RHEL-92847

SELinux prevents creating a user session domain with passt


    • Type: Bug
    • Priority: Normal
    • Resolution: Duplicate
    • Versions: rhel-9.6.z, rhel-9.7
    • Component: passt
    • Labels: rhel-virt-networking-passt-pasta, ssg_virtualization

      What were you trying to do that didn't work?

      As subject

      What is the impact of this issue to you?

      Cannot create a domain with passt in a user session

      Please provide the package NVR for which the bug is seen:

      libvirt-10.10.0-10.el9.x86_64
      passt-0^20250320.g32f6212-1.el9.x86_64
      selinux-policy-38.1.56-1.el9.noarch
      qemu-kvm-9.1.0-19.el9.x86_64
      virt-install-5.0.0-1.el9.noarch

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Create a domain with passt as a common user
      # su - hhan -c "virt-install --import --disk none -n passt -r 2048 --memorybacking source.type=file,access.mode=shared --network user,backend.type=passt,model.type=virtio --osinfo generic -q"
      ERROR    internal error: Child process (passt --one-off --socket /home/hhan/.cache/libvirt/qemu/run/passt/3-passt-net0.socket --pid /home/hhan/.cache/libvirt/qemu/run/passt/3-passt-net0-passt.pid) unexpected exit status 1: Failed to bind UNIX domain socket: Permission denied

      SELinux denials:

      type=AVC msg=audit(1747823644.823:9362): avc:  denied  { search } for  pid=410989 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c533,c693 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1747823644.823:9363): avc:  denied  { search } for  pid=410989 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c533,c693 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1747823644.823:9364): avc:  denied  { search } for  pid=410989 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c533,c693 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
      2. Change SELinux to permissive mode. It works:
      # setenforce 0
      # su - hhan -c "virt-install --import --disk none -n passt -r 2048 --memorybacking source.type=file,access.mode=shared --network user,backend.type=passt,model.type=virtio --osinfo generic -q"

      SELinux denials:

      type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name="libvirt" dev="vda4" ino=25165980 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name="qemu" dev="vda4" ino=41943201 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1747823681.677:9383): avc:  denied  { write } for  pid=411038 comm="passt.avx2" name="passt" dev="vda4" ino=1138 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1747823681.677:9383): avc:  denied  { add_name } for  pid=411038 comm="passt.avx2" name="4-passt-net0.socket" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
      type=AVC msg=audit(1747823681.677:9383): avc:  denied  { create } for  pid=411038 comm="passt.avx2" name="4-passt-net0.socket" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=sock_file permissive=1
      type=AVC msg=audit(1747823681.677:9384): avc:  denied  { create } for  pid=411038 comm="passt.avx2" name="4-passt-net0-passt.pid" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1747823681.677:9384): avc:  denied  { write open } for  pid=411038 comm="passt.avx2" path="/home/hhan/.cache/libvirt/qemu/run/passt/4-passt-net0-passt.pid" dev="vda4" ino=6319 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file permissive=1

      Not reproduced on RHEL10.1:

      libvirt-11.3.0-1.el10.x86_64
      passt-0^20250217.ga1e48a0-5.el10_0.x86_64
      qemu-kvm-10.0.0-1.el10.x86_64
      virt-install-5.0.0-1.el10.noarch
      selinux-policy-40.13.30-1.el10.noarch

      Expected results

      The command works and there are no SELinux denials.

      Actual results

      As above.
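As an added example (not part of the report or of the passt project), a small Python parser that aggregates the AVC records quoted above per source domain, target type and object class. It shows why the permissive run is the informative one: in enforcing mode passt exits at the first search denial on cache_home_t, while permissive mode logs every access the passt_t domain needs under ~/.cache/libvirt/qemu/run/passt. AVC_LOG, parse_avc, required_access and to_allow_rules are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the report, one from the enforcing run (permissive=0)
# and the full chain from the permissive run (permissive=1).
AVC_LOG = """\
type=AVC msg=audit(1747823644.823:9362): avc:  denied  { search } for  pid=410989 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c533,c693 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name=".cache" dev="vda4" ino=16912224 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name="libvirt" dev="vda4" ino=25165980 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:virt_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1747823681.677:9382): avc:  denied  { search } for  pid=411038 comm="passt.avx2" name="qemu" dev="vda4" ino=41943201 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1747823681.677:9383): avc:  denied  { write } for  pid=411038 comm="passt.avx2" name="passt" dev="vda4" ino=1138 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1747823681.677:9383): avc:  denied  { add_name } for  pid=411038 comm="passt.avx2" name="4-passt-net0.socket" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1747823681.677:9383): avc:  denied  { create } for  pid=411038 comm="passt.avx2" name="4-passt-net0.socket" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1747823681.677:9384): avc:  denied  { create } for  pid=411038 comm="passt.avx2" name="4-passt-net0-passt.pid" scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1747823681.677:9384): avc:  denied  { write open } for  pid=411038 comm="passt.avx2" path="/home/hhan/.cache/libvirt/qemu/run/passt/4-passt-net0-passt.pid" dev="vda4" ino=6319 scontext=unconfined_u:unconfined_r:passt_t:s0:c719,c829 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):.*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):.*?"
    r"tclass=(?P<tclass>\w+)\s+permissive=(?P<mode>[01])")

def parse_avc(log):
    # One tuple per record: (permissive?, source domain, target type, class, perms)
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((m["mode"] == "1", m["sdom"], m["ttype"], m["tclass"], set(m["perms"].split())))
    return out

def required_access(records, domain, permissive_only=None):
    # Aggregate denied permissions per (target type, class) for one source domain;
    # permissive_only=False/True keeps only records logged in that mode.
    needed = defaultdict(set)
    for permissive, sdom, ttype, tclass, perms in records:
        if sdom == domain and permissive_only in (None, permissive):
            needed[(ttype, tclass)] |= perms
    return {k: sorted(v) for k, v in needed.items()}

def to_allow_rules(domain, access):
    # Render the aggregate as allow rules (audit2allow-style) for comparison with the shipped policy.
    return [f"allow {domain} {t}:{c} {{ {' '.join(p)} }};" for (t, c), p in sorted(access.items())]

if __name__ == "__main__":
    recs = parse_avc(AVC_LOG)
    print("enforcing run revealed:", required_access(recs, "passt_t", permissive_only=False))
    for rule in to_allow_rules("passt_t", required_access(recs, "passt_t", permissive_only=True)):
        print(rule)
```

The enforcing run yields a single rule (search on cache_home_t:dir); the permissive run yields five, covering the virt_home_t and svirt_home_t directories plus the socket and pid file passt creates there.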

              Participants: Stefano Brivio, Han Han, Lei Yang