Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.1
Affects Version/s: rhel-9.6, rhel-10.0.beta
Component/s: selinux-policy
Labels:
- virt-selinux

Regression:
No
Severity:
None

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Start a domain with numa settings. Then get AVC denials from audit

What is the impact of this issue to you?

Just AVC denials by now

Please provide the package NVR for which the bug is seen:

libvirt-10.9.0-1.el9.x86_64
qemu-kvm-9.1.0-1.el9.x86_64
selinux-policy-40.13.5-1.el9.noarch

—

qemu-kvm-9.1.0-3.el10.1.x86_64
libvirt-10.9.0-1.el10.x86_64
selinux-policy-40.13.12-2.el10.noarch

How reproducible is this bug?:

100%

Steps to reproduce

Start a domain with the XML:

<domain ...>
  <numatune>
    <memory mode='strict' placement='auto'/>
  </numatune>
  <vcpu placement='auto'>12</vcpu>
  <cpu mode='host-model' check='partial'>
    <numa>
      <cell id='0' cpus='0-11' memory='524288' unit='KiB'/>
    </numa>
  </cpu>
...
</domain>

Then check the audit log. Get these AVC msgs:

type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute } for  pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { execute_no_trans } for  pid=1041433 comm="rpc-virtqemud" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc:  denied  { map } for  pid=1041433 comm="numad" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.782:27003): avc:  denied  { create } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
type=AVC msg=audit(1730798043.782:27004): avc:  denied  { unix_read } for  pid=1041433 comm="numad" ipc_key=-559038737  scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1

Expected results

No AVC msgs

Actual results

As above

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

domain_xml.zip
3 kB
2024/11/05 9:38 AM

Assignee:: Zdenek Pytela

Reporter:: Han Han

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/11/05 9:29 AM

Updated:: 2024/11/08 9:12 AM

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Attachments

Easy Agile Planning Poker

Activity

People

Dates