RHEL-70839

SELinux prevents access to /sys for other devices when virt_use_usb is off

    • selinux-policy-38.1.51-1.el9
      What were you trying to do that didn't work?

      As subject. See also: https://bugzilla.redhat.com/show_bug.cgi?id=2330756#c3

      What is the impact of this issue to you?

      AVC denial msgs

      Please provide the package NVR for which the bug is seen:

      For RHEL9:

      selinux-policy-38.1.49-1.el9.noarch
      libvirt-10.10.0-1.el9.x86_64
      qemu-kvm-9.1.0-6.el9.x86_64

      For RHEL 10:

      selinux-policy-40.13.13-1.el10.noarch
      libvirt-10.10.0-1.el10.x86_64
      qemu-kvm-9.1.0-7.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1.  First set virt_use_usb off: setsebool virt_use_usb 1
      2.  Start a domain without usb hostdev. (Deploy the avc_detector (https://gist.github.com/qiankehan/a8b43e02aa7aaad7c02862cc5564b811) first to get the AVC report immediately).
        Domain XML: win11.xml

      (avc_detector)> virsh start win11
      Domain 'win11' started
      Result: 0 known AVCs and 1 new AVCs got.
      ============================================================
      See the logs at /tmp/tmp.bZa3deEI32
      (avc_detector)> cat /tmp/tmp.bZa3deEI32
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  getattr  comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:object_r:sysfs_t:s0  tclass=file
      Details: type=AVC msg=audit(1733887583.993:11901): avc:  denied  { getattr } for  pid=562338 comm="qemu-kvm" path="/sys/devices/platform/e820_pmem/ndbus0/region0/uevent" dev="sysfs" ino=48165 scontext=system_u:system_r:svirt_t:s0:c508,c727 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
      Result: 0 known AVCs and 1 new AVCs got.
      ============================================================
      

      The RHEL10 example: gls.xml

      (.libvirt-ci-venv-ci-runtest-IFOo0G) (avc_detector)> cat /tmp/tmp.KfIlhr2knP
      -------------------- Get a Known AVC --------------------
      Search string:  relabelfrom  comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0  tclass=file
      Details: type=AVC msg=audit(1733887676.540:19297): avc:  denied  { relabelfrom } for  pid=299843 comm="rpc-virtqemud" name="gl.qcow2" dev="dm-0" ino=202283292 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
      Known Jira issues:
      TYPE    KEY             SUMMARY                                                                                                 STATUS
      Bug     RHEL-56725      The error message is misleading when swtpm can't open log file                                          Planning
      Bug     RHEL-54064      Failed to start a vm with tpm and none type seclabel                                                    Planning
      Bug     RHEL-53967      VM can not start with fresh image with selinux enabled                                                  Release Pending
      Bug     RHEL-49763      SELinux denials appear during libguestfs-test-tool run                                                  Release Pending
      Bug     RHEL-48236      fail to start vm with encrypted tpm-emulator in rhel10                                                  Planning
      Bug     RHEL-46893      selinux-policy-40.13.4-1.el10.noarch breaks libvirt-dbus and libvirt                                    Release Pending
      Bug     RHEL-44639      AVC denied when hotplugging scsi lun to vm                                                              Planning
      Bug     RHEL-44312      ⦗rhel10⦘Guest crashed with the interface which having multiqueues setting  sinic avc denied error       Release Pending
      Bug     RHEL-40350      fail to start vm with encrypted tpm-emulator in rhel10                                                  Release Pending
      Bug     RHEL-40090      qemu-kvm crashed when starting guest with vhost interface and queues setting                            Release Pending
      Bug     RHEL-39669      avc denied error when start vm with image located under /var/lib/avocado/                               Planning
      Bug     RHEL-39668      ⦗rhel-10⦘ There are avc denied errors in audit log about tpm device                                     Planning
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  read  comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:object_r:sysfs_t:s0  tclass=file
      Details: type=AVC msg=audit(1733887676.552:19298): avc:  denied  { read } for  pid=299830 comm="qemu-kvm" name="possible" dev="sysfs" ino=1281 scontext=system_u:system_r:svirt_t:s0:c660,c793 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
      !!!!!!!!!!!!!!!!!!!! Get a NEW AVC !!!!!!!!!!!!!!!!!!!!
      Search string:  read  comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0 tcontext=system_u:object_r:sysfs_t:s0  tclass=file
      Details: type=AVC msg=audit(1733887676.567:19299): avc:  denied  { read } for  pid=299830 comm="qemu-kvm" name="max_mem_regions" dev="sysfs" ino=62965 scontext=system_u:system_r:svirt_t:s0:c660,c793 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
      Result: 1 known AVCs and 2 new AVCs got.
      ============================================================

      Find files of AVC denials:

      (.libvirt-ci-venv-ci-runtest-IFOo0G) (avc_detector)> find /sys/ -inum 1281
      /sys/devices/system/cpu/possible
      (.libvirt-ci-venv-ci-runtest-IFOo0G) (avc_detector)> find /sys/ -inum 62965
      /sys/module/vhost/parameters/max_mem_regions

      Expected results

      No AVC denial for the domain without a USB hostdev, because the explanation for virt_use_usb is "Allow virt to use usb". In other words, SELinux is expected to only prevent access to USB devices in sysfs.

      Actual results

      As above
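The AVC records quoted above all share one shape, and the avc_detector report keys them by permission, comm, source and target type and class, with the per-guest MCS categories dropped, to decide whether a denial is known or new. The following Python is an added example, not the avc_detector gist and not part of this report: it parses such audit lines and sorts them into known and new denials the same way, using the denials quoted above plus one constructed non-AVC SYSCALL line as sample input.

```python
import re
# The '{ perms }' part of an AVC record, and the key=value fields that follow it.
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'type=AVC' audit line into a dict; return None for anything else."""
    m = PERM_RE.search(line)
    if "type=AVC" not in line or m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in FIELD_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec

def strip_mcs(ctx):
    """Drop the per-guest MCS pair (...:svirt_t:s0:c508,c727 -> ...:svirt_t:s0)."""
    return ":".join(ctx.split(":")[:4])

def search_key(rec):
    """Dedup key in the shape of the 'Search string' lines of the report above."""
    return " ".join([" ".join(rec["perms"]), 'comm="%s"' % rec["comm"],
                     "scontext=" + strip_mcs(rec["scontext"]),
                     "tcontext=" + strip_mcs(rec["tcontext"]),
                     "tclass=" + rec["tclass"]])

def classify(lines, known_keys):
    """Split the AVC records in 'lines' into (known, new) lists of (key, record)."""
    known, new = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = search_key(rec)
            (known if key in known_keys else new).append((key, rec))
    return known, new

def report(lines, known_keys):
    """Summary line in the format of the avc_detector output quoted above."""
    known, new = classify(lines, known_keys)
    return "Result: %d known AVCs and %d new AVCs got." % (len(known), len(new))

# Sample input: the denials quoted in this report plus one constructed non-AVC record.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1733887583.993:11901): arch=c000003e syscall=262 success=no exit=-13',
    'type=AVC msg=audit(1733887676.540:19297): avc:  denied  { relabelfrom } for  pid=299843 comm="rpc-virtqemud" name="gl.qcow2" dev="dm-0" ino=202283292 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1733887583.993:11901): avc:  denied  { getattr } for  pid=562338 comm="qemu-kvm" path="/sys/devices/platform/e820_pmem/ndbus0/region0/uevent" dev="sysfs" ino=48165 scontext=system_u:system_r:svirt_t:s0:c508,c727 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1733887676.552:19298): avc:  denied  { read } for  pid=299830 comm="qemu-kvm" name="possible" dev="sysfs" ino=1281 scontext=system_u:system_r:svirt_t:s0:c660,c793 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0',
]
# A denial that is already tracked (here the relabelfrom one), so it must not be reported as new.
KNOWN_KEYS = {'relabelfrom comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'}
```

The `ino` field each record keeps is what `find /sys/ -inum` above resolves to a path, and `permissive=0` marks the denials that actually blocked the access rather than only logging it.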

        1. gls.xml (3 kB)
        2. win11.xml (7 kB)

              rhn-support-zpytela Zdenek Pytela
              rhn-support-hhan Han Han
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik