# // reset audit log # systemctl kill -s SIGUSR1 auditd # rm -vf /var/log/audit/audit.log.* # uname -a Linux intel-birchstream-gnr-sp-03.khw.eng.bos2.dc.redhat.com 5.14.0-524.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 30 10:28:04 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux # grep RHEL /etc/yum.repos.d/beaker-BaseOS.repo baseurl=http://download.eng.rdu.redhat.com/rhel-9/composes/RHEL-9/RHEL-9.6.0-updates-20241104.d.0/compose/BaseOS/x86_64/os # rpm -qa qat\* qatlib-service-24.09.0-1.el9.x86_64 qatlib-24.09.0-1.el9.x86_64 # rpm -qa selinux-policy\* selinux-policy-38.1.47-1.el9.noarch selinux-policy-targeted-38.1.47-1.el9.noarch # getenforce Enforcing # ls /sys/kernel/debug/qat_4xxx_0000\:01\:00.0/ cnv_errors dev_cfg fw_counters heartbeat pm_status telemetry transport # lsmod | grep -e vfio -e qat qat_4xxx 20480 0 intel_qat 475136 1 qat_4xxx crc8 12288 1 intel_qat # semodule -DB # systemctl start qat.service # lsmod | grep -e vfio -e qat vfio_pci 12288 0 vfio_pci_core 98304 1 vfio_pci vfio_iommu_type1 53248 0 vfio 77824 3 vfio_pci_core,vfio_iommu_type1,vfio_pci iommufd 118784 1 vfio qat_4xxx 20480 0 intel_qat 475136 1 qat_4xxx crc8 12288 1 intel_qat # ls /sys/kernel/debug/qat_4xxx_0000\:01\:00.0/ dev_cfg # ausearch -i | less ---- type=PROCTITLE msg=audit(11/05/2024 14:56:38.677:93) : proctitle=/bin/sh -c test $(getent group qat) type=EXECVE msg=audit(11/05/2024 14:56:38.677:93) : argc=3 a0=/bin/sh a1=-c a2=test $(getent group qat) type=SYSCALL msg=audit(11/05/2024 14:56:38.677:93) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55684d988620 a1=0x55684d987070 a2=0x55684d961be0 a3=0x1 items=0 ppid=1 pid=4186 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(11/05/2024 14:56:38.677:93) : avc: denied { siginh } for pid=4186 comm=sh scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process 
permissive=0 ---- type=PROCTITLE msg=audit(11/05/2024 14:56:38.776:94) : proctitle=/usr/bin/sh /usr/sbin/qat_init.sh type=SYSCALL msg=audit(11/05/2024 14:56:38.776:94) : arch=x86_64 syscall=write success=yes exit=3 a0=0x1 a1=0x5625669dd590 a2=0x3 a3=0x8 items=0 ppid=1 pid=4188 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 14:56:38.776:94) : avc: denied { search } for pid=4188 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=202 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 ---- 
type=SERVICE_START msg=audit(11/05/2024 14:56:39.096:95) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm=systemd exe=/usr/lib/systemd/systemd hostname=? addr=? terminal=? res=success' ---- type=PROCTITLE msg=audit(11/05/2024 14:56:39.163:97) : proctitle=modprobe vfio-pci type=SYSCALL msg=audit(11/05/2024 14:56:39.163:97) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x7f5c40700010 a1=0x42fc8 a2=0x55905d8d9962 a3=0x5 items=0 ppid=4226 pid=4228 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 14:56:39.163:97) : avc: denied { search } for pid=4228 comm=modprobe name=index dev="debugfs" ino=1035 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(11/05/2024 14:56:39.574:103) : proctitle=/usr/bin/sh /usr/sbin/qat_init.sh type=SYSCALL msg=audit(11/05/2024 14:56:39.574:103) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5625669e23d0 a2=0x7ffc762b9690 a3=0x0 items=0 ppid=4188 pid=4238 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 14:56:39.574:103) : avc: denied { getattr } for pid=4238 comm=qat_init.sh path=/dev/vfio/153 dev="devtmpfs" ino=1960 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0 ---- type=PROCTITLE msg=audit(11/05/2024 14:56:39.574:104) : proctitle=/usr/bin/sh /usr/sbin/qat_init.sh type=SYSCALL msg=audit(11/05/2024 14:56:39.574:104) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5625669e2430 a2=0x7ffc762b9690 a3=0x0 items=0 ppid=4188 
pid=4318 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 14:56:39.574:104) : avc: denied { getattr } for pid=4318 comm=qat_init.sh path=/dev/vfio/151 dev="devtmpfs" ino=1970 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0 # audit2allow -a #============= init_t ============== allow init_t initrc_t:process siginh; #============= qatlib_t ============== allow qatlib_t debugfs_t:dir search; allow qatlib_t device_t:chr_file getattr; # semodule -B # sesearch --dontaudit | grep -e debugfs_t dontaudit domain debugfs_t:dir { getattr open search }; # semodule -DB ===== PERMISSIVE # systemctl stop qat.service ; echo stop service ; rmmod vfio_pci ; rmmod vfio_pci_core ; rmmod vfio_iommu_type1 ; rmmod vfio ; echo rmmod vfio ; rmmod qat_4xxx ; rmmod intel_qat ; echo rmmod qat ; lsmod | grep -e vfio -e qat ; ls /sys/kernel/debug/qat_4xxx_0000\:01\:00.0/ stop service rmmod vfio rmmod qat ls: cannot access '/sys/kernel/debug/qat_4xxx_0000:01:00.0/': No such file or directory # setenforce 0 # getenforce Permissive # systemctl kill -s SIGUSR1 auditd # rm -vf /var/log/audit/audit.log.* removed '/var/log/audit/audit.log.1' # modprobe qat_4xxx ; echo modprobe qat ; sleep 1 ; systemctl start qat.service ; echo start qat.service ; lsmod | grep -e vfio -e qat ; ls /sys/kernel/debug/qat_4xxx_0000\:01\:00.0/ modprobe qat start qat.service vfio_pci 12288 0 vfio_pci_core 98304 1 vfio_pci vfio_iommu_type1 53248 0 vfio 77824 3 vfio_pci_core,vfio_iommu_type1,vfio_pci qat_4xxx 20480 0 intel_qat 475136 1 qat_4xxx iommufd 118784 1 vfio crc8 12288 1 intel_qat cnv_errors dev_cfg fw_counters heartbeat pm_status telemetry transport # ausearch -i | less type=SYSCALL msg=audit(11/05/2024 15:18:17.718:175) : arch=x86_64 syscall=write success=yes exit=3 a0=0x1 a1=0x55ea86e61590 
a2=0x3 a3=0x8 items=288 ppid=1 pid=6276 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 15:18:17.718:175) : avc: denied { search } for pid=6276 comm=qat_init.sh name=qat_4xxx_0000:01:00.0 dev="debugfs" ino=173217 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1