-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.0
-
No
-
None
-
rhel-sst-security-selinux
-
ssg_security
-
1
-
False
-
-
None
-
None
-
None
-
None
-
None
What were you trying to do that didn't work?
Hotplug hostdev device will trigger avc denied error
Please provide the package NVR for which bug is seen:
# rpm -q libvirt qemu-kvm selinux-policy
libvirt-10.8.0-2.el10.x86_64
qemu-kvm-9.1.0-3.el10.x86_64
selinux-policy-40.13.12-1.el10.noarch
How reproducible:
100%
Steps to reproduce
1. Prepare a system with SR-IOV capable network device, and enable iommu in the kernel cmd line, then reboot and enable VFs.
# echo 4 > /sys/devices/pci0000:00/0000:00:02.0/0000:04:00.0/sriov_numvfs
2. Detach one of the VFs from host by
# virsh nodedev-detach pci_0000_04_10_6
Device pci_0000_04_10_6 detached
It will trigger avc denied error:
time->Wed Oct 30 03:20:17 2024 type=PROCTITLE msg=audit(1730272817.429:353): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730272817.429:353): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=7fe45c003260 a2=201 a3=0 items=0 ppid=1 pid=3363 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730272817.429:353): avc: denied { write } for pid=3363 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
3. hotplug the interface to a running guest, it will trigger other avc denied errors
---- time->Wed Oct 30 03:28:14 2024 type=PROCTITLE msg=audit(1730273294.004:460): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273294.004:460): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=0 a3=7f966cfff4f0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273294.004:460): avc: denied { getrlimit } for pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1 ---- time->Wed Oct 30 03:28:14 2024 type=PROCTITLE msg=audit(1730273294.004:461): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273294.004:461): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=7f966cfff500 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273294.004:461): avc: denied { setrlimit } for pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
4. hotunplug the interface, it will trigger other avc denied error:
---- time->Wed Oct 30 03:30:04 2024 type=PROCTITLE msg=audit(1730273404.110:475): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273404.110:475): arch=c000003e syscall=87 success=yes exit=0 a0=7f966841f730 a1=7f966841f730 a2=0 a3=0 items=0 ppid=3454 pid=4066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273404.110:475): avc: denied { unlink } for pid=4066 comm="rpc-virtqemud" name="69" dev="tmpfs" ino=16 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c70,c572 tclass=chr_file permissive=1 ---- time->Wed Oct 30 03:30:04 2024 type=PROCTITLE msg=audit(1730273404.110:476): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273404.110:476): arch=c000003e syscall=87 success=yes exit=0 a0=7f966841eb30 a1=7f966841eb30 a2=7f966c5851ee a3=0 items=0 ppid=3454 pid=4066 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273404.110:476): avc: denied { unlink } for pid=4066 comm="rpc-virtqemud" name="vfio" dev="tmpfs" ino=15 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1 ---- time->Wed Oct 30 03:30:04 2024 type=PROCTITLE msg=audit(1730273404.112:477): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273404.112:477): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=0 a3=7f966e3ff630 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273404.112:477): avc: denied { getrlimit } for pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1 ---- time->Wed Oct 30 03:30:04 2024 type=PROCTITLE msg=audit(1730273404.112:478): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273404.112:478): arch=c000003e syscall=302 success=yes exit=0 a0=e50 a1=8 a2=7f966e3ff640 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273404.112:478): avc: denied { setrlimit } for pid=3454 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c70,c572 tclass=process permissive=1
5. Reattach the device to host, it will trigger other avc denied errors
---- time->Wed Oct 30 03:31:45 2024 type=PROCTITLE msg=audit(1730273505.472:484): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730273505.472:484): arch=c000003e syscall=257 success=yes exit=28 a0=ffffff9c a1=7f9660036740 a2=201 a3=0 items=0 ppid=1 pid=3454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730273505.472:484): avc: denied { write } for pid=3454 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=58988 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Expected results
There should not be avc denied error during all the operations
Actual results
There are avc denied errors during the nodedev attach, reattach, hotplug, unplug of a hostdev interface