RHEL-69118

[rhel-10] SELinux prevents the rpc-virtqemud from starting a VM which uses nbdkit

    • rhel-sst-security-selinux
    • ssg_security
    • QE ack
    • The reproducer does not trigger SELinux denials.
    • Automated

      What were you trying to do that didn't work?

      In the https://issues.redhat.com/browse/RHEL-7384 test we need to start a guest with an https/ssh network disk by spawning an nbdkit daemon, but it gets Permission denied for nbdkit. The related blocked bug https://issues.redhat.com/browse/RHEL-5174 has created an SELinux policy for nbdkit, but that still can't resolve it. So maybe we need a permission so that libvirt can access it.

      Please provide the package NVR for which the bug is seen:

      libvirt-10.9.0-1.el10.x86_64
      nbdkit-1.40.4-2.el10.x86_64
      qemu-kvm-9.1.0-3.el10.1.x86_64
      selinux-policy-40.13.13-1.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1. Enable nbdkit to access remote disk sources.
      # vim /etc/libvirt/qemu.conf
      storage_use_nbdkit = 1
      # systemctl restart virtqemud

      2. Prepare a guest with ssh disk xml.

      # virsh dumpxml rhel --inactive --xpath //disk
      ......
      <disk type="network" device="disk">
        <driver name="qemu" type="raw"/>
        <source protocol="ssh" name="/var/lib/libvirt/images/test.img">
          <host name="10.73.210.25" port="22"/>
          <knownHosts path="/tmp/known_hosts"/>
          <identity username="root" keyfile="/tmp/id_rsa"/>
        </source>
        <target dev="vdb" bus="virtio"/>
        <address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
      </disk> 

      3. Start the guest in enforcing mode.
      # getenforce 
      Enforcing
      # virsh start rhel
      error: Failed to start domain 'rhel'
      error: operation failed: Failed to connect to nbdkit for 'ssh://10.73.210.25:22/var/lib/libvirt/images/test.img': libvirt:  error : cannot execute binary /usr/sbin/nbdkit: Permission denied

      Expected results

      The guest can start successfully.

      Actual results

      The guest fails to start.

      Additional info

      Output from ausearch -m avc -i -ts recent | audit2allow

      allow virtqemud_t nbdkit_exec_t:file { entrypoint execute execute_no_trans };
      allow virtqemud_t nbdkit_exec_t:file map;
      allow virtqemud_t self:process transition;
      allow virtqemud_t ssh_port_t:tcp_socket name_connect;
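The audit2allow output above is a list of what was denied, not a policy that should be loaded as-is. The following is an added example, not code from the bug report or from the libvirt, nbdkit or selinux-policy projects: a small shell check that screens such output before anyone packages it with `audit2allow -M`. It flags `execute_no_trans` and `entrypoint` rules and self-transitions, which would let virtqemud run nbdkit inside its own virtqemud_t domain with no separate confinement, and counts the plain access rules (`map`, `name_connect`) separately. The sample rules are the four lines from this report embedded as a constructed string; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: screen audit2allow output
# before turning it into a local policy module with "audit2allow -M".
# Function names and the sample string are this example's own.

# Constructed sample: the four rules audit2allow printed in this report.
SAMPLE_RULES='allow virtqemud_t nbdkit_exec_t:file { entrypoint execute execute_no_trans };
allow virtqemud_t nbdkit_exec_t:file map;
allow virtqemud_t self:process transition;
allow virtqemud_t ssh_port_t:tcp_socket name_connect;'

# Print rules that would run the executed binary inside the source domain
# (execute_no_trans), make the binary an entrypoint for that same domain, or
# let the domain "transition" to itself.  Loading these keeps nbdkit inside
# virtqemud_t instead of confining it in its own domain.
# Exit status: 0 when no such rule exists, 1 when at least one was printed.
risky_rules() {
    printf '%s\n' "$1" | awk '
        /^allow / && /:file/ && /execute_no_trans|entrypoint/ { print; found = 1 }
        /^allow / && /self:process/ && /transition/            { print; found = 1 }
        END { if (found) exit 1; exit 0 }'
}

# Count the rules that only grant access to a resource (mmap of a file,
# connect to a port).  These are the candidates for a temporary local module
# while the selinux-policy fix is not installed yet.
access_only_rule_count() {
    printf '%s\n' "$1" | grep -c -E '^allow [a-z_]+ [a-z_]+:(file|tcp_socket) (map|name_connect);'
}

# Stand-alone run over the constructed sample.
RISKY=$(risky_rules "$SAMPLE_RULES") || true
if [ -z "$RISKY" ]; then
    echo "no domain-confinement rules; $(access_only_rule_count "$SAMPLE_RULES") access rules could go into a local module"
else
    echo "do not load these rules as-is; they need a domain transition in the policy:"
    printf '%s\n' "$RISKY"
fi
```

On this report's output the check prints the first and third rules, so the right fix is a domain transition from virtqemud_t into nbdkit's own domain, which belongs in selinux-policy (what this bug tracks); a local module built from the remaining two access rules would be a stop-gap at most and would not make the guest start on its own.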
      

              Zdenek Pytela (rhn-support-zpytela)
              Meina Li (rhn-support-meili)
              Milos Malik
              Votes: 0
              Watchers: 4