Bug
Resolution: Unresolved
Normal
rhel-10.0
selinux-policy-42.1.3-1.el10
Low
rhel-security-selinux
ssg_security
QE ack
SELINUX 250806: 10
Pass
Automated
Release Note Not Required
What were you trying to do that didn't work?
As subject
What is the impact of this issue to you?
Seems to be only AVC denial messages.
Please provide the package NVR for which the bug is seen:
libvirt-10.10.0-4.el10.x86_64
qemu-kvm-9.1.0-11.el10.x86_64
selinux-policy-40.13.22-1.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
- Prepare a host with a cd/dvd:
➜ ~ lsscsi|grep cd
[14:0:0:0] cd/dvd HL-DT-ST DVD+-RW GU90N A3C3 /dev/sr0
- Start a domain with a scsi hostdev for the cd/dvd, with <readonly/>.
Domain XML:
...
<hostdev mode='subsystem' type='scsi' managed='no'>
  <source>
    <adapter name='scsi_host14'/>
    <address bus='0' target='0' unit='0'/>
  </source>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  <readonly/>
</hostdev>
...
Create the domain:
> virsh create ./test.xml
Domain 'test' created from ./test.xml
Check the AVC denials:
type=AVC msg=audit(1737691046.006:8997): avc: denied { read write } for pid=338049 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8997): avc: denied { open } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8998): avc: denied { lock } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8999): avc: denied { setattr } for pid=338049 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:9000): avc: denied { lock } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.008:9001): avc: denied { read write } for pid=338050 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.008:9001): avc: denied { open } for pid=338050 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.008:9002): avc: denied { setattr } for pid=338050 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
Destroy the domain:
> virsh destroy test
Domain 'test' destroyed
AVC denials:
type=AVC msg=audit(1737691125.787:9014): avc: denied { read write } for pid=338286 comm="prio-rpc-virtqe" name="sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691125.787:9014): avc: denied { open } for pid=338286 comm="prio-rpc-virtqe" path="/dev/sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691125.788:9015): avc: denied { lock } for pid=338286 comm="prio-rpc-virtqe" path="/dev/sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
- Redo these steps without <readonly/> in the XML:
Denials for start:
type=AVC msg=audit(1737691226.029:9048): avc: denied { read write } for pid=338481 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691226.029:9048): avc: denied { open } for pid=338481 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691226.029:9049): avc: denied { lock } for pid=338481 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691226.029:9050): avc: denied { setattr } for pid=338481 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
Denials for destroy:
type=AVC msg=audit(1737691273.766:9064): avc: denied { read write } for pid=338670 comm="prio-rpc-virtqe" name="sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691273.766:9064): avc: denied { open } for pid=338670 comm="prio-rpc-virtqe" path="/dev/sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691273.766:9065): avc: denied { lock } for pid=338670 comm="prio-rpc-virtqe" path="/dev/sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
Expected results
No denials.
Actual results
As above.
XML and logs: log-denials.tar.gz
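As an added illustration (not code from the reporter, libvirt or selinux-policy), the following Python groups AVC records like the ones above into the candidate allow rules they imply, the way audit2allow does from /var/log/audit/audit.log, while keeping the two target labels seen on /dev/sg1 (scsi_generic_device_t and virt_content_t) apart and counting permissive-mode and enforcing-mode hits separately. The sample audit text is constructed from the report's own lines; the last line, with permissive=0, is added by hand to show the enforcing-mode count.

```python
"""Triage SELinux AVC denials into the allow rules they imply.

Added example for this report; not part of libvirt, selinux-policy or the
reporter's attachment. It does by hand what `audit2allow` does, so the
grouping is visible.
"""
import re
from collections import defaultdict

# Constructed sample: records copied from the report above (virtqemud_t
# opening /dev/sg1), plus one hand-made permissive=0 line at the end.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1737691046.006:8997): avc: denied { read write } for pid=338049 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8997): avc: denied { open } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8998): avc: denied { lock } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:8999): avc: denied { setattr } for pid=338049 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.006:9000): avc: denied { lock } for pid=338049 comm="rpc-virtqemud" path="/dev/sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691046.008:9001): avc: denied { read write } for pid=338050 comm="rpc-virtqemud" name="sg1" dev="tmpfs" ino=6 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_content_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1737691125.787:9014): avc: denied { read write } for pid=338286 comm="prio-rpc-virtqe" name="sg1" dev="devtmpfs" ino=679 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are either "quoted" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "result")}
    rec["perms"] = sorted(m.group("perms").split())
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted != "" else bare
    # The SELinux type is the third field of user:role:type:level.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(audit_text):
    """Group denials by (source type, target type, class); merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(),
                                  "permissive": 0, "enforcing": 0})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["paths"].add(rec.get("path") or rec.get("name", "?"))
        # permissive=1 means the access was logged but not blocked.
        if rec.get("permissive") == "1":
            g["permissive"] += 1
        else:
            g["enforcing"] += 1
    return dict(groups)


def allow_rules(groups):
    """Render each group as the policy rule that would silence it."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


def report(audit_text):
    """Human-readable triage: one summary line per group, then the rules."""
    groups = summarize(audit_text)
    lines = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        mode = ("permissive only" if g["enforcing"] == 0
                else f"{g['enforcing']} blocked in enforcing mode")
        lines.append(f"{stype} -> {ttype}:{tclass} on "
                     f"{', '.join(sorted(g['paths']))} ({mode})")
    return lines + allow_rules(groups)


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT)))
```

The rules it prints are what a policy fix would have to grant, not something to load blindly as a local module: the split by target type is the useful part, because the report shows the same /dev/sg1 under two labels, and a single rule for one label would leave the other set of denials in place once the host runs in enforcing mode.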
Links to: RHBA-2025:147963 selinux-policy bug fix and enhancement update