Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- virt-selinux

Regression:
Yes
Severity:
None

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Hotplug memory device will trigger AVC denied error

Please provide the package NVR for which bug is seen:

# rpm -q libvirt qemu-kvm selinux-policy
libvirt-10.8.0-2.el10.x86_64
qemu-kvm-9.1.0-3.el10.x86_64
selinux-policy-40.13.12-1.el10.noarch

How reproducible:

100%

Steps to reproduce

1. start vm with maxMemory and numanode configured:

# virsh dumpxml rhel
... 
<maxMemory slots='16' unit='KiB'>8388608</maxMemory>
  <memory unit='KiB'>2097152</memory>
  <currentMemory unit='KiB'>2097152</currentMemory>
...  
<cpu mode='host-passthrough' check='none' migratable='on'>
    <numa>
      <cell id='0' cpus='0-7' memory='2097152' unit='KiB'/>
    </numa>
  </cpu>
.....
# virsh start rhel 
Domain 'rhel' started

2. After VM boot successfully, hotplug a memory device:

# cat dimm.xml
<memory model='dimm' access='private' discard='yes'>
    <target>
      <size unit='KiB'>524287</size>
      <node>0</node>
    </target>
  </memory># virsh attach-device rhel dimm.xml
Device attached successfully

3. Check the audit logs, there is avc denied error:

time->Mon Oct 28 09:29:36 2024
type=PROCTITLE msg=audit(1730122176.355:1414): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1730122176.355:1414): arch=c000003e syscall=302 success=yes exit=0 a0=36a3 a1=8 a2=0 a3=7f96303ff660 items=0 ppid=1 pid=13420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1730122176.355:1414): avc:  denied  { getrlimit } for  pid=13420 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c200,c980 tclass=process permissive=1

Expected results

There should not be AVC denied error when hotplug memory

Actual results

There is AVC denied error when hotplug memory

Assignee:: Zdenek Pytela

Reporter:: Yalan Zhang

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/10/28 1:48 PM

Updated:: 2024/11/08 9:35 AM

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Easy Agile Planning Poker

Activity

People

Dates