RHEL-65266

Hotplug hostdev device will trigger avc denied error


      What were you trying to do that didn't work?

      Hotplug hostdev device will trigger avc denied error

      Please provide the package NVR for which the bug is seen:

      # rpm -q libvirt qemu-kvm selinux-policy
      libvirt-10.8.0-2.el10.x86_64
      qemu-kvm-9.1.0-3.el10.x86_64
      selinux-policy-40.13.12-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a system with an SR-IOV capable network device, enable the IOMMU on the kernel command line, then reboot and enable VFs:

      # echo 4 > /sys/devices/pci0000:00/0000:00:02.0/0000:04:00.0/sriov_numvfs

      2. Detach one of the VFs from the host:
      # virsh nodedev-detach pci_0000_04_10_6
      Device pci_0000_04_10_6 detached

      This triggers an AVC denial:

      time->Wed Oct 30 03:20:17 2024
      type=PROCTITLE msg=audit(1730272817.429:353): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730272817.429:353): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=7fe45c003260 a2=201 a3=0 items=0 ppid=1 pid=3363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730272817.429:353): avc:  denied  { write } for  pid=3363 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

      3. Hotplug the interface into a running guest; this triggers further AVC denials:

      ----
      time->Wed Oct 30 03:28:14 2024
      type=PROCTITLE msg=audit(1730273294.004:460): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273294.004:460): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=0 a3=7f966cfff4f0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273294.004:460): avc:  denied  { getrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
      ----
      time->Wed Oct 30 03:28:14 2024
      type=PROCTITLE msg=audit(1730273294.004:461): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273294.004:461): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=7f966cfff500 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273294.004:461): avc:  denied  { setrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
      

      4. Hot-unplug the interface; this triggers further AVC denials:

      ----
      time->Wed Oct 30 03:30:04 2024
      type=PROCTITLE msg=audit(1730273404.110:475): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273404.110:475): arch=c000003e syscall=87 success=yes exit=0 a0=7f966841f730 a1=7f966841f730 a2=0 a3=0 items=0 ppid=3454 pid=4066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273404.110:475): avc:  denied  { unlink } for  pid=4066 comm="rpc-virtqemud" name="69" dev="tmpfs" ino=16 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c70,c572 tclass=chr_file permissive=1
      ----
      time->Wed Oct 30 03:30:04 2024
      type=PROCTITLE msg=audit(1730273404.110:476): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273404.110:476): arch=c000003e syscall=87 success=yes exit=0 a0=7f966841eb30 a1=7f966841eb30 a2=7f966c5851ee a3=0 items=0 ppid=3454 pid=4066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273404.110:476): avc:  denied  { unlink } for  pid=4066 comm="rpc-virtqemud" name="vfio" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
      ----
      time->Wed Oct 30 03:30:04 2024
      type=PROCTITLE msg=audit(1730273404.112:477): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273404.112:477): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=0 a3=7f966e3ff630 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273404.112:477): avc:  denied  { getrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
      ----
      time->Wed Oct 30 03:30:04 2024
      type=PROCTITLE msg=audit(1730273404.112:478): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273404.112:478): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=7f966e3ff640 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273404.112:478): avc:  denied  { setrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
      

      5. Reattach the device to the host; this triggers another AVC denial:

      ----
      time->Wed Oct 30 03:31:45 2024
      type=PROCTITLE msg=audit(1730273505.472:484): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730273505.472:484): arch=c000003e syscall=257 success=yes exit=28 a0=ffffff9c a1=7f9660036740 a2=201 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730273505.472:484): avc:  denied  { write } for  pid=3454 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      

      Expected results

      There should be no AVC denials during any of these operations.

      Actual results

      There are AVC denials during the nodedev attach, reattach, hotplug and unplug of a hostdev interface.
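To triage the denials listed above without running `ausearch`/`audit2allow` on the box, the following added script (not part of this bug report, libvirt or selinux-policy) parses `type=AVC` records in the format shown, groups them into the (source type, target type, class, permissions) tuples a policy maintainer reviews, renders each group as an audit2allow-style `allow` rule for that review, and checks that every record carries `permissive=1`, which means the kernel logged the denial but let the syscall through (in enforcing mode the same hotplug steps would fail). It also decodes the hex `proctitle=` field to the command line. The sample log embedded in the script is constructed from the records in this report; the function names are the script's own.

```python
import re

# Constructed sample input: AVC and PROCTITLE records copied from the report
# above, trimmed to the records the triage needs.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1730272817.429:353): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1730272817.429:353): avc:  denied  { write } for  pid=3363 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730273294.004:460): avc:  denied  { getrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
type=AVC msg=audit(1730273294.004:461): avc:  denied  { setrlimit } for  pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
type=AVC msg=audit(1730273404.110:475): avc:  denied  { unlink } for  pid=4066 comm="rpc-virtqemud" name="69" dev="tmpfs" ino=16 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c70,c572 tclass=chr_file permissive=1
type=AVC msg=audit(1730273404.110:476): avc:  denied  { unlink } for  pid=4066 comm="rpc-virtqemud" name="vfio" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1730273505.472:484): avc:  denied  { write } for  pid=3454 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set, key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type (third component) of an SELinux context such as system_u:system_r:virtqemud_t:s0."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        # permissive=1: the denial was logged but the operation was allowed to proceed
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit(text):
    """Return the parsed AVC records of a multi-line audit log, skipping SYSCALL/PROCTITLE lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denials by (source type, target type, class) and collect the denied permissions."""
    groups = {}
    for r in records:
        if r["result"] != "denied":
            continue
        groups.setdefault((r["source"], r["target"], r["tclass"]), set()).update(r["perms"])
    return {key: sorted(perms) for key, perms in sorted(groups.items())}


def format_rules(summary):
    """Render each group as the allow rule audit2allow would propose, for maintainer review."""
    rules = []
    for (src, tgt, cls), perms in summary.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def only_permissive(records):
    """True when every record was logged in permissive mode, i.e. nothing was actually blocked."""
    return all(r["permissive"] for r in records)


def decode_proctitle(hexstr):
    """proctitle= is the process argv, NUL-separated and hex-encoded; return it as a command line."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT_LOG)
    for rule in format_rules(summarize(recs)):
        print(rule)
    print("all denials logged in permissive mode:", only_permissive(recs))
    print(decode_proctitle("2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230"))
```

Run as-is it prints the four distinct rules the report's denials map to (virtqemud_t writing sysfs_t:file, getrlimit/setrlimit on svirt_t:process, and unlink of svirt_image_t and vfio_device_t chr_file nodes) and confirms the proctitle is `/usr/sbin/virtqemud --timeout 120`. The rules are input for the policy maintainer's review, not something to load blindly: whether each access belongs in the virtqemud_t policy is exactly what this issue is about.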

              Zdenek Pytela (rhn-support-zpytela)
              Yalan Zhang (yalzhang@redhat.com)