RHEL-65789

SELinux denials appear when starting a VM with NUMA settings

The reproducer does not trigger SELinux denials.

      What were you trying to do that didn't work?

      Start a domain with NUMA settings. Then get AVC denials from audit.

      What is the impact of this issue to you?

      Just AVC denials for now.

      Please provide the package NVR for which the bug is seen:

      libvirt-10.9.0-1.el9.x86_64
      qemu-kvm-9.1.0-1.el9.x86_64
      selinux-policy-40.13.5-1.el9.noarch

      qemu-kvm-9.1.0-3.el10.1.x86_64
      libvirt-10.9.0-1.el10.x86_64
      selinux-policy-40.13.12-2.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      Start a domain with the XML:


      <domain ...>
        <numatune>
          <memory mode='strict' placement='auto'/>
        </numatune>
        <vcpu placement='auto'>12</vcpu>
        <cpu mode='host-model' check='partial'>
          <numa>
            <cell id='0' cpus='0-11' memory='524288' unit='KiB'/>
          </numa>
        </cpu>
      ...
      </domain>
      

      Then check the audit log. Get these AVC msgs:

      type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute } for  pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute_no_trans } for  pid=1041433 comm="rpc-virtqemud" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1730798043.779:27002): avc:  denied  { map } for  pid=1041433 comm="numad" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1730798043.782:27003): avc:  denied  { create } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
      type=AVC msg=audit(1730798043.782:27004): avc:  denied  { unix_read } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1 


      Expected results

      No AVC msgs

      Actual results

      As above
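As an added triage example (not part of the report or of libvirt/selinux-policy), the following Python parses the AVC records quoted above, groups them into audit2allow-style rules, flags that numad was run inside virtqemud_t without a domain transition (the execute_no_trans check), and reports that permissive=1 means the denials were logged rather than blocked.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in the report above.
AVC_LOG = """\
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute } for  pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute_no_trans } for  pid=1041433 comm="rpc-virtqemud" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { map } for  pid=1041433 comm="numad" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.782:27003): avc:  denied  { create } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
type=AVC msg=audit(1730798043.782:27004): avc:  denied  { unix_read } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (denied permissions, key=value fields) for one AVC record, else None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    return m.group(1).split(), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize(log):
    """Group denied perms by (source type, target type, class); also flag whether every record was permissive=1 (logged, not blocked)."""
    by_key, all_permissive = defaultdict(set), True
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        stype, ttype = (f[c].split(":")[2] for c in ("scontext", "tcontext"))
        by_key[(stype, ttype, f["tclass"])].update(perms)
        all_permissive &= f.get("permissive") == "1"
    return {k: sorted(v) for k, v in by_key.items()}, all_permissive

def allow_rules(summary):
    """Minimal rules that would silence the denials (the blunt fix; a domain transition is the more contained shape)."""
    return [f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

def runs_without_transition(summary):
    """execute_no_trans on an *_exec_t file: the helper ran in the caller's domain instead of its own."""
    return sorted((s, t) for (s, t, c), p in summary.items()
                  if c == "file" and t.endswith("_exec_t") and "execute_no_trans" in p)

if __name__ == "__main__":
    summary, permissive = summarize(AVC_LOG)
    print("\n".join(allow_rules(summary)))
    print("ran without domain transition:", runs_without_transition(summary), "| all permissive:", permissive)
```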


              rhn-support-zpytela Zdenek Pytela
              hanhansolo Han Han
              Milos Malik Milos Malik