• rhel-sst-security-selinux
    • ssg_security
    • 2
    • QE ack
    • False
    • None
    • None
    • None
    • The reproducer does not trigger SELinux denials.
    • None
    • Automated
    • None

      What were you trying to do that didn't work?

      As subject

      What is the impact of this issue to you?

      AVC denial

      Please provide the package NVR for which the bug is seen:

      kernel-6.12.0-31.el10.x86_64

      libvirt-10.10.0-1.el10.x86_64
      qemu-kvm-9.1.0-7.el10.x86_64
      selinux-policy-40.13.16-1.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1.  Start a domain
      2.  Run `virsh vcpuinfo` for the running domain

       

      (avc_detector)> virsh vcpuinfo rhel-ovmf 
      VCPU:           0
      CPU:            20
      State:          running
      CPU time:       17.6s
      CPU Affinity:   yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
      Result: 0 known AVCs and 1 new AVCs got.
      

       

      3.  The AVC denial from the last command:
      type=AVC msg=audit(1733295215.099:25852): avc:  denied  { getsched } for  pid=761726 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c771,c817 tclass=process permissive=1

      It is not reproduced on RHEL9.6 (selinux-policy-38.1.48-1.el9.noarch).

      Expected results

      No AVC

      Actual results

      As above

       

              rhn-support-zpytela Zdenek Pytela
              rhn-support-hhan Han Han
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
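
An added example, not part of the original report or of the selinux-policy project: a Python parser for the AVC record quoted in the report that separates the source and target contexts (including the MCS categories in the level) and renders the type-enforcement rule the denial corresponds to, in the style of audit2allow output. The function names are chosen here, and the rendered rule only restates the denial; it is not taken from any policy change.

```python
import re

# The AVC record quoted in this report, copied verbatim.
SAMPLE = ('type=AVC msg=audit(1733295215.099:25852): avc:  denied  { getsched } for  '
          'pid=761726 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 '
          'tcontext=system_u:system_r:svirt_t:s0:c771,c817 tclass=process permissive=1')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')

def parse_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':' (s0:c771,c817)."""
    user, role, setype, level = (ctx.split(':', 3) + [''])[:4]
    return {'user': user, 'role': role, 'type': setype, 'level': level}

def parse_avc(line):
    """Return the fields of one AVC audit record as a dict (hypothetical helper)."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m['fields']))
    return {
        'serial': int(m['serial']),
        'result': m['result'],
        'perms': m['perms'].split(),
        'comm': kv.get('comm', '').strip('"'),
        'source': parse_context(kv['scontext']),
        'target': parse_context(kv['tcontext']),
        'tclass': kv['tclass'],
        # permissive=1: the access was logged but not blocked.
        'enforced': kv.get('permissive') == '0',
    }

def candidate_rule(avc):
    """Type-enforcement rule covering the denial, in audit2allow's output style."""
    perms = avc['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        avc['source']['type'], avc['target']['type'], avc['tclass'], perm_txt)

if __name__ == '__main__':
    avc = parse_avc(SAMPLE)
    print(avc['comm'], avc['target']['level'],
          'enforced' if avc['enforced'] else 'permissive')
    print(candidate_rule(avc))
```

The `permissive=1` field in the record means the access was logged rather than blocked, which is consistent with `virsh vcpuinfo` still returning its output in the reproducer.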