Issue fields: Bug; Resolution: Unresolved; Normal; rhel-10.0; No; rhel-sst-security-selinux; ssg_security; 1; QE ack; False; Automated
What were you trying to do that didn't work?
In the https://issues.redhat.com/browse/RHEL-7384 test we need to start a guest with an https/ssh network disk by spawning an nbdkit daemon, but nbdkit gets Permission denied. The related blocked bug https://issues.redhat.com/browse/RHEL-5174 created an SELinux policy for nbdkit but still can't resolve it. So maybe we need to add a permission so that libvirt can access it.
Please provide the package NVR for which the bug is seen:
libvirt-10.9.0-1.el10.x86_64
nbdkit-1.40.4-2.el10.x86_64
qemu-kvm-9.1.0-3.el10.1.x86_64
selinux-policy-40.13.13-1.el10.noarch
How reproducible:
100%
Steps to reproduce
1. Enable nbdkit to access remote disk source.
# vim /etc/libvirt/qemu.conf
storage_use_nbdkit = 1
# systemctl restart virtqemud
2. Prepare a guest with ssh disk xml.
# virsh dumpxml rhel --inactive --xpath //disk
......
<disk type="network" device="disk">
  <driver name="qemu" type="raw"/>
  <source protocol="ssh" name="/var/lib/libvirt/images/test.img">
    <host name="10.73.210.25" port="22"/>
    <knownHosts path="/tmp/known_hosts"/>
    <identity username="root" keyfile="/tmp/id_rsa"/>
  </source>
  <target dev="vdb" bus="virtio"/>
  <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</disk>
3. Start the guest in enforcing mode.
# getenforce
Enforcing
# virsh start rhel
error: Failed to start domain 'rhel'
error: operation failed: Failed to connect to nbdkit for 'ssh://10.73.210.25:22/var/lib/libvirt/images/test.img': libvirt: error : cannot execute binary /usr/sbin/nbdkit: Permission denied
Expected results
The guest can start successfully.
Actual results
The guest fails to start.
Additional info
Output from: # ausearch -m avc -i -ts recent | audit2allow
allow virtqemud_t nbdkit_exec_t:file { entrypoint execute execute_no_trans };
allow virtqemud_t nbdkit_exec_t:file map;
allow virtqemud_t self:process transition;
allow virtqemud_t ssh_port_t:tcp_socket name_connect;
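The audit2allow output above is a list of denials turned into allow statements, not a policy fix: the combination of execute_no_trans on nbdkit_exec_t and self:process transition is the signature of a caller being asked to run the binary inside its own domain because no domain transition into the nbdkit domain is defined. The following Python script is an added example (not code from this report, from libvirt or from selinux-policy) that parses audit2allow-style allow statements and labels each one with a review verdict; the verdict names and the heuristic behind them are this example's own convention, and the input is the four statements from the report, embedded as a constructed string.

```python
import re
from dataclasses import dataclass

# Constructed input: the four statements audit2allow printed in the report,
# one per line as the tool emits them.
AUDIT2ALLOW_OUTPUT = """\
allow virtqemud_t nbdkit_exec_t:file { entrypoint execute execute_no_trans };
allow virtqemud_t nbdkit_exec_t:file map;
allow virtqemud_t self:process transition;
allow virtqemud_t ssh_port_t:tcp_socket name_connect;
"""

# Matches: allow <source> <target>:<class> <perm>;
#      or: allow <source> <target>:<class> { perm perm ... };
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;{}]+))\s*;\s*$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(text):
    """Parse audit2allow-style allow statements into AllowRule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised statement: {line}")
        if m.group("perms") is not None:
            perms = frozenset(m.group("perms").split())
        else:
            perms = frozenset([m.group("perm")])
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def review_rules(rules):
    """Return (rule, verdict) pairs.

    Heuristic (this example's own): execute_no_trans on a file type together
    with self:process transition from the same source domain means the policy
    lacks a domain transition for that binary; the fix is to add the
    transition, not to grant these rules verbatim.
    """
    sources_wanting_transition = {
        r.source for r in rules
        if r.target == "self" and r.tclass == "process" and "transition" in r.perms
    }
    verdicts = []
    for r in rules:
        if r.tclass == "file" and "execute_no_trans" in r.perms:
            if r.source in sources_wanting_transition:
                verdict = "missing-domain-transition"
            else:
                verdict = "review-exec-in-caller-domain"
        elif r.target == "self" and r.tclass == "process" and "transition" in r.perms:
            verdict = "symptom-of-missing-transition"
        elif r.tclass in ("tcp_socket", "udp_socket") and "name_connect" in r.perms:
            # Port access: decide whether the caller or the transitioned-to
            # domain should hold it once the transition exists.
            verdict = "network-access-review"
        else:
            verdict = "review"
        verdicts.append((r, verdict))
    return verdicts


def summarize(text):
    """Map each verdict to the number of rules that received it."""
    counts = {}
    for _, verdict in review_rules(parse_allow_rules(text)):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, verdict in review_rules(parse_allow_rules(AUDIT2ALLOW_OUTPUT)):
        print(f"{verdict:30} {rule.source} {rule.target}:{rule.tclass} {sorted(rule.perms)}")
```

Run against the report's output, the first statement is flagged as a missing domain transition, the self:process transition rule as its symptom, and the ssh_port_t name_connect rule as network access to be reviewed; only the file map rule is left as a plain review item. That is the reading a policy maintainer would want before deciding whether the fix belongs in libvirt's policy or in the nbdkit policy created for RHEL-5174.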
Clones: RHEL-56029 [rhel-9] SELinux prevents the rpc-virtqemud from starting a VM which uses nbdkit