[RHEL-68723] [RHEL-10.0] avc: denied { ioctl } for pid=13510 comm="qemu-kvm" path="/dev/sev" dev="devtmpfs" - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: selinux-policy
Labels:
- virt-selinux

Fixed in Build:
selinux-policy-40.13.21-1.el10
Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
23
Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250129: 1

Acceptance Criteria:

Hide

SELinux policy defines an allow rule which enables the access which is shown in the AVC.

Show
SELinux policy defines an allow rule which enables the access which is shown in the AVC.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/140162
Test Coverage:

Manual

Release Note Type:
Release Note Not Required

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
selinux-policy-40.13.13-1.el10.noarch

time->Fri Nov 22 02:06:14 2024
type=PROCTITLE msg=audit(1732259174.518:898): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F7661722F6C69622F6C6962766972742F71656D752F716D702D
type=SYSCALL msg=audit(1732259174.518:898): arch=c000003e syscall=16 success=no exit=-5 a0=f a1=c0105300 a2=7f717a55df30 a3=55b207dc1010 items=0 ppid=1 pid=13510 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1732259174.518:898): avc: denied { ioctl } for pid=13510 comm="qemu-kvm" path="/dev/sev" dev="devtmpfs" ino=389 ioctlcmd=0x5300 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sev_device_t:s0 tclass=chr_file permissive=1

Please provide the package NVR for which the bug is seen:

kernel-6.12.0-30.el10

selinux-policy-40.13.13-1.el10.noarch

How reproducible is this bug?:

many times

Expected results

No AVC deny

Actual results

AVC deny

Additional info:
Beaker jobs:

https://beaker.engineering.redhat.com/jobs/10238650

https://beaker-archive.prod.engineering.redhat.com/beaker-logs/2024/11/102386/10238650/17540669/187268650/873559742/avc.log

https://beaker.engineering.redhat.com/jobs/10237097

https://beaker-archive.prod.engineering.redhat.com/beaker-logs/2024/11/102370/10237097/17538631/187257474/873506362/avc.log

links to

RHBA-2024:140162 selinux-policy bug fix and enhancement update

Assignee:: Zdenek Pytela

Reporter:: Zhi Li

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/11/25 7:15 AM

Updated:: 2025/04/08 11:35 AM

Target end:: 2025/01/27

Next Planned Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates