Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- virt-selinux

Regression:
No
Severity:
None

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

AVC deined error when start vm with multiqueue virtio interface

What is the impact of this issue to you?

VM can start successfully, but there is avc denied error in audit log

Please provide the package NVR for which the bug is seen:

libvirt-10.8.0-3.el10.x86_64
qemu-kvm-9.1.0-3.el10.x86_64
selinux-policy-40.13.12-1.el10.noarch

How reproducible is this bug?:

100%

Steps to reproduce

1. Prepare a vm with multiqueue interface like:

# virsh dumpxml rhel --xpath //interface 
<interface type="network">
  <mac address="52:54:00:ee:01:68"/>
  <source network="default"/>
  <model type="virtio"/>
  <driver queues="4"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

2. start the vm, vm can start successfully, but there is avc deined error in audit log:

# ausearch -m avc
----
time->Wed Oct 30 23:04:49 2024
type=PROCTITLE msg=audit(1730343889.492:253): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1730343889.492:253): arch=c000003e syscall=16 success=yes exit=0 a0=19 a1=400454ca a2=7effff9ff000 a3=0 items=0 ppid=1 pid=3097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1730343889.492:253): avc:  denied  { relabelto } for  pid=3097 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1
type=AVC msg=audit(1730343889.492:253): avc:  denied  { relabelfrom } for  pid=3097 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=tun_socket permissive=1

Expected results

There should not be avc deined error when start vm with multiqueue interface

Actual results

Assignee:: Zdenek Pytela

Reporter:: Yalan Zhang

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/10/31 3:05 AM

Updated:: 2024/11/08 9:26 AM

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Easy Agile Planning Poker

Activity

People

Dates