- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0
- rhel-sst-security-selinux
- ssg_security
What were you trying to do that didn't work?
When macTableManager is set to libvirt on the network, starting a VM with an interface on that network triggers an AVC denial.
What is the impact of this issue to you?
Please provide the package NVR for which the bug is seen:
libvirt-10.8.0-3.el10.x86_64
qemu-kvm-9.1.0-3.el10.1.x86_64
selinux-policy-40.13.12-2.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
1. Prepare a network with macTableManager set to libvirt:
    # virsh net-dumpxml default
    <network>
      <name>default</name>
      <uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
      <forward mode='nat'>
        <nat>
          <port start='1024' end='65535'/>
        </nat>
      </forward>
      <bridge name='virbr0' stp='on' delay='0' macTableManager='libvirt'/>
      <mac address='52:54:00:5f:df:c0'/>
      <ip address='192.168.122.1' netmask='255.255.255.0'>
        <dhcp>
          <range start='192.168.122.128' end='192.168.122.254'/>
        </dhcp>
      </ip>
    </network>
2. Start a VM with an interface connected to this network:
    # ausearch -m avc
    <no matches>
    # virsh dumpxml rhel --xpath //interface
    <interface type="network">
      <mac address="52:54:00:23:f2:16"/>
      <source network="default"/>
      <model type="virtio"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>
    # virsh start rhel
    Domain 'rhel' started
3. Check the audit log:
    ----
    time->Thu Oct 31 04:25:41 2024
    type=PROCTITLE msg=audit(1730363141.187:1130): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
    type=SYSCALL msg=audit(1730363141.187:1130): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f1e78031900 a2=201 a3=0 items=0 ppid=1 pid=7000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
    type=AVC msg=audit(1730363141.187:1130): avc: denied { write } for pid=7000 comm="rpc-virtqemud" name="learning" dev="sysfs" ino=69443 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
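The audit event from step 3, run through a small triage parser that correlates the AVC record with its SYSCALL record by serial number, derives the audit2allow-style candidate rule, and reports whether the denial actually blocked anything. This is an added example for reading the report, not code from the report, from libvirt or from selinux-policy; the sample input below is the SYSCALL and AVC lines of event 1130 placed one per line, and the rule it derives is only what a local policy module would carry, not the fix the selinux-policy maintainers would ship.

```python
import re

# Constructed sample input: the SYSCALL and AVC records of audit event 1130
# from the bug report, one raw record per line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1730363141.187:1130): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f1e78031900 a2=201 a3=0 items=0 ppid=1 pid=7000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1730363141.187:1130): avc: denied { write } for pid=7000 comm="rpc-virtqemud" name="learning" dev="sysfs" ino=69443 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Every raw audit record starts with "type=<T> msg=audit(<ts>:<serial>): <body>".
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# An AVC body: "avc: denied { perm perm } for key=value ...".
AVC_RE = re.compile(
    r'^avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be quoted (comm="...") or bare (tty=(none)).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw audit lines by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        if m.group('type') == 'AVC':
            a = AVC_RE.match(body)
            if not a:
                continue
            fields = {k: v.strip('"') for k, v in KV_RE.findall(a.group('rest'))}
            fields['verdict'] = a.group('verdict')
            fields['perms'] = a.group('perms').split()
        else:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        events.setdefault(m.group('serial'), {})[m.group('type')] = fields
    return events


def se_type(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(':')[2]


def allow_rule(avc):
    """The allow rule audit2allow would derive from one AVC record."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {se_type(avc['scontext'])} {se_type(avc['tcontext'])}:{avc['tclass']} {perm_str};"


def triage(event):
    """Who did what to which object, and whether the denial was enforced.

    permissive=1 means the access was only logged; the paired SYSCALL record's
    success=yes confirms the write itself went through.
    """
    avc = event['AVC']
    syscall = event.get('SYSCALL', {})
    return {
        'comm': avc.get('comm'),
        'target': f"{avc.get('name')} on {avc.get('dev')}",
        'rule': allow_rule(avc),
        'blocked': avc.get('permissive') != '1',
        'syscall_success': syscall.get('success') == 'yes',
    }


def triage_all(text):
    """Triage every event in the text that carries an AVC record."""
    return {serial: triage(ev) for serial, ev in parse_records(text).items() if 'AVC' in ev}


if __name__ == '__main__':
    for serial, t in triage_all(SAMPLE_AUDIT).items():
        state = 'BLOCKED (enforced)' if t['blocked'] else 'logged only (permissive)'
        print(f"{serial}: {t['comm']} -> {t['target']}: {state}; "
              f"syscall success={t['syscall_success']}")
        print('  candidate rule:', t['rule'])
```

For the report's event the output is a single candidate rule, `allow virtqemud_t sysfs_t:file write;`, with the denial marked as logged only: permissive=1 on the AVC and success=yes on the SYSCALL show that virtqemud's write to the bridge port's `learning` attribute in sysfs succeeded and was merely recorded. With that domain enforced, the same write would be refused, so libvirt could not turn off learning on the port as macTableManager='libvirt' requires; that is why the proper fix belongs in selinux-policy rather than in a locally generated module.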
Expected results
There should be no AVC denial logs when starting the VM.