  1. RHEL
  2. RHEL-77620

SELinux critical denials when using virt-admin at first try

    • Yes
    • Critical
    • rhel-sst-security-selinux
    • ssg_security
    • QE ack
    • False
    • The reproducer does not trigger SELinux denials.
    • Automated
    • All

      What were you trying to do that didn't work?

      Use virt-admin.

      What is the impact of this issue to you?

      Not sure; executing our scenario again on our hosts does seem to fix the issues, but we can't exclude that this will reproduce on the customer side.

      Please provide the package NVR for which the bug is seen:

      How reproducible is this bug?:

      100% in CI

      Steps to reproduce

      The way our tests are run in CI seems to be different from how they are run manually when we execute those steps.

      Usually we'd configure some values for workers in the virtqemud.conf for example, restart the daemons and then run some virt-admin command to read values.

      Expected results

      The command is executed successfully from the start.

      Actual results

      NOTE: Connecting to default daemon. Specify daemon using '-c' (e.g. virtqemud:///system)
      error: Failed to connect to the admin server
      error: no valid connection
      error: Cannot recv data: Connection reset by peer

      Additional info

      I ran two failing tests in our CI without hiding any audit logs and found the following non-permissive denials listed. I see, for example, many denials for virtnetworkd_t apparently blocking access to network-related resources, and also one instance where virtqemud seems to access selinux_config_t, which I think happens because libvirt uses the libselinux library. All of these I believe should be allowed. I hit some of these also in RHEL-77351.

      I don't understand why these only happen the first time we run our automated test scenario in CI.

      16:05:12 2025-02-03 10:05:12,128 | INFO     | libvirt_ci.report [MainThread] - type=AVC msg=audit(1738595106.301:5277): avc:  denied  { read } for  pid=84772 comm="daemon-init" name="config" dev="dm-0" ino=201647903 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
      16:05:12 type=AVC msg=audit(1738595106.301:5277): avc:  denied  { open } for  pid=84772 comm="daemon-init" path="/etc/selinux/config" dev="dm-0" ino=201647903 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
      16:05:12 type=AVC msg=audit(1738595106.301:5278): avc:  denied  { getattr } for  pid=84772 comm="daemon-init" path="/etc/selinux/config" dev="dm-0" ino=201647903 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
      16:05:12 type=AVC msg=audit(1738595106.311:5279): avc:  denied  { search } for  pid=84772 comm="rpc-virtqemud" name="84792" dev="proc" ino=95926 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=1
      16:05:12 type=AVC msg=audit(1738595106.501:5283): avc:  denied  { noatsecure } for  pid=84858 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.501:5283): avc:  denied  { rlimitinh } for  pid=84858 comm="dnsmasq" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.501:5283): avc:  denied  { siginh } for  pid=84858 comm="dnsmasq" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.501:5284): avc:  denied  { noatsecure } for  pid=84859 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.501:5284): avc:  denied  { rlimitinh } for  pid=84859 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.501:5284): avc:  denied  { siginh } for  pid=84859 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5285): avc:  denied  { noatsecure } for  pid=84860 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5285): avc:  denied  { rlimitinh } for  pid=84860 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5285): avc:  denied  { siginh } for  pid=84860 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5286): avc:  denied  { noatsecure } for  pid=84861 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5286): avc:  denied  { rlimitinh } for  pid=84861 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.511:5286): avc:  denied  { siginh } for  pid=84861 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.541:5288): avc:  denied  { noatsecure } for  pid=84862 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.541:5288): avc:  denied  { rlimitinh } for  pid=84862 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.541:5288): avc:  denied  { siginh } for  pid=84862 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.601:5290): avc:  denied  { noatsecure } for  pid=84875 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.601:5290): avc:  denied  { rlimitinh } for  pid=84875 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.601:5290): avc:  denied  { siginh } for  pid=84875 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595106.651:5293): avc:  denied  { noatsecure } for  pid=84900 comm="d... output is too long (32838), truncate to 10000 ...VC msg=audit(1738595110.231:5382): avc:  denied  { noatsecure } for  pid=85543 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.231:5382): avc:  denied  { rlimitinh } for  pid=85543 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.231:5382): avc:  denied  { siginh } for  pid=85543 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5384): avc:  denied  { noatsecure } for  pid=85544 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5384): avc:  denied  { rlimitinh } for  pid=85544 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5384): avc:  denied  { siginh } for  pid=85544 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5385): avc:  denied  { noatsecure } for  pid=85545 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5385): avc:  denied  { rlimitinh } for  pid=85545 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5385): avc:  denied  { siginh } for  pid=85545 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5386): avc:  denied  { noatsecure } for  pid=85546 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5386): avc:  denied  { rlimitinh } for  pid=85546 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.271:5386): avc:  denied  { siginh } for  pid=85546 comm="tc" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5387): avc:  denied  { noatsecure } for  pid=85547 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5387): avc:  denied  { rlimitinh } for  pid=85547 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5387): avc:  denied  { siginh } for  pid=85547 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5389): avc:  denied  { noatsecure } for  pid=85548 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5389): avc:  denied  { rlimitinh } for  pid=85548 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5389): avc:  denied  { siginh } for  pid=85548 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5391): avc:  denied  { noatsecure } for  pid=85549 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5391): avc:  denied  { rlimitinh } for  pid=85549 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5391): avc:  denied  { siginh } for  pid=85549 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5393): avc:  denied  { noatsecure } for  pid=85550 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5393): avc:  denied  { rlimitinh } for  pid=85550 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
      16:05:12 type=AVC msg=audit(1738595110.281:5393): avc:  denied  { siginh } for  pid=85550 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u
      16:05:12 2025-02-03 10:05:12,402 | INFO     | libvirt_ci.state [MainThread] - no supported state: /etc/sysconfig/libvirtd:[Errno 2] No such file or directory: '/etc/sysconfig/libvirtd'
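      The denials quoted above mix two kinds of records: file-access denials logged in permissive mode (virtqemud_t reading selinux_config_t) and the noatsecure/rlimitinh/siginh triple that the kernel checks when virtnetworkd_t transitions into dnsmasq_t, iptables_t or ifconfig_t, which were enforced (permissive=0). The following is an added example, not code from the issue or from libvirt, that parses such AVC lines, groups them by (source type, target type, class) and separates the transition-inheritance checks from real access denials; the sample records are constructed from the lines in this report, including one truncated line the parser must skip.

```python
import re

# Constructed sample records modelled on the AVC lines quoted in this issue:
# a virtqemud_t read of selinux_config_t (logged in permissive mode) and the
# noatsecure/rlimitinh/siginh triple raised when virtnetworkd_t starts dnsmasq/nft.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1738595106.301:5277): avc:  denied  { read } for  pid=84772 comm="daemon-init" name="config" dev="dm-0" ino=201647903 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1738595106.301:5277): avc:  denied  { open } for  pid=84772 comm="daemon-init" path="/etc/selinux/config" dev="dm-0" ino=201647903 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1738595106.501:5283): avc:  denied  { noatsecure } for  pid=84858 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
type=AVC msg=audit(1738595106.501:5283): avc:  denied  { rlimitinh } for  pid=84858 comm="dnsmasq" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
type=AVC msg=audit(1738595106.501:5283): avc:  denied  { siginh } for  pid=84858 comm="dnsmasq" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=process permissive=0
type=AVC msg=audit(1738595106.501:5284): avc:  denied  { noatsecure } for  pid=84859 comm="daemon-init" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=process permissive=0
type=AVC msg=audit(1738595110.281:5393): avc:  denied  { siginh } for  pid=85550 comm="nft" scontext=system_u:system_r:virtnetworkd_t:s0 tcontext=system_u
"""

# One AVC record: denied permissions, source/target contexts, class, mode.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\w+)\s+permissive=(?P<perm>[01])'
)

# Process permissions checked when a process transitions to a new domain.
TRANSITION_PERMS = {'noatsecure', 'rlimitinh', 'siginh'}

def type_of(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(':')[2]

def summarize_denials(audit_text):
    """Group AVC denials by (source type, target type, class); record the union of
    denied permissions, how many records, and whether any was enforced."""
    groups = {}
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:          # non-AVC or truncated record: skip, never guess fields
            continue
        key = (type_of(m['scon']), type_of(m['tcon']), m['tclass'])
        g = groups.setdefault(key, {'perms': set(), 'count': 0, 'enforced': False})
        g['perms'].update(m['perms'].split())
        g['count'] += 1
        g['enforced'] |= m['perm'] == '0'
    for g in groups.values():  # label transition-inheritance checks separately
        g['kind'] = 'transition' if g['perms'] <= TRANSITION_PERMS else 'access'
    return groups

if __name__ == '__main__':
    for (s, t, c), g in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        mode = 'ENFORCED' if g['enforced'] else 'permissive'
        print(f"{s} -> {t} ({c}) {mode} {g['kind']}: {sorted(g['perms'])} x{g['count']}")
```

Feeding the full audit.log of a CI run through summarize_denials gives the handful of unique (source, target, class) tuples behind hundreds of repeated lines, which is what a policy maintainer needs to decide whether an allow or a dontaudit rule is the right fix.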

              Zdenek Pytela (rhn-support-zpytela)
              Sebastian Mitterle (smitterl@redhat.com)
              Daniel Berrangé
              Milos Malik