# // reset audit log # systemctl kill -s SIGUSR1 auditd # rm -vf /var/log/audit/audit.log.* # uname -a Linux lenovo-sr650v3-02.khw.eng.bos2.dc.redhat.com 6.11.0-27.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 30 05:59:37 EDT 2024 x86_64 GNU/Linux # grep RHEL /etc/yum.repos.d/beaker-BaseOS.repo baseurl=http://download.eng.rdu.redhat.com/rhel-10/composes/RHEL-10/RHEL-10.0-20241104.0/compose/BaseOS/x86_64/os # rpm -qa qat\* qatlib-service-24.09.0-2.el10.x86_64 qatlib-24.09.0-2.el10.x86_64 # rpm -qa selinux-policy\* selinux-policy-40.13.12-2.el10.noarch selinux-policy-targeted-40.13.12-2.el10.noarch # getenforce Enforcing # ls /sys/kernel/debug/qat_4xxx_0000\:6b\:00.0/ cnv_errors dev_cfg fw_counters heartbeat pm_status telemetry transport # lsmod | grep -e vfio -e qat qat_4xxx 20480 0 intel_qat 524288 1 qat_4xxx crc8 12288 1 intel_qat # semodule -DB # systemctl start qat.service # lsmod | grep -e vfio -e qat vfio_pci 16384 0 vfio_pci_core 94208 1 vfio_pci vfio_iommu_type1 53248 0 vfio 77824 4 vfio_pci_core,vfio_iommu_type1,vfio_pci iommufd 122880 1 vfio qat_4xxx 20480 0 intel_qat 524288 1 qat_4xxx crc8 12288 1 intel_qat # ls /sys/kernel/debug/qat_4xxx_0000\:6b\:00.0/ dev_cfg ausearch -i | less ---- type=PROCTITLE msg=audit(11/05/2024 15:57:56.500:120) : proctitle=/bin/sh -c test $(getent group qat) type=EXECVE msg=audit(11/05/2024 15:57:56.500:120) : argc=3 a0=/bin/sh a1=-c a2=test $(getent group qat) type=SYSCALL msg=audit(11/05/2024 15:57:56.500:120) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55c9dd0d3b70 a1=0x55c9dd0d3cc0 a2=0x55c9dc8b0620 a3=0x0 items=0 ppid=1 pid=4821 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC msg=audit(11/05/2024 15:57:56.500:120) : avc: denied { siginh } for pid=4821 comm=sh scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=0 ---- 
type=PROCTITLE msg=audit(11/05/2024 15:57:56.671:121) : proctitle=/usr/bin/sh /usr/sbin/qat_init.sh type=SYSCALL msg=audit(11/05/2024 15:57:56.671:121) : arch=x86_64 syscall=write success=yes exit=3 a0=0x1 a1=0x563f3eaeee70 a2=0x3 a3=0x563f3eaeee60 items=0 ppid=1 pid=4824 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(11/05/2024 15:57:56.671:121) : avc: denied { search } for pid=4824 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=107 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 ---- 
type=PROCTITLE msg=audit(11/05/2024 15:57:57.240:122) : proctitle=modprobe vfio-pci type=SYSCALL msg=audit(11/05/2024 15:57:57.240:122) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x7f82c42da010 a1=0x43510 a2=0x55d74ced6e79 a3=0x1 items=0 ppid=4878 pid=4880 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 15:57:57.240:122) : avc: denied { search } for pid=4880 comm=modprobe name=index dev="debugfs" ino=1035 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0 ---- # audit2allow -a #============= init_t ============== allow init_t initrc_t:process siginh; #============= qatlib_t ============== allow qatlib_t debugfs_t:dir search; # semodule -B # sesearch --dontaudit | grep -e debugfs_t dontaudit domain debugfs_t:dir { getattr open search }; # semodule -DB ===== PERMISSIVE # systemctl stop qat.service ; echo stop service ; rmmod vfio_pci ; rmmod vfio_pci_core ; rmmod vfio_iommu_type1 ; rmmod vfio ; echo rmmod vfio ; rmmod qat_4xxx ; rmmod intel_qat ; echo rmmod qat ; lsmod | grep -e vfio -e qat ; ls /sys/kernel/debug/qat_4xxx_0000\:6b\:00.0/ stop service rmmod vfio rmmod qat ls: cannot access '/sys/kernel/debug/qat_4xxx_0000:6b:00.0/': No such file or directory # setenforce 0 # getenforce Permissive # systemctl kill -s SIGUSR1 auditd # rm -vf /var/log/audit/audit.log.* removed '/var/log/audit/audit.log.1' # modprobe qat_4xxx ; echo modprobe qat ; sleep 1 ; systemctl start qat.service ; echo start qat.service ; lsmod | grep -e vfio -e qat ; ls /sys/kernel/debug/qat_4xxx_0000\:6b\:00.0/ modprobe qat start qat.service vfio_pci 16384 0 vfio_pci_core 94208 1 vfio_pci vfio_iommu_type1 53248 0 vfio 77824 4 vfio_pci_core,vfio_iommu_type1,vfio_pci qat_4xxx 20480 0 intel_qat 524288 1 qat_4xxx iommufd 122880 1 vfio crc8 12288 1 intel_qat cnv_errors
dev_cfg fw_counters heartbeat pm_status telemetry transport # ausearch -i | less ---- type=PROCTITLE msg=audit(11/05/2024 16:07:29.072:174) : proctitle=/usr/bin/sh /usr/sbin/qat_init.sh type=PATH msg=audit(11/05/2024 16:07:29.072:174) : item=287 name=(null) inode=227486 dev=00:08 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:debugfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 ... type=PATH msg=audit(11/05/2024 16:07:29.072:174) : item=0 name=(null) inode=212256 dev=00:08 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:debugfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(11/05/2024 16:07:29.072:174) : cwd=/ type=SYSCALL msg=audit(11/05/2024 16:07:29.072:174) : arch=x86_64 syscall=write success=yes exit=3 a0=0x1 a1=0x5579bec5be70 a2=0x3 a3=0x5579bec5be60 items=288 ppid=1 pid=6948 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qat_init.sh exe=/usr/bin/bash subj=system_u:system_r:qatlib_t:s0 key=(null) type=AVC msg=audit(11/05/2024 16:07:29.072:174) : avc: denied { search } for pid=6948 comm=qat_init.sh name=qat_4xxx_0000:6b:00.0 dev="debugfs" ino=212256 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1 ---- # audit2allow -a #============= init_t ============== #!!!! This avc has a dontaudit rule in the current policy allow init_t initrc_t:process siginh; #============= qatlib_t ============== #!!!! This avc has a dontaudit rule in the current policy allow qatlib_t debugfs_t:dir search;