-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.0
-
No
-
None
-
sst_security_selinux
-
ssg_security
-
1
-
QE ack
-
False
-
-
None
-
None
-
-
None
-
None
-
None
What were you trying to do that didn't work?
AVC denied error when start vm with interface set with "<port isolated='yes'/>"
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
libvirt-10.8.0-3.el10.x86_64
qemu-kvm-9.1.0-3.el10.1.x86_64
selinux-policy-40.13.12-2.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
1. prepare a vm with interface set with "<port isolated='yes'/>", start the vm
# virsh dumpxml rhel --xpath //interface <interface type="network"> <mac address="52:54:00:23:f2:16"/> <source network="default"/> <port isolated="yes"/> <model type="virtio"/> <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/> </interface> # virsh start rhel Domain 'rhel' started
2. It will trigger avc denied error like as below:
---- time->Thu Oct 31 03:59:59 2024 type=PROCTITLE msg=audit(1730361599.950:867): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230 type=SYSCALL msg=audit(1730361599.950:867): arch=c000003e syscall=257 success=yes exit=28 a0=ffffff9c a1=7fb99440fb20 a2=201 a3=0 items=0 ppid=1 pid=5711 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(1730361599.950:867): avc: denied { write } for pid=5711 comm="rpc-virtqemud" name="isolated" dev="sysfs" ino=68444 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
Expected results
There should not be avc denied error when start vm