Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- virt-selinux

Regression:
No
Severity:
None

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

start vm with direct type interface will trigger avc denied issue

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

libvirt-10.8.0-3.el10.x86_64
selinux-policy-40.13.12-2.el10.noarch

How reproducible is this bug?

100%

Steps to reproduce

1. prepare a vm with direct type interface like below, and start the vm:

# virsh dumpxml rhel --xpath //interface 
<interface type="direct">
  <mac address="52:54:00:7b:a1:cc"/>
  <source dev="eno1" mode="bridge"/>
  <model type="virtio"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

# ausearch -m avc
<no matches>

# virsh start rhel 
Domain 'rhel' started

2. check the audit log:

# ausearch -m avc
----
time->Thu Oct 31 03:02:54 2024
type=PROCTITLE msg=audit(1730358174.074:1875): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1730358174.074:1875): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=7f9364053d20 a2=2 a3=0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1730358174.074:1875): avc:  denied  { open } for  pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1730358174.074:1875): avc:  denied  { read write } for  pid=19401 comm="rpc-virtqemud" name="tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Oct 31 03:02:54 2024
type=PROCTITLE msg=audit(1730358174.074:1876): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1730358174.074:1876): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=800454d2 a2=7f937e9ff080 a3=7f93640008e0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1730358174.074:1876): avc:  denied  { ioctl } for  pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 ioctlcmd=0x54d2 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1

Expected results

There should not be avc denied issue when starting vm

Actual results

Assignee:: Zdenek Pytela

Reporter:: Yalan Zhang

Developer:: Zdenek Pytela

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/10/31 7:04 AM

Updated:: 2024/11/08 6:30 PM

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?

Steps to reproduce

Expected results

Actual results

Attachments

Easy Agile Planning Poker

Activity

People

Dates