Bug
Resolution: Unresolved
Normal
rhel-9.6, rhel-10.0.beta
sst_security_selinux
ssg_security
What were you trying to do that didn't work?
Start a domain with NUMA settings, then get AVC denials from audit.
What is the impact of this issue to you?
Just AVC denials for now
Please provide the package NVR for which the bug is seen:
libvirt-10.9.0-1.el9.x86_64
qemu-kvm-9.1.0-1.el9.x86_64
selinux-policy-40.13.5-1.el9.noarch
—
qemu-kvm-9.1.0-3.el10.1.x86_64
libvirt-10.9.0-1.el10.x86_64
selinux-policy-40.13.12-2.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
Start a domain with the XML:
<domain ...>
  <numatune>
    <memory mode='strict' placement='auto'/>
  </numatune>
  <vcpu placement='auto'>12</vcpu>
  <cpu mode='host-model' check='partial'>
    <numa>
      <cell id='0' cpus='0-11' memory='524288' unit='KiB'/>
    </numa>
  </cpu>
  ...
</domain>
Then check the audit log. Get these AVC msgs:
type=AVC msg=audit(1730798043.779:27002): avc: denied { execute } for pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc: denied { execute_no_trans } for pid=1041433 comm="rpc-virtqemud" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc: denied { map } for pid=1041433 comm="numad" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.782:27003): avc: denied { create } for pid=1041433 comm="numad" ipc_key=-559038737 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
type=AVC msg=audit(1730798043.782:27004): avc: denied { unix_read } for pid=1041433 comm="numad" ipc_key=-559038737 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
Expected results
No AVC msgs
Actual results
As above
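
For triage, the denials quoted in this report can be grouped by source type, target type and object class, which shows at a glance that virtqemud_t is missing file permissions on numad_exec_t and msgq permissions on itself. The script below is an added example, not part of the original report or of any project tooling; the function names are hypothetical, and the allow-rule output is only a summary format, not the policy change adopted for this bug.

```python
import re
from collections import defaultdict

# The five AVC records quoted in the report, one per line.
REPORT_LOG = """\
type=AVC msg=audit(1730798043.779:27002): avc: denied { execute } for pid=1041433 comm="rpc-virtqemud" name="numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc: denied { execute_no_trans } for pid=1041433 comm="rpc-virtqemud" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.779:27002): avc: denied { map } for pid=1041433 comm="numad" path="/usr/bin/numad" dev="vda4" ino=1646 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:numad_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1730798043.782:27003): avc: denied { create } for pid=1041433 comm="numad" ipc_key=-559038737 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
type=AVC msg=audit(1730798043.782:27004): avc: denied { unix_read } for pid=1041433 comm="numad" ipc_key=-559038737 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtqemud_t:s0 tclass=msgq permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the record's key=value fields plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def summarize(log):
    """Group denied permissions by (source type, target, class)."""
    rules, enforced = defaultdict(set), False
    for rec in filter(None, map(parse_avc, log.splitlines())):
        # A context is user:role:type:level; the policy rule is written on types.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        rules[key].update(rec["perms"])
        # permissive=0 means the access was really blocked, not only logged.
        enforced = enforced or rec.get("permissive") == "0"
    return dict(rules), enforced

def render(rules):
    """Format the groups in the allow-rule shape audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, enforced = summarize(REPORT_LOG)
    print("\n".join(render(rules)))
    print("any denial enforced:", enforced)
```

Every record in the report carries permissive=1, so the accesses were logged but not blocked, which matches the reporter's statement that the impact is limited to AVC denials.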