Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-65380

start vm with direct type interface will trigger avc denied issue

    • No
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 1
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      start vm with direct type interface will trigger avc denied issue

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      libvirt-10.8.0-3.el10.x86_64
      selinux-policy-40.13.12-2.el10.noarch

      How reproducible is this bug?

      100%

      Steps to reproduce

      1. prepare a vm with direct type interface like below, and start the vm:

      # virsh dumpxml rhel --xpath //interface 
      <interface type="direct">
        <mac address="52:54:00:7b:a1:cc"/>
        <source dev="eno1" mode="bridge"/>
        <model type="virtio"/>
        <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
      </interface>
      
      # ausearch -m avc
      <no matches>
      
      # virsh start rhel 
      Domain 'rhel' started
      

      2. check the audit log:

      # ausearch -m avc
      ----
      time->Thu Oct 31 03:02:54 2024
      type=PROCTITLE msg=audit(1730358174.074:1875): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730358174.074:1875): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=7f9364053d20 a2=2 a3=0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730358174.074:1875): avc:  denied  { open } for  pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
      type=AVC msg=audit(1730358174.074:1875): avc:  denied  { read write } for  pid=19401 comm="rpc-virtqemud" name="tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
      ----
      time->Thu Oct 31 03:02:54 2024
      type=PROCTITLE msg=audit(1730358174.074:1876): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730358174.074:1876): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=800454d2 a2=7f937e9ff080 a3=7f93640008e0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730358174.074:1876): avc:  denied  { ioctl } for  pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 ioctlcmd=0x54d2 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
      

      Expected results

      There should not be avc denied issue when starting vm

      Actual results

              rhn-support-zpytela Zdenek Pytela
              yalzhang@redhat.com Yalan Zhang
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: