Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.1
Affects Version/s: rhel-10.1
Component/s: selinux-policy
Labels:

Fixed in Build:
selinux-policy-40.13.35-1.el10
Severity:
Important
Epic Link:
SELINUX-3824
sprint_count:
1

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
22
Story Points:
2
Target Version:

rhel-10.1
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 250716: 9

Acceptance Criteria:

Hide

The qgs service starts and runs successfully under the new SELinux label: qgs_t.

Show
The qgs service starts and runs successfully under the new SELinux label: qgs_t.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/147963
Test Coverage:

RegressionOnly

Release Note Type:
Feature
Release Note Text:

Hide
.The SELinux policy adds rules and type for the `qgs` daemon

The `qgs` daemon was added to RHEL with the `linux-sgx` package, which supports TDX confidential virtualization. The `qgs` daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new `qgs_t` type, access rules, and permissions.

Show
.The SELinux policy adds rules and type for the `qgs` daemon The `qgs` daemon was added to RHEL with the `linux-sgx` package, which supports TDX confidential virtualization. The `qgs` daemon communicates with QEMU over a UNIX domain socket when the guest OS requests attestation of the virtual machine (VM). To make this possible, the SELinux policy adds a new `qgs_t` type, access rules, and permissions.
Release Note Status:
Done
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:
Architecture:

x86_64

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

The 'linux-sgx' package is adding host software needed to support Intel TDX confidential virtualization. The most important piece in this package is the 'qgs' daemon which provides an attestation service. QEMU will speak to 'qgs' over a UNIX domain socket when the guest OS requests attestation of the VM.

Given that QEMU is a strictly confined daemon under SELinux Policy, we need to define a new 'qgs_t' SELinux domain, write suitable access rules, and permit the 'svirt_t' domain to communicate with it.

Without a QGS policy, the current default QEMU svirt_t policy will block access to QGS, so this will be a blocker for shipping TDX support in RHEL.

relates to

RHEL-87744 [RHEL-9.7] New SELinux domain required for TDX confidential virtualization "qgs" daemon

Release Pending

links to

RHBA-2025:147963 selinux-policy bug fix and enhancement update

Assignee:: Zdenek Pytela

Reporter:: Daniel Berrangé

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2025/04/17 1:47 PM

Updated:: 2025/10/08 5:15 PM

Target end:: 2025/07/28

Next Planned Release Date:: 2025/11/11

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide