RHEL-34616

[RHEL-9.5 ] avc: denied { read } for pid=32896 comm="qemu-kvm" name="max_map_count" dev="proc" ino=110649

    • Bug
    • Resolution: Won't Do
    • rhel-9.5
    • selinux-policy
    • sst_security_selinux
    • ssg_security

      What were you trying to do that didn't work?

      Encountered the following AVC issue when installing a KVM host with RHEL-9.5.0-20240427.14.

      SELinux status:                 enabled
      SELinuxfs mount:                /sys/fs/selinux
      SELinux root directory:         /etc/selinux
      Loaded policy name:             targeted
      Current mode:                   enforcing
      Mode from config file:          enforcing
      Policy MLS status:              enabled
      Policy deny_unknown status:     allowed
      Memory protection checking:     actual (secure)
      Max kernel policy version:      33
      selinux-policy-38.1.36-1.el9.noarch
      ----
      time->Sat Apr 27 16:51:21 2024
      type=PROCTITLE msg=audit(1714251081.973:1604): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F6E7461702D6E6F6465312C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A22726177222C
      type=SYSCALL msg=audit(1714251081.973:1604): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=563b3c117074 a2=0 a3=0 items=0 ppid=1 pid=32896 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c42,c482 key=(null)
      type=AVC msg=audit(1714251081.973:1604): avc:  denied  { read } for  pid=32896 comm="qemu-kvm" name="max_map_count" dev="proc" ino=110649 scontext=system_u:system_r:svirt_t:s0:c42,c482 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
      ----
      time->Sat Apr 27 17:04:43 2024
      type=PROCTITLE msg=audit(1714251883.898:1784): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D6F6E7461702D6E6F6465322C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A22726177222C
      type=SYSCALL msg=audit(1714251883.898:1784): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5589b0452074 a2=0 a3=0 items=0 ppid=1 pid=37327 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c189,c943 key=(null)
      type=AVC msg=audit(1714251883.898:1784): avc:  denied  { read } for  pid=37327 comm="qemu-kvm" name="max_map_count" dev="proc" ino=110649 scontext=system_u:system_r:svirt_t:s0:c189,c943 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0

      Please provide the package NVR for which bug is seen:

      kernel: 5.14.0-443.el9

      selinux-policy: 38.1.36-1.el9.noarch

      How reproducible:

      many times

      Steps to reproduce

      1. Install a KVM host with RHEL-9.5.0-20240427.14

      Expected results

      No AVC issue

      Actual results

      AVC deny

      https://beaker.engineering.redhat.com/jobs/9217137

      https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2024/04/92171/9217137/16032729/177034157/826962864/avc.log

       

       

            rhn-support-zpytela Zdenek Pytela
            zhieli Zhi Li
            Zdenek Pytela Zdenek Pytela
            SSG Security QE SSG Security QE
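For triage of reports like this one, the three record types in each audit event can be joined on the event id and reduced to the fields a policy reviewer needs. The following is an added example, not part of the original report or of any Red Hat tooling; the function names and the abbreviated sample records (proctitle shortened, SYSCALL trimmed to a few fields) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: records abbreviated from the report above (proctitle shortened).
ARGV_HEX = b"/usr/libexec/qemu-kvm\0-name\0guest=ontap-node1".hex().upper()
SAMPLE = f"""\
type=PROCTITLE msg=audit(1714251081.973:1604): proctitle={ARGV_HEX}
type=SYSCALL msg=audit(1714251081.973:1604): arch=c000003e syscall=257 success=no exit=-13 uid=107 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1714251081.973:1604): avc:  denied  {{ read }} for  pid=32896 comm="qemu-kvm" name="max_map_count" dev="proc" ino=110649 scontext=system_u:system_r:svirt_t:s0:c42,c482 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")

def decode_proctitle(value):
    """Return argv: auditd hex-encodes proctitle because arguments are NUL-separated."""
    if value.startswith('"'):          # printable titles are logged quoted instead
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def fields(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}

def summarize(text):
    """Join records sharing an audit event id and summarize each AVC denial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events[m.group(2)][m.group(1)] = m.group(3)
    out = []
    for event_id, recs in events.items():
        if " denied " not in recs.get("AVC", ""):
            continue
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        pt = KV.search(recs.get("PROCTITLE", ""))
        out.append({
            "event": event_id,
            "perms": PERMS.search(recs["AVC"]).group(1).split(),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "name": avc.get("name"),
            "enforced": avc.get("permissive") == "0",
            "syscall_exit": int(sc.get("exit", 0)),   # -13 is -EACCES
            "argv": decode_proctitle(pt.group(2)) if pt else [],
        })
    return out
```

Calling `summarize(SAMPLE)` returns one entry per denied event; an event carrying several AVC records keeps only the last one in this sketch.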