Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-65761

AVC denials when try to attach/detach a disk from the fs of loop device

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.6, rhel-10.0.beta
    • selinux-policy
    • None
    • No
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • noarch
    • None

      What were you trying to do that didn't work?

      As subject

      What is the impact of this issue to you?

      No but AVC denials in audit log

      Please provide the package NVR for which the bug is seen:

      libvirt-10.9.0-1.el10.x86_64
      selinux-policy-40.13.12-2.el10.noarch
      qemu-kvm-9.1.0-3.el10.1.x86_64

      libvirt-10.9.0-1.el9.x86_64
      qemu-kvm-9.1.0-1.el9.x86_64
      selinux-policy-40.13.5-1.el9.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      Prepare a loop device and mount it# qemu-img create -o preallocation=falloc /var/tmp/disk 20G

      1. mkfs.ext4 /var/tmp/disk
      2. mount /var/tmp/disk /mnt/
      3. qemu-img create /mnt/raw 100M
        Prepare a running domain:# virsh list
         Id   Name   State
        ----------------------
         2    rhel   running
        Attach the file on loop device:# virsh attach-disk rhel /mnt/raw vdb
        Disk attached successfully
        Check the AVC denials:type=AVC msg=audit(1730777772.887:26944): avc:  denied  { write } for  pid=1040148 comm="rpc-virtqemud" name="raw" dev="loop0" ino=12 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1730777772.887:26945): avc:  denied  { setattr } for  pid=1040148 comm="rpc-virtqemud" name="raw" dev="loop0" ino=12 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
        type=AVC msg=audit(1730777772.887:26946): avc:  denied  { relabelfrom } for  pid=1040148 comm="rpc-virtqemud" name="raw" dev="loop0" ino=12 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1
        Detach the disk:
      4. virsh detach-disk rhel vdb
        Disk detached successfully
        Check audit log:type=AVC msg=audit(1730777804.049:26954): avc:  denied  { relabelto } for  pid=1040163 comm="rpc-virtqemud" name="raw" dev="loop0" ino=12 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=1

        Expected results

      No AVC denials

      Actual results

      As above

              rhn-support-zpytela Zdenek Pytela
              hanhansolo Han Han
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: