Bug
Resolution: Unresolved
Major
rhel-10.1
selinux-policy-40.13.35-1.el10
Critical
rhel-security-selinux
QE ack
SELINUX 250716: 9
Pass
Automated
Release Note Not Required
What were you trying to do that didn't work?
Create a nodedev mediated device that's persisted ('define' in libvirt jargon).
What is the impact of this issue to you?
After maintenance operations like reboot or DASD passthrough re-assignments I will have to start those devices again from files. After a reboot VMs won't be able to automatically start.
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.33-1.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
- Try to define a mediated device, e.g.
# cat nodedev.xml
<device>
  <parent>css_0_0_002c</parent>
  <capability type="mdev">
    <type id="vfio_ccw-io" />
    <uuid>8d312cf6-f92a-485c-8db8-ba9299848f46</uuid>
  </capability>
</device>
# virsh nodedev-define nodedev.xml
Expected results
Node device 'mdev_8d312cf6_f92a_485c_8db8_ba9299848f46_0_0_002c' defined from 'nodedev.xml'
Actual results
error: Failed to define node device from 'nodedev.xml'
error: internal error: Unable to define mediated device: Error: Permission denied (os error 13)
Additional information
The scenario succeeds with the following additional rules:
(allow virtnodedevd_t mdevctl_conf_t (file (execute)))
(allow virtnodedevd_t mdevctl_conf_t (file (execute_no_trans)))
(allow virtnodedevd_t mdevctl_conf_t (dir (create)))
I'm unsure why I didn't catch this earlier, I assume my other automated tests simply use 'virsh-create' which doesn't require the storage of a new configuration.
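The three CIL rules in the workaround above are the kind of rules an audit2allow-style pass derives from the AVC denials that `virsh nodedev-define` triggers. The following is an added example, not code from this report, from libvirt or from selinux-policy: it parses AVC records, merges the denied permissions per (source type, target type, class) and emits CIL allow rules in the same form as the reporter's. It is general over any denials, not only this scenario. The sample audit lines, the file path inside them and the module name are constructed for illustration and are assumptions, not output captured from an affected host.

```python
"""Derive CIL allow rules from SELinux AVC denials (a minimal audit2allow).

Added example for the virtnodedevd_t -> mdevctl_conf_t denial described in
the report. SAMPLE_AUDIT is constructed to match that scenario; it is not a
real audit.log excerpt, and the path and module name in it are made up.
"""
import re
import sys
from collections import defaultdict

# Constructed sample records (not captured from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1721000000.101:201): avc:  denied  { create } for  pid=2401 comm="mdevctl" name="css_0_0_002c" scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1721000000.102:202): avc:  denied  { execute } for  pid=2401 comm="mdevctl" path="/etc/mdevctl.d/example-callout" dev="dm-0" ino=4242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1721000000.103:203): avc:  denied  { execute_no_trans } for  pid=2401 comm="mdevctl" path="/etc/mdevctl.d/example-callout" dev="dm-0" ino=4242 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:mdevctl_conf_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1721000000.103:203): arch=c000003e syscall=59 success=no exit=-13 comm="mdevctl" exe="/usr/sbin/mdevctl"
"""

# One AVC record: the denied permission set, both contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line.

    Non-AVC records (SYSCALL, PATH, ...) are skipped.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").split())
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               perms)


def aggregate(denials):
    """Merge permissions so each (source, target, class) triple yields one rule."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        merged[(stype, ttype, tclass)] |= perms
    return merged


def to_cil(merged):
    """Render sorted CIL allow rules, e.g. (allow a_t b_t (file (execute)))."""
    return [
        f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def cil_module(text, name="local_virtnodedevd_mdevctl"):
    """Build a CIL module body that semodule -i <name>.cil can load.

    The rules are exactly what the denials asked for, so review them before
    loading: execute on a *_conf_t type is broader than what a daemon should
    normally run, and this is a local workaround, not the policy fix.
    """
    rules = to_cil(aggregate(parse_denials(text)))
    header = f";; {name}: generated from AVC denials, review before loading"
    return "\n".join([header] + rules)


if __name__ == "__main__":
    # Pipe real denials in (e.g. ausearch -m AVC -ts recent) or run stand-alone on the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    print(cil_module(source))
```

Run it stand-alone to see the three rules for the constructed sample, or feed it `ausearch -m AVC -ts recent` output on the affected host and load the result with `semodule -i local_virtnodedevd_mdevctl.cil`; `sesearch -A -s virtnodedevd_t -t mdevctl_conf_t` then confirms the loaded policy, and the module can be dropped again with `semodule -r` once the selinux-policy build listed at the top of this page is installed.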
Links to: RHBA-2025:147963 selinux-policy bug fix and enhancement update