[RHEL-69433] AVC denials happen when revert a snapshot with virtlockd running - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.6
Component/s: selinux-policy
Labels:
- virt-selinux

Fixed in Build:
selinux-policy-38.1.49-1.el9
Regression:
No
Severity:
Critical
Epic Link:
SELINUX-3594
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
17
Story Points:
2
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 241127 - 241218

Acceptance Criteria:

Hide

The reproducer does not trigger SELinux denials.

Show
The reproducer does not trigger SELinux denials.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139849
Test Coverage:

Automated

Release Note Type:
Release Note Not Required

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

As subject

What is the impact of this issue to you?

AVC denial msgs

Please provide the package NVR for which the bug is seen:

selinux-policy-38.1.48-1.el9.noarch

libvirt-10.9.0-1.el9.x86_64

qemu-kvm-9.1.0-5.el9.x86_64

How reproducible is this bug?:

100%

Steps to reproduce

Prepare virtlockd
For /etc/libvirt/qemu.conf, set it as

lock_manager = "lockd"

For /etc/libvirt/qemu-lockd.conf, set it as

auto_disk_leases = 1
require_lease_for_disks = 1
file_lockspace_dir = "/var/lib/libvirt/lockd/files"

Then restart virtqemud and virtlockd

Start a domain
Create the snapshot and revert the snapshot

> virsh snapshot-create-as RHEL s1 --memspec /var/lib/libvirt/images/RHEL_mem.s1
        Domain snapshot s1 created
> virsh snapshot-revert RHEL s1                                                 
Domain snapshot s1 reverted

One AVC denial happens when reverting the snapshot:

type=AVC msg=audit(1732785595.568:8090): avc:  denied  { kill } for  pid=323799 comm="virtlockd" capability=5  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Set SELinux to permissive then revert the snapshot. Get 2 AVC denials

type=AVC msg=audit(1732785728.355:8124): avc:  denied  { signal } for  pid=323799 comm="virtlockd" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:svirt_t:s0:c698,c836 tclass=process permissive=1
type=AVC msg=audit(1732785728.355:8124): avc:  denied  { kill } for  pid=323799 comm="virtlockd" capability=5  scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=1

Expected results

No AVC denials

Actual results

links to

github pr

RHBA-2024:139849 selinux-policy bug fix and enhancement update

TCMS Test Case 202176

Assignee:: Zdenek Pytela

Reporter:: Han Han

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/11/28 9:22 AM

Updated:: 2025/04/02 6:03 AM

Target end:: 2024/12/16

Next Planned Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide