RHEL-75510

AVC denied error when starting a VM with a pstore device


    • rhel-security-selinux
    • ssg_security
    • The reproducer does not trigger SELinux denials.
    • Release Note Not Required

      What were you trying to do that didn't work?

      AVC denied when starting a VM with a pstore device

      What is the impact of this issue to you?

      There is an AVC denied error, but the function works well

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.22-1.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. On the host, prepare a VM with a pstore device as below:

       # virsh dumpxml vm1 --xpath //pstore 
      <pstore backend="acpi-erst">
        <path>/tmp/guest_acpi_esrt</path>
        <size unit="KiB">64</size>
        <address type="pci" domain="0x0000" bus="0x11" slot="0x01" function="0x0"/>
      </pstore>

      2. Start the VM and check the audit logs:

       # ausearch -m avc
      ----
      time->Tue Jan 21 01:08:16 2025
      type=PROCTITLE msg=audit(1737439696.365:7251): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1737439696.365:7251): arch=c000003e syscall=188 success=yes exit=0 a0=7f2380044060 a1=7f2395f111ac a2=7f2380038d80 a3=2d items=0 ppid=80442 pid=80497 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1737439696.365:7251): avc:  denied  { relabelfrom } for  pid=80497 comm="rpc-virtqemud" name="guest_acpi_esrt" dev="dm-0" ino=134460730 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virtqemud_tmp_t:s0 tclass=file permissive=1
      

      3. Destroy the VM; it triggers another AVC denied error:

      ----
      time->Tue Jan 21 01:10:21 2025
      type=PROCTITLE msg=audit(1737439821.461:7312): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1737439821.461:7312): arch=c000003e syscall=188 success=yes exit=0 a0=564cb99d2ca0 a1=7f2395f111ac a2=7f2344003920 a3=25 items=0 ppid=80442 pid=80759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="prio-rpc-virtqe" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1737439821.461:7312): avc:  denied  { relabelto } for  pid=80759 comm="prio-rpc-virtqe" name="guest_acpi_esrt" dev="dm-0" ino=134460730 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virtqemud_tmp_t:s0 tclass=file permissive=1
      

      Expected results

      There should not be an AVC denied error

      Actual results

      There are AVC denied errors when starting or destroying a VM with a pstore device

              rhn-support-zpytela Zdenek Pytela
              yalzhang@redhat.com Yalan Zhang
              Zdenek Pytela
              SSG Security QE
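A triage helper for the audit records quoted in this report, added here as an example and not part of the original issue or of any Red Hat tooling: it joins each AVC record to its PROCTITLE by event id, decodes the hex-encoded command line, and surfaces the `permissive` flag, which is 1 in both records (the denial was logged but the access was not blocked). The function and field names are assumptions of this example; the sample lines are copied from the report with the SYSCALL records left out.

```python
import re

# Records copied from the ausearch output in this report (SYSCALL lines left out).
SAMPLE = """\
type=PROCTITLE msg=audit(1737439696.365:7251): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1737439696.365:7251): avc:  denied  { relabelfrom } for  pid=80497 comm="rpc-virtqemud" name="guest_acpi_esrt" dev="dm-0" ino=134460730 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virtqemud_tmp_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1737439821.461:7312): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=AVC msg=audit(1737439821.461:7312): avc:  denied  { relabelto } for  pid=80759 comm="prio-rpc-virtqe" name="guest_acpi_esrt" dev="dm-0" ino=134460730 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virtqemud_tmp_t:s0 tclass=file permissive=1
"""

RECORD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+)\} for\s+(.*)")

def decode_proctitle(value):
    """Unquoted proctitle values are hex; argv entries are NUL-separated."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    return value.strip('"')

def parse_denials(log_text):
    """Return one dict per AVC denial, joined to its PROCTITLE by event id."""
    titles, denials = {}, []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "PROCTITLE":
            titles[event_id] = decode_proctitle(body.partition("proctitle=")[2])
        elif rtype == "AVC" and (a := AVC.match(body)):
            f = {k: v.strip('"') for k, v in
                 (kv.split("=", 1) for kv in a.group(2).split() if "=" in kv)}
            denials.append({
                "event": event_id,
                "perms": a.group(1).split(),
                "source_type": f["scontext"].split(":")[2],
                "target_type": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                "name": f.get("name"),
                # permissive=1: the denial was logged but the access was allowed
                "permissive": f.get("permissive") == "1",
            })
    for d in denials:
        d["command"] = titles.get(d["event"])
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        state = "logged only (permissive)" if d["permissive"] else "blocked"
        print(f'{d["command"]!r}: {d["source_type"]} -> {d["target_type"]}:'
              f'{d["tclass"]} {d["perms"]} on {d["name"]} [{state}]')
```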