RHEL-65322

Starting a VM with a bridge type interface connected to an OVS bridge triggers an AVC denied error

      The reproducer does not trigger SELinux denials.

      What were you trying to do that didn't work?

      Starting a VM with a bridge type interface connected to an OVS bridge will trigger an AVC denied error.

      Please provide the package NVR for which the bug is seen:

      # rpm -q selinux-policy libvirt openvswitch3.3
      selinux-policy-40.13.12-1.el10.noarch
      libvirt-10.8.0-3.el10.x86_64
      openvswitch3.3-3.3.0-8.el10fdp.x86_64

      How reproducible:

      100%

      Steps to reproduce

      1. Prepare a VM with a bridge type interface which is connected to an OVS bridge:

      # systemctl start openvswitch
      # ovs-vsctl add-br ovsbr0
      # ovs-vsctl show
      77b8adab-043f-4bd4-9761-615c4b4412f4
          Bridge ovsbr0
              Port ovsbr0
                  Interface ovsbr0
                      type: internal
          ovs_version: "3.3.2-8.el10fdp"
      
      # virsh dumpxml rhel --xpath //interface
      <interface type="bridge">
        <mac address="52:54:00:1b:89:d2"/>
        <source bridge="ovsbr0"/>
        <virtualport type="openvswitch">
          <parameters interfaceid="e463bd02-9f61-4efc-b180-215941b34fca"/>
        </virtualport>
        <model type="virtio"/>
        <address type="pci" domain="0x0000" bus="0x03" slot="0x00" function="0x0"/>
      </interface>
      

      2. Starting the VM will trigger the AVC denied error:
      # virsh start rhel
      Domain 'rhel' started

      # ausearch -m avc
      ----
      time->Wed Oct 30 09:31:28 2024
      type=PROCTITLE msg=audit(1730295088.778:937): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730295088.778:937): arch=c000003e syscall=21 success=yes exit=0 a0=7f818805b689 a1=1 a2=8 a3=7f81880008e0 items=0 ppid=1 pid=11248 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730295088.778:937): avc:  denied  { execute } for  pid=11248 comm="rpc-virtqemud" name="ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
      ----
      time->Wed Oct 30 09:31:28 2024
      type=PROCTITLE msg=audit(1730295088.779:938): proctitle=6F76732D767363746C002D2D74696D656F75743D35002D2D002D2D6D61792D6578697374006164642D706F7274006F767362723000766E657433002D2D0073657400506F727400766E657433006F746865725F636F6E6669673A7472616E7369656E743D74727565002D2D0073657400496E7465726661636500766E657433
      type=PATH msg=audit(1730295088.779:938): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=67112307 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1730295088.779:938): cwd="/"
      type=EXECVE msg=audit(1730295088.779:938): argc=32 a0="ovs-vsctl" a1="--timeout=5" a2="--" a3="--may-exist" a4="add-port" a5="ovsbr0" a6="vnet3" a7="--" a8="set" a9="Port" a10="vnet3" a11="other_config:transient=true" a12="--" a13="set" a14="Interface" a15="vnet3" a16=65787465726E616C2D6964733A61747461636865642D6D61633D2235323A35343A30303A31623A38393A643222 a17="--" a18="set" a19="Interface" a20="vnet3" a21=65787465726E616C2D6964733A69666163652D69643D2265343633626430322D396636312D346566632D623138302D32313539343162333466636122 a22="--" a23="set" a24="Interface" a25="vnet3" a26=65787465726E616C2D6964733A766D2D69643D2231383938363931312D646663302D343633332D383465382D37353637346433616135373522 a27="--" a28="set" a29="Interface" a30="vnet3" a31="external-ids:iface-status=active"
      type=SYSCALL msg=audit(1730295088.779:938): arch=c000003e syscall=59 success=yes exit=0 a0=7f818803a7c0 a1=7f8188057f30 a2=7ffdca1f3018 a3=7f81880008e0 items=1 ppid=11248 pid=12878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730295088.779:938): avc:  denied  { map } for  pid=12878 comm="ovs-vsctl" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1730295088.779:938): avc:  denied  { execute_no_trans } for  pid=12878 comm="rpc-virtqemud" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
      ----
      time->Wed Oct 30 09:31:28 2024
      type=PROCTITLE msg=audit(1730295088.792:939): proctitle=6F76732D767363746C002D2D74696D656F75743D35002D2D002D2D6D61792D6578697374006164642D706F7274006F767362723000766E657433002D2D0073657400506F727400766E657433006F746865725F636F6E6669673A7472616E7369656E743D74727565002D2D0073657400496E7465726661636500766E657433
      type=SYSCALL msg=audit(1730295088.792:939): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7fffedc45170 a2=1f a3=0 items=0 ppid=11248 pid=12878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ovs-vsctl" exe="/usr/bin/ovs-vsctl" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730295088.792:939): avc:  denied  { connectto } for  pid=12878 comm="ovs-vsctl" path="/run/openvswitch/db.sock" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=unix_stream_socket permissive=1
      type=AVC msg=audit(1730295088.792:939): avc:  denied  { write } for  pid=12878 comm="ovs-vsctl" name="db.sock" dev="tmpfs" ino=4652 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=1
      

      Expected results

      There should not be an AVC denied error when starting the VM.

      Actual results

      Starting a VM with a bridge type interface connected to an OVS bridge will trigger an AVC denied error.

              Zdenek Pytela (rhn-support-zpytela)
              Yalan Zhang (yalzhang@redhat.com)
              Zdenek Pytela
              Milos Malik
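The five AVC records in the report all carry permissive=1, so the accesses were only logged, not blocked, which is why the domain still started; under enforcing mode the execute denial alone would make libvirt's ovs-vsctl call fail. Because the execute_no_trans denial shows ovs-vsctl running without a domain transition (it stays in virtqemud_t), the later socket denials against openvswitch_t and openvswitch_var_run_t are also charged to virtqemud_t. The script below is an added triage example and is not code from the report, from selinux-policy or from libvirt; it parses the report's AVC lines (copied verbatim into AVC_LINES), collapses them into one access vector per (source type, target type, class) the way audit2allow does, and reports whether anything was actually enforced. The regular expression and the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the report above. The audit(...) prefixes are kept so the
# parser works on real `ausearch -m avc` output; permissive=1 means only logged.
AVC_LINES = """\
type=AVC msg=audit(1730295088.778:937): avc:  denied  { execute } for  pid=11248 comm="rpc-virtqemud" name="ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730295088.779:938): avc:  denied  { map } for  pid=12878 comm="ovs-vsctl" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730295088.779:938): avc:  denied  { execute_no_trans } for  pid=12878 comm="rpc-virtqemud" path="/usr/bin/ovs-vsctl" dev="dm-0" ino=67331023 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730295088.792:939): avc:  denied  { connectto } for  pid=12878 comm="ovs-vsctl" path="/run/openvswitch/db.sock" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1730295088.792:939): avc:  denied  { write } for  pid=12878 comm="ovs-vsctl" name="db.sock" dev="tmpfs" ino=4652 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:openvswitch_var_run_t:s0 tclass=sock_file permissive=1
"""

# Matches the fields of a type=AVC record that matter for policy: result, the
# permission set in braces, source/target contexts, object class and the permissive flag.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(':')[2]


def parse_avc(lines):
    """Yield (stype, ttype, tclass, perms, permissive) for every denied AVC record."""
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue
        yield (type_of(m.group('scontext')), type_of(m.group('tcontext')),
               m.group('tclass'), set(m.group('perms').split()),
               m.group('permissive') == '1')


def summarize(lines):
    """Collapse the denials into {(stype, ttype, tclass): set(perms)}."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc(lines):
        needed[(stype, ttype, tclass)] |= perms
    return dict(needed)


def allow_rules(lines):
    """Render the summary as TE allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def all_permissive(lines):
    """True when every denial was logged in permissive mode, i.e. nothing was blocked."""
    return all(p for *_, p in parse_avc(lines))


if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
    print("only logged, not enforced:", all_permissive(AVC_LINES))
```

The three rules this prints are exactly what a local workaround module built with audit2allow would carry; they keep ovs-vsctl in virtqemud_t rather than transitioning it, so whether that or a proper transition is the right shape belongs to the selinux-policy maintainers, which is why the fix here is in the distribution policy. After updating selinux-policy, the check behind the "The reproducer does not trigger SELinux denials" note is to rerun `virsh start` and confirm `ausearch -m avc -ts recent` shows no virtqemud_t records; `sesearch -A -s virtqemud_t -t openvswitch_exec_t -c file` shows what the installed policy now grants.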