- Bug
- Resolution: Unresolved
- Major
- rhel-10.0
- selinux-policy-40.13.25-1.el10
- No
- Moderate
- 2
- rhel-sst-security-selinux
- ssg_security
- 26
- 2
- QE ack
- False
- No
- SELINUX 250129: 1, SELINUX 250219: 2
- Release Note Not Required
- None
What were you trying to do that didn't work?
AVC denied errors when starting a VM with an nvdimm memory device.
Please provide the package NVR for which the bug is seen:
# rpm -q selinux-policy libvirt
selinux-policy-40.13.18-1.el10.noarch
libvirt-10.10.0-2.el10.x86_64
How reproducible:
100%
Steps to reproduce
1. Prepare the nvdimm device by host emulation
# grubby --update-kernel=ALL --args="memmap=4G!20G"
Reboot the machine and check that the emulated device is present, as below:
# ll /dev/pmem0
brw-rw----. 1 root root 259, 0 Dec 17 02:14 /dev/pmem0
2. Start the VM with an nvdimm device configured as below:
# virsh dumpxml rhel --xpath //memory
...
<memory model="nvdimm" access="shared">
  <source>
    <path>/dev/pmem0</path>
  </source>
  <target>
    <size unit="KiB">524288</size>
    <node>1</node>
    <label>
      <size unit="KiB">256</size>
    </label>
  </target>
  <address type="dimm" slot="1"/>
</memory>
3. Check the audit log:
# ausearch -m avc
----
time->Wed Dec 18 02:28:29 2024
type=PROCTITLE msg=audit(1734506909.670:1810): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=PATH msg=audit(1734506909.670:1810): item=1 name=(null) inode=6 dev=00:30 mode=060640 ouid=0 ogid=0 rdev=103:00 obj=system_u:object_r:tmpfs_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1734506909.670:1810): item=0 name=(null) inode=1 dev=00:30 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1734506909.670:1810): cwd="/"
type=SYSCALL msg=audit(1734506909.670:1810): arch=c000003e syscall=259 success=yes exit=0 a0=ffffff9c a1=7f85c4054ba0 a2=61b0 a3=10300 items=2 ppid=18660 pid=19061 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734506909.670:1810): avc: denied { create } for pid=19061 comm="rpc-virtqemud" name="pmem0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
----
time->Wed Dec 18 02:28:29 2024
type=PROCTITLE msg=audit(1734506909.670:1811): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1734506909.670:1811): arch=c000003e syscall=94 success=yes exit=0 a0=7f85c4054ba0 a1=0 a2=0 a3=10300 items=0 ppid=18660 pid=19061 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734506909.670:1811): avc: denied { setattr } for pid=19061 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
----
time->Wed Dec 18 02:28:29 2024
type=PROCTITLE msg=audit(1734506909.733:1825): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1734506909.733:1825): arch=c000003e syscall=72 success=yes exit=0 a0=19 a1=6 a2=7f85d57fd130 a3=7f85c40008e0 items=0 ppid=18660 pid=19072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734506909.733:1825): avc: denied { lock } for pid=19072 comm="rpc-virtqemud" path="/dev/pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
----
time->Wed Dec 18 02:28:29 2024
type=PROCTITLE msg=audit(1734506909.736:1826): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1734506909.736:1826): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f85c406e5f0 a2=2 a3=0 items=0 ppid=18660 pid=19073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734506909.736:1826): avc: denied { open } for pid=19073 comm="rpc-virtqemud" path="/dev/pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.736:1826): avc: denied { read write } for pid=19073 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
----
time->Wed Dec 18 02:28:29 2024
type=PROCTITLE msg=audit(1734506909.736:1827): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1734506909.736:1827): arch=c000003e syscall=188 success=yes exit=0 a0=7f85c406e5f0 a1=7f85c404f730 a2=7f85c404dd40 a3=5 items=0 ppid=18660 pid=19073 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734506909.736:1827): avc: denied { setattr } for pid=19073 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
Expected results
There should be no AVC denials like those above.
Actual results
AVC denials occur when starting a VM with an nvdimm device.
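Added triage helper (not part of this report or of selinux-policy): it parses the AVC records from the ausearch output above into audit2allow-style allow rules, grouped by source type, target type and object class, so the policy gap (virtqemud_t acting on blk_file nodes labelled tmpfs_t and svirt_image_t) is visible at a glance. The sample records are constructed by copying the six type=AVC lines from this report; note that permissive=1 on every record means the denials were logged but not enforced.

```python
import re
from collections import defaultdict

# Constructed sample: the six type=AVC records from this report's ausearch output, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1734506909.670:1810): avc: denied { create } for pid=19061 comm="rpc-virtqemud" name="pmem0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.670:1811): avc: denied { setattr } for pid=19061 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.733:1825): avc: denied { lock } for pid=19072 comm="rpc-virtqemud" path="/dev/pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.736:1826): avc: denied { open } for pid=19073 comm="rpc-virtqemud" path="/dev/pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.736:1826): avc: denied { read write } for pid=19073 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
type=AVC msg=audit(1734506909.736:1827): avc: denied { setattr } for pid=19073 comm="rpc-virtqemud" name="pmem0" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c6,c473 tclass=blk_file permissive=1
"""

# Matches the permission set, both security contexts, the object class and the permissive flag.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:mls] context string (MLS suffix is dropped)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms, permissive) for each AVC record in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH/PROCTITLE lines carry no denial; skip them
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], tuple(m["perms"].split()), m["permissive"] == "1")

def summarize(text):
    """Collapse denials into {(stype, ttype, tclass): set(perms)}, the way audit2allow groups them."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc(text):
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)

def te_rules(text):
    """Render the summary as Type Enforcement allow rules for a policy maintainer to review."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(summarize(text).items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines
```

The emitted rules are a starting point for review against the real policy (for example with sesearch), not something to load blindly: the tmpfs_t denials come from libvirt creating the device node in the guest's private /dev before it is relabelled to svirt_image_t, so the maintainer may prefer a transition rule over a blanket allow.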
Links to: RHBA-2024:140162 selinux-policy bug fix and enhancement update