Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.4, rhel-9.5
Component/s: selinux-policy
Labels:
None

Fixed in Build:
selinux-policy-38.1.37-1.el9
Epic Link:
SELINUX-3400
Keywords:

ZStream

Pool Team:

sst_security_selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
11
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Release Blocker:
Approved Blocker

Acceptance Criteria:

Hide

The qemu-kvm processes do not trigger any SELinux denials in enforcing mode when the Steps to Reproduce are followed.

Show
The qemu-kvm processes do not trigger any SELinux denials in enforcing mode when the Steps to Reproduce are followed.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:

Yes

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description:
When I tried to start the guest, it will report the avc denied error

Version-Release number of selected component (if applicable):
selinux-policy-38.1.35-2.el9_4.noarch
libvirt-10.0.0-6.el9_4.x86_64
qemu-kvm-8.2.0-11.el9_4.x86_64

How reproducible:
100%

Steps to Reproduce:
1. define a guest

#  virt-install --connect qemu:///system -n avocado-vt-vm1 --hvm --accelerate -r 2048 --vcpus=2 --os-variant rhel9.4 --disk path=/var/lib/libvirt/images/RHEL-9.5-x86_64-latest-ovmf.qcow2,bus=virtio,format=qcow2 --network bridge=virbr0,model=virtio --import --noreboot --noautoconsole --serial pty --memballoon model=virtio --graphics vnc --video cirrus --boot uefi

Starting install...
Creating domain...                                                                                                                                                     |         00:00:00    
Domain creation completed.
You can restart your domain by running:
  virsh --connect qemu:///system start avocado-vt-vm1

2. Start the guest

# virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started

3. Check guest status

# virsh domstate avocado-vt-vm1 --reason
running (booted)

(Guest can be started successfully)

4. Check the audit log in host

# ausearch -m avc
----
time->Tue Apr  9 20:23:09 2024
type=PROCTITLE msg=audit(1712708589.510:788): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D61766F6361646F2D76742D766D312C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1712708589.510:788): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5627a280a074 a2=0 a3=0 items=0 ppid=1 pid=21445 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c572,c618 key=(null)
type=AVC msg=audit(1712708589.510:788): avc:  denied  { read } for  pid=21445 comm="qemu-kvm" name="max_map_count" dev="proc" ino=52988 scontext=system_u:system_r:svirt_t:s0:c572,c618 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

Expected result:
Should not report avc denied error

blocks

RHEL-32337 [avc]SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.

Closed

is depended on by

RHEL-32337 [avc]SELinux is preventing /usr/libexec/qemu-kvm from read access on the file max_map_count.

Closed

links to

RHBA-2024:130707 selinux-policy bug fix and enhancement update

TCMS Test Case 105818

Assignee:: Zdenek Pytela

Reporter:: Lili Zhu

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 1 Vote for this issue

Watchers:: 18 Start watching this issue

Created:: 2024/04/10 2:19 AM

Updated:: 2024/05/29 6:28 AM

Target end:: 2024/05/13

Details

Description

Attachments

Issue Links

Activity

People

Dates