-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.0
-
None
-
No
-
Moderate
-
rhel-sst-security-selinux
-
ssg_security
-
3
-
False
-
-
None
-
None
-
None
-
None
-
Unspecified
-
Unspecified
-
Unspecified
-
None
What were you trying to do that didn't work?
AVC denials happen when start a guest with disk that has data file and backing file
Please provide the package NVR for which bug is seen:
libvirt-10.10.0-8.el10_0.x86_64
qemu-kvm-9.1.0-15.el10.x86_64
How reproducible:
100%
Steps to reproduce
1. Prepare a disk with a data file and a backing file which also has a data file.
# qemu-img create -f qcow2 -o data_file=/var/lib/libvirt/images/datastore_1 /var/lib/libvirt/images/base-with-data-file.qcow 100M Formatting '/var/lib/libvirt/images/base-with-data-file.qcow', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=104857600 data_file=/var/lib/libvirt/images/datastore_1 lazy_refcounts=off refcount_bits=16 # qemu-img create -f qcow2 -o data_file=/var/lib/libvirt/images/datastore_2 /var/lib/libvirt/images/datastore.qcow2 100M Formatting '/var/lib/libvirt/images/datastore.qcow2', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=104857600 data_file=/var/lib/libvirt/images/datastore_2 lazy_refcounts=off refcount_bits=16 # qemu-img rebase -f qcow2 -F qcow2 -b /var/lib/libvirt/images/base-with-data-file.qcow /var/lib/libvirt/images/datastore.qcow2 # qemu-img info /var/lib/libvirt/images/datastore.qcow2 --backing-chain image: /var/lib/libvirt/images/datastore.qcow2 file format: qcow2 virtual size: 100 MiB (104857600 bytes) disk size: 196 KiB cluster_size: 65536 backing file: /var/lib/libvirt/images/base-with-data-file.qcow backing file format: qcow2 Format specific information: compat: 1.1 compression type: zlib lazy refcounts: false refcount bits: 16 data file: /var/lib/libvirt/images/datastore_2 data file raw: false corrupt: false extended l2: false Child node '/file': filename: /var/lib/libvirt/images/datastore.qcow2 protocol type: file file length: 192 KiB (197120 bytes) disk size: 196 KiB Format specific information: extent size hint: 1048576 image: /var/lib/libvirt/images/base-with-data-file.qcow file format: qcow2 virtual size: 100 MiB (104857600 bytes) disk size: 196 KiB cluster_size: 65536 Format specific information: compat: 1.1 compression type: zlib lazy refcounts: false refcount bits: 16 data file: /var/lib/libvirt/images/datastore_1 data file raw: false corrupt: false extended l2: false Child node '/file': filename: /var/lib/libvirt/images/base-with-data-file.qcow protocol type: file file length: 192 KiB (197120 bytes) disk size: 196 KiB Format specific information: extent size hint: 1048576
2. Prepare a guest with disk which only has /var/lib/libvirt/images/datastore.qcow2 image.
<disk type="file" device="disk">
<driver name="qemu" type="qcow2" cache="none" io="native" discard="unmap"/>
<source file="/var/lib/libvirt/images/datastore.qcow2"/>
<target dev="vdb" bus="virtio"/>
<address type="pci" domain="0x0000" bus="0x05" slot="0x00" function="0x0"/>
</disk>
3. Start guest.
# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: process exited while connecting to monitor: 2025-03-27T02:05:50.946408Z qemu-kvm: -blockdev {"node-name":"libvirt-1-format","read-only":false,"discard":"unmap","cache":
,"driver":"qcow2","file":"libvirt-1-storage","backing":"libvirt-3-format"}: Could not open '/var/lib/libvirt/images/datastore_2': Permission denied
Expected results
Start guest successfully and the expected disk xml is:
<disk type='file' device='disk'> <driver name='qemu' type='qcow2' cache='none' io='native' discard='unmap'/> <source file='/var/lib/libvirt/images/datastore.qcow2'> <dataStore type='file'> <format type='raw'/> <source file='/var/lib/libvirt/images/datastore_2'/> </dataStore> </source> <backingStore type='file'> <format type='qcow2'/> <source file='/var/lib/libvirt/images/base-with-data-file.qcow'> <dataStore type='file'> <format type='raw'/> <source file='/var/lib/libvirt/images/datastore_1'/> </dataStore> </source> </backingStore> <target dev='vdb' bus='virtio'/> <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/> </disk>
Actual results
Start guest failed.
Additional info
# ausearch -m avc
time->Wed Mar 26 22:04:21 2025
type=PROCTITLE msg=audit(1743041061.476:35147): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D61766F6361646F2D76742D766D312C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1743041061.476:35147): arch=c000003e syscall=257 success=yes exit=18 a0=ffffff9c a1=555e75d3b480 a2=84002 a3=0 items=0 ppid=1 pid=500871 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c261,c525 key=(null)
type=AVC msg=audit(1743041061.476:35147): avc: denied { write }
for pid=500871 comm="qemu-kvm" name="datastore_2" dev="dm-0" ino=51256442 scontext=system_u:system_r:svirt_t:s0:c261,c525 tcontext=unconfined_u:object_r:virt_image_t:s0 tclass=file permissive=1
- relates to
-
-
- In Progress
-
