Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.2
Affects Version/s: rhel-10.1
Component/s: selinux-policy
Labels:
- selinux_triaged
- virt-selinux

Regression:
No
Severity:
Moderate
Epic Link:
SELINUX-4342

AssignedTeam:
rhel-security-selinux

Story Points:
1
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

As subject

What is the impact of this issue to you?

SELinux denials

Please provide the package NVR for which the bug is seen:

selinux-policy-40.13.33-1.el10.noarch

libvirt v11.4.0-70-g07a8be20c1

How reproducible is this bug?:

always

Steps to reproduce

Restart the host
Detach a PCI node device

# virsh nodedev-dettach pci_0000_18_00_1
Device pci_0000_18_00_1 detached

Check the AVC denials:

type=AVC msg=audit(1750821038.379:192): avc:  denied  { execute } for  pid=7896 comm="rpc-virtqemud" name="kmod" dev="dm-0" ino=134351583 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750821038.380:193): avc:  denied  { execute_no_trans } for  pid=7964 comm="rpc-virtqemud" path="/usr/bin/kmod" dev="dm-0" ino=134351583 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750821038.380:193): avc:  denied  { map } for  pid=7964 comm="modprobe" path="/usr/bin/kmod" dev="dm-0" ino=134351583 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750821038.382:194): avc:  denied  { map } for  pid=7964 comm="modprobe" path="/usr/lib/modules/6.12.0-95.el10.x86_64/modules.dep.bin" dev="dm-0" ino=2416024214 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=1
type=AVC msg=audit(1750821038.415:195): avc:  denied  { module_load } for  pid=7964 comm="modprobe" path="/usr/lib/modules/6.12.0-95.el10.x86_64/kernel/drivers/iommu/iommufd/iommufd.ko.xz" dev="dm-0" ino=469778021 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
type=AVC msg=audit(1750821038.506:196): avc:  denied  { write } for  pid=7896 comm="rpc-virtqemud" name="driver_override" dev="sysfs" ino=21537 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

Expected results

No denials

Actual results

As above

Assignee:: Zdenek Pytela

Reporter:: Han Han

Developer:: Zdenek Pytela

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/06/25 3:16 AM

Updated:: 2025/10/16 11:55 AM

Stale Date:: 2026/06/29

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Steps to reproduce

Expected results

Actual results

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide