Bug
Resolution: Unresolved
Normal
rhel-10.0
sst_security_selinux
ssg_security
What were you trying to do that didn't work?
Starting a VM with a direct type interface triggers an AVC denial.
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
libvirt-10.8.0-3.el10.x86_64
selinux-policy-40.13.12-2.el10.noarch
How reproducible is this bug?
100%
Steps to reproduce
1. Prepare a VM with a direct type interface like the one below and start it:

    # virsh dumpxml rhel --xpath //interface
    <interface type="direct">
      <mac address="52:54:00:7b:a1:cc"/>
      <source dev="eno1" mode="bridge"/>
      <model type="virtio"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>
    # ausearch -m avc
    <no matches>
    # virsh start rhel
    Domain 'rhel' started
2. Check the audit log:

    # ausearch -m avc
    ----
    time->Thu Oct 31 03:02:54 2024
    type=PROCTITLE msg=audit(1730358174.074:1875): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
    type=SYSCALL msg=audit(1730358174.074:1875): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=7f9364053d20 a2=2 a3=0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
    type=AVC msg=audit(1730358174.074:1875): avc: denied { open } for pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(1730358174.074:1875): avc: denied { read write } for pid=19401 comm="rpc-virtqemud" name="tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
    ----
    time->Thu Oct 31 03:02:54 2024
    type=PROCTITLE msg=audit(1730358174.074:1876): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
    type=SYSCALL msg=audit(1730358174.074:1876): arch=c000003e syscall=16 success=yes exit=0 a0=17 a1=800454d2 a2=7f937e9ff080 a3=7f93640008e0 items=0 ppid=1 pid=19401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
    type=AVC msg=audit(1730358174.074:1876): avc: denied { ioctl } for pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 ioctlcmd=0x54d2 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
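Added example (not part of this report or of libvirt/selinux-policy): a small Python parser for the ausearch output above. It decodes the hex PROCTITLE into argv and groups the denied permissions by source type, target type and object class, so the three records collapse into the single missing rule they describe (virtqemud_t accessing a device_t chr_file) and the permissive=1 flag is read correctly. The sample records are copied from this report.

```python
import re
from collections import defaultdict

# Sample input, copied from the ausearch output in this report (one record per line).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1730358174.074:1875): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1730358174.074:1875): avc: denied { open } for pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1730358174.074:1875): avc: denied { read write } for pid=19401 comm="rpc-virtqemud" name="tap33" dev="devtmpfs" ino=868 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1730358174.074:1876): avc: denied { ioctl } for pid=19401 comm="rpc-virtqemud" path="/dev/tap33" dev="devtmpfs" ino=868 ioctlcmd=0x54d2 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(line):
    """proctitle is hex-encoded argv with NUL between arguments; return the argv list."""
    m = re.search(r'proctitle=([0-9A-Fa-f]+)', line)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).decode('utf-8', 'replace').split('\0')


def summarise_denials(text):
    """Group denied permissions by (source type, target type, tclass).

    Returns {(stype, ttype, tclass): {'perms': set, 'objects': set, 'permissive': bool}}.
    """
    out = defaultdict(lambda: {'perms': set(), 'objects': set(), 'permissive': None})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE / SYSCALL records carry no denial
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        stype = m['scontext'].split(':')[2]  # system_u:system_r:virtqemud_t:s0 -> virtqemud_t
        ttype = m['tcontext'].split(':')[2]
        entry = out[(stype, ttype, m['tclass'])]
        entry['perms'].update(m['perms'].split())
        entry['objects'].add(fields.get('path') or fields.get('name') or '?')
        # permissive=1: the access was logged but still allowed (domain or system is permissive)
        entry['permissive'] = m['permissive'] == '1'
    return dict(out)


if __name__ == '__main__':
    print('process:', decode_proctitle(SAMPLE_AUDIT.splitlines()[0]))
    for key, info in summarise_denials(SAMPLE_AUDIT).items():
        mode = 'permissive (not enforced)' if info['permissive'] else 'enforcing'
        print(key, sorted(info['perms']), sorted(info['objects']), mode)
```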
Expected results
There should be no AVC denials when starting the VM.