RHEL-80407

vhost_set_mem_table failed when SELinux is enabled and memfd memory is used


    • Story
    • Resolution: Done
    • rhel-9.7
    • rhel-9.6, rhel-10.0
    • passt
    • rhel-virt-networking-passt-pasta
    • ssg_virtualization
    • Approved Blocker

      What were you trying to do that didn't work?

      The vhostuser passt interface will be down when using memfd memory with SELinux enabled

      What is the impact of this issue to you?

      The interface is down

      Please provide the package NVR for which the bug is seen:

      passt-0^20250217.ga1e48a0-1.el10.x86_64
      qemu-kvm-9.1.0-15.el10.x86_64
      libvirt-10.10.0-7.el10.x86_64
      selinux-policy-40.13.26-1.el10.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1.  Start the VM with the settings below:
        # getenforce 
        Enforcing
        # virsh dumpxml rhel
        ...
          <memory unit='KiB'>2097152</memory>
          <currentMemory unit='KiB'>2097152</currentMemory>
          <memoryBacking>
            <source type='memfd'/>
            <access mode='shared'/>
          </memoryBacking>
        ...
        <interface type='vhostuser'>
              <mac address='52:54:00:5a:35:4b'/>
              <model type='virtio'/>
              <backend type='passt'/>
              <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
            </interface>
        ...
        # virsh start rhel 
        Domain 'rhel' started
        

        Log in to the VM and check:

        [root@localhost ~]# ip addr show enp1s0 
        2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
            link/ether 52:54:00:5a:35:4b brd ff:ff:ff:ff:ff:ff
            altname enx5254005a354b
        

        Check the QEMU log on the host:

        2025-02-24T01:45:15.156640Z qemu-kvm: Failed to read msg header. Read 0 instead of 12. Original request 0.
        2025-02-24T01:45:15.156713Z qemu-kvm: vhost_set_mem_table failed: Input/output error (5)
        2025-02-24T01:45:15.156991Z qemu-kvm: unable to start vhost net: 5: falling back on userspace virtio
        
      2.  Check the SELinux log:
        # ausearch -m avc
        ----
        time->Sun Feb 23 00:59:16 2025
        type=PROCTITLE msg=audit(1740290356.084:39): proctitle=2F7573722F62696E2F6C736D64002D64
        type=SYSCALL msg=audit(1740290356.084:39): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=560778b28850 a2=7fff83324ae0 a3=100 items=0 ppid=1 pid=1225 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
        type=AVC msg=audit(1740290356.084:39): avc:  denied  { getattr } for  pid=1225 comm="lsmd" path="/usr/bin/passt-repair" dev="dm-0" ino=67122401 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passt_repair_exec_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:29:57 2025
        type=PROCTITLE msg=audit(1740360597.861:4058): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F312D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F312D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360597.861:4058): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7ffcf0cfdad0 a2=40 a3=7ffcf0cfdb14 items=0 ppid=1 pid=75323 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c423,c1011 key=(null)
        type=AVC msg=audit(1740360597.861:4058): avc:  denied  { read write } for  pid=75323 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=13342 scontext=system_u:system_r:passt_t:s0:c423,c1011 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:29:57 2025
        type=PROCTITLE msg=audit(1740360597.861:4059): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F312D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F312D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360597.861:4059): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=75323 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c423,c1011 key=(null)
        type=AVC msg=audit(1740360597.861:4059): avc:  denied  { map } for  pid=75323 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c423,c1011 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
        ----
        time->Sun Feb 23 20:32:55 2025
        type=PROCTITLE msg=audit(1740360775.722:4114): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F322D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F322D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360775.722:4114): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7ffd01ab80d0 a2=40 a3=7ffd01ab8114 items=0 ppid=1 pid=75540 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c360,c903 key=(null)
        type=AVC msg=audit(1740360775.722:4114): avc:  denied  { read write } for  pid=75540 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=15426 scontext=system_u:system_r:passt_t:s0:c360,c903 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:32:55 2025
        type=PROCTITLE msg=audit(1740360775.722:4115): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F322D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F322D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360775.722:4115): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=75540 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c360,c903 key=(null)
        type=AVC msg=audit(1740360775.722:4115): avc:  denied  { map } for  pid=75540 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c360,c903 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
        ----
        time->Sun Feb 23 20:34:41 2025
        type=PROCTITLE msg=audit(1740360881.644:4142): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F332D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F332D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360881.644:4142): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7fff0b348450 a2=40 a3=7fff0b348494 items=0 ppid=1 pid=75644 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c240,c456 key=(null)
        type=AVC msg=audit(1740360881.644:4142): avc:  denied  { read write } for  pid=75644 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=15428 scontext=system_u:system_r:passt_t:s0:c240,c456 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:34:41 2025
        type=PROCTITLE msg=audit(1740360881.645:4143): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F332D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F332D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360881.645:4143): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=75644 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c240,c456 key=(null)
        type=AVC msg=audit(1740360881.645:4143): avc:  denied  { map } for  pid=75644 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c240,c456 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
        ----
        time->Sun Feb 23 20:35:50 2025
        type=PROCTITLE msg=audit(1740360950.784:4170): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F342D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F342D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360950.784:4170): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7fff17542070 a2=40 a3=7fff175420b4 items=0 ppid=1 pid=75750 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c808,c988 key=(null)
        type=AVC msg=audit(1740360950.784:4170): avc:  denied  { read write } for  pid=75750 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=21521 scontext=system_u:system_r:passt_t:s0:c808,c988 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:35:50 2025
        type=PROCTITLE msg=audit(1740360950.784:4171): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F342D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F342D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740360950.784:4171): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=75750 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c808,c988 key=(null)
        type=AVC msg=audit(1740360950.784:4171): avc:  denied  { map } for  pid=75750 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c808,c988 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
        ----
        time->Sun Feb 23 20:38:07 2025
        type=PROCTITLE msg=audit(1740361087.131:4200): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F352D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F352D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740361087.131:4200): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7ffe65bb85d0 a2=40 a3=7ffe65bb8614 items=0 ppid=1 pid=75875 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c575,c998 key=(null)
        type=AVC msg=audit(1740361087.131:4200): avc:  denied  { read write } for  pid=75875 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=14412 scontext=system_u:system_r:passt_t:s0:c575,c998 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=1
        ----
        time->Sun Feb 23 20:38:07 2025
        type=PROCTITLE msg=audit(1740361087.131:4201): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F352D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F352D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740361087.131:4201): arch=c000003e syscall=9 success=yes exit=139755354816512 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=75875 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c575,c998 key=(null)
        type=AVC msg=audit(1740361087.131:4201): avc:  denied  { map } for  pid=75875 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=14412 scontext=system_u:system_r:passt_t:s0:c575,c998 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=1
        ----
        time->Sun Feb 23 20:45:15 2025
        type=PROCTITLE msg=audit(1740361515.154:4230): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F362D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F362D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740361515.154:4230): arch=c000003e syscall=47 success=yes exit=12 a0=49 a1=7fff335a37d0 a2=40 a3=7fff335a3814 items=0 ppid=1 pid=76024 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c748,c886 key=(null)
        type=AVC msg=audit(1740361515.154:4230): avc:  denied  { read write } for  pid=76024 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=23570 scontext=system_u:system_r:passt_t:s0:c748,c886 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
        ----
        time->Sun Feb 23 20:45:15 2025
        type=PROCTITLE msg=audit(1740361515.154:4231): proctitle=7061737374002D2D76686F73742D75736572002D2D6F6E652D6F6666002D2D736F636B6574002F72756E2F6C6962766972742F71656D752F70617373742F362D7268656C2D6E6574302E736F636B6574002D2D706964002F72756E2F6C6962766972742F71656D752F70617373742F362D7268656C2D6E6574302D7061737374
        type=SYSCALL msg=audit(1740361515.154:4231): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=30000 a2=3 a3=4001 items=0 ppid=1 pid=76024 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="passt.avx2" exe="/usr/bin/passt.avx2" subj=system_u:system_r:passt_t:s0:c748,c886 key=(null)
        type=AVC msg=audit(1740361515.154:4231): avc:  denied  { map } for  pid=76024 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c748,c886 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
        

         

      Expected results

      The interface should be up

      Actual results

      The interface is down

              sbrivio@redhat.com Stefano Brivio
              yalzhang@redhat.com Yalan Zhang
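
Added example, not part of the original report: a triage helper that parses AVC records like those in the ausearch output above, decodes the hex-encoded `path=` field, and groups denials by source type, target type and class while keeping enforced (`permissive=0`) and permissive (`permissive=1`) records apart. The four sample records are copied from this report; the function names are illustrative.

```python
import re
from collections import defaultdict

# Four AVC records copied verbatim from the ausearch output in this report.
SAMPLE = """\
type=AVC msg=audit(1740290356.084:39): avc:  denied  { getattr } for  pid=1225 comm="lsmd" path="/usr/bin/passt-repair" dev="dm-0" ino=67122401 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passt_repair_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1740360597.861:4058): avc:  denied  { read write } for  pid=75323 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=13342 scontext=system_u:system_r:passt_t:s0:c423,c1011 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1740360597.861:4059): avc:  denied  { map } for  pid=75323 comm="passt.avx2" path="/dev/null" dev="devtmpfs" ino=4 scontext=system_u:system_r:passt_t:s0:c423,c1011 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1740361087.131:4201): avc:  denied  { map } for  pid=75875 comm="passt.avx2" path=2F6D656D66643A6D656D6F72792D6261636B656E642D6D656D6664202864656C6574656429 dev="tmpfs" ino=14412 scontext=system_u:system_r:passt_t:s0:c575,c998 tcontext=system_u:object_r:svirt_tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")

def decode_audit_value(raw):
    """Quoted values are literal; unquoted ones are hex, which audit uses
    for strings containing spaces or control characters."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Splitting on whitespace is safe: values with spaces are hex-encoded.
    f = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": tuple(m.group(1).split()),
        "source": f["scontext"].split(":")[2],  # user:role:TYPE:level[:cats]
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "path": decode_audit_value(f["path"]) if "path" in f else None,
        "enforced": f.get("permissive") == "0",  # permissive=1: logged only
    }

def summarize(text):
    """Group denials by (source type, target type, class, enforced)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["source"], rec["target"], rec["tclass"], rec["enforced"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["paths"].add(rec["path"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, enforced), g in sorted(summarize(SAMPLE).items()):
        mode = "blocked" if enforced else "logged only"
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} [{mode}] {sorted(g['paths'])}")
```
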