error:

      time->Mon Oct 28 09:29:36 2024
      type=PROCTITLE msg=audit(1730122176.355:1414): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730122176.355:1414): arch=c000003e syscall=302 success=yes exit=0 a0=36a3 a1=8 a2=0 a3=7f96303ff660 items=0 ppid=1 pid=13420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730122176.355:1414): avc:  denied  { getrlimit } for  pid=13420 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c200,c980 tclass=process permissive=1
      

      Expected results

      There should not be AVC denied error when hotplug memory

      Actual results

      There is AVC denied error when hotplug memory

              rhn-support-zpytela Zdenek Pytela
              yalzhang@redhat.com Yalan Zhang
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: