Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-65385

AVC denied error when macTableManager is set to libvirt in network's setting

    • No
    • None
    • rhel-sst-security-selinux
    • ssg_security
    • 1
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      When macTableManager is set to libvirt on the network, start vm with trigger avc denied error

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      libvirt-10.8.0-3.el10.x86_64
      qemu-kvm-9.1.0-3.el10.1.x86_64
      selinux-policy-40.13.12-2.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Prepare a network with macTableManager is set to libvirt:

      # virsh net-dumpxml default 
      <network>
        <name>default</name>
        <uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
        <forward mode='nat'>
          <nat>
            <port start='1024' end='65535'/>
          </nat>
        </forward>
        <bridge name='virbr0' stp='on' delay='0' macTableManager='libvirt'/>
        <mac address='52:54:00:5f:df:c0'/>
        <ip address='192.168.122.1' netmask='255.255.255.0'>
          <dhcp>
            <range start='192.168.122.128' end='192.168.122.254'/>
          </dhcp>
        </ip>
      </network>
      

      2. start a vm with interface connected to this network:

      # ausearch -m avc
      <no matches>
      
      # virsh dumpxml rhel --xpath //interface 
      <interface type="network">
        <mac address="52:54:00:23:f2:16"/>
        <source network="default"/>
        <model type="virtio"/>
        <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
      </interface>
      
      # virsh start rhel 
      Domain 'rhel' started
      

      3. check the audit log:

      ----
      time->Thu Oct 31 04:25:41 2024
      type=PROCTITLE msg=audit(1730363141.187:1130): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1730363141.187:1130): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f1e78031900 a2=201 a3=0 items=0 ppid=1 pid=7000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1730363141.187:1130): avc:  denied  { write } for  pid=7000 comm="rpc-virtqemud" name="learning" dev="sysfs" ino=69443 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      

      Expected results

      There should not be avc denied logs when start vm

      Actual results

              rhn-support-zpytela Zdenek Pytela
              yalzhang@redhat.com Yalan Zhang
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: