-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.0
-
No
-
None
-
rhel-sst-security-selinux
-
ssg_security
-
1
-
QE ack
-
False
-
-
None
-
None
-
-
None
-
None
-
None
What were you trying to do that didn't work?
Starting vm with bridge type interface connected to ovs bridge will trigger avc denied error
Please provide the package NVR for which bug is seen:
# rpm -q selinux-policy libvirt openvswitch3.3
selinux-policy-40.13.12-1.el10.noarch
libvirt-10.8.0-3.el10.x86_64
openvswitch3.3-3.3.0-8.el10fdp.x86_64
How reproducible:
100%
Steps to reproduce
1. prepare a vm with bridge type interface which connected to a ovs bridge:
# systemctl start openvswitch
# ovs-vsctl add-br ovsbr0
# ovs-vsctl show
77b8adab-043f-4bd4-9761-615c4b4412f4
Bridge ovsbr0
Port ovsbr0
Interface ovsbr0
type: internal
ovs_version: "3.3.2-8.el10fdp"
# virsh dumpxml rhel --xpath //interface
<interface type="bridge">
<mac address="52:54:00:1b:89:d2"/>
<source bridge="ovsbr0"/>
<virtualport type="openvswitch">
<parameters interfaceid="e463bd02-9f61-4efc-b180-215941b34fca"/>
</virtualport>
<model type="virtio"/>
<address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
</interface>
2. start the vm will trigger the avc denied error:
# virsh start rhel
Domain 'rhel' started
# ausearch -m avc ---- time->Wed Oct 30 09:31:28 2024 type=PROCTITLE msg=audit(1730295088.778:937): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730295088.778:937): arch=c000003e syscall=21 success=yes exit=0 a0=7f818805b689 a1=1 a2=8 a3=7f81880008e0 items=0 ppid=1 pid=11248 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730295088.778:937): avc: denied { execute } for pid=11248 comm="rpc-virtqemud" name="ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1 ---- time->Wed Oct 30 09:31:28 2024 type=PROCTITLE msg=audit(1730295088.779:938): proctitle=6F76732D767363746C002D2D74696D656F75743D35002D2D002D2D6D61792D6578697374006164642D706F7274006F767362723000766E657433002D2D0073657400506F727400766E657433006F746865725F636F6E6669673A7472616E7369656E743D74727565002D2D0073657400496E7465726661636500766E657433 type=PATH msg=audit(1730295088.779:938): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=67112307 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1730295088.779:938): cwd="/" type=EXECVE msg=audit(1730295088.779:938): argc=32 a0="ovs-vsctl" a1="--timeout=5" a2="--" a3="--may-exist" a4="add-port" a5="ovsbr0" a6="vnet3" a7="--" a8="set" a9="Port" a10="vnet3" a11="other_config:transient=true" a12="--" a13="set" a14="Interface" a15="vnet3" a16=65787465726E616C2D6964733A61747461636865642D6D61633D2235323A35343A30303A31623A38393A643222 a17="--" a18="set" a19="Interface" a20="vnet3" a21=65787465726E616C2D6964733A69666163652D69643D2265343633626430322D396636312D346566632D623138302D32313539343162333466636122 a22="--" a23="set" a24="Interface" a25="vnet3" a26=65787465726E616C2D6964733A766D2D69643D2231383938363931312D646663302D343633332D383465382D37353637346433616135373522 a27="--" a28="set" a29="Interface" a30="vnet3" a31="external-ids:iface-status=active" type=SYSCALL msg=audit(1730295088.779:938): arch=c000003e syscall=59 success=yes exit=0 a0=7f818803a7c0 a1=7f8188057f30 a2=7ffdca1f3018 a3=7f81880008e0 items=1 ppid=11248 pid=12878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730295088.779:938): avc: denied { map } for pid=12878 comm="ovs-vsctl" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1730295088.779:938): avc: denied { execute_no_trans } for pid=12878 comm="rpc-virtqemud" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1 ---- time->Wed Oct 30 09:31:28 2024 type=PROCTITLE msg=audit(1730295088.792:939): proctitle=6F76732D767363746C002D2D74696D656F75743D35002D2D002D2D6D61792D6578697374006164642D706F7274006F767362723000766E657433002D2D0073657400506F727400766E657433006F746865725F636F6E6669673A7472616E7369656E743D74727565002D2D0073657400496E7465726661636500766E657433 type=SYSCALL msg=audit(1730295088.792:939): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fffedc45170 a2=1f a3=0 items=0 ppid=11248 pid=12878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730295088.792:939): avc: denied { connectto } for pid=12878 comm="ovs-vsctl" path="/run/openvswitch/db.sock" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=unix_stream_socket permissive=1 type=AVC msg=audit(1730295088.792:939): avc: denied { write } for pid=12878 comm="ovs-vsctl" name="db.sock" dev="tmpfs" ino=4652 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=1
Expected results
There should not be avc denied error when start vm
Actual results
Starting vm with bridge type interface connected to ovs bridge will trigger avc denied error