From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] 'sys_rawio' selinux alarm triggered while doing SCSI reservation inside the guest
Date: Thu, 24 Jan 2019 10:26:37 +0000
User-agent: Mutt/1.10.1 (2018-07-13)

On Thu, Jan 24, 2019 at 01:32:49AM +0000, Zhangbo (Oscar) wrote:
> When performing SCSI reservation inside the guest, 'sys_rawio' selinux alarm 
> is triggered, shown as below:
> "type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for 
> pid=30357 comm="worker" capability=17 
> scontext=system_u:system_r:svirt_t:s0:c72,c348 
> tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability"
> 
> It's quite possible that the *ioctl SG_IO* caused this problem.
> Is it a design flaw in qemu? Ioctl SG_IO seems too privileged for qemu?

CCing Paolo and John for SCSI.

> 
> Here comes the possible solutions:
>   possible solution 1: Add a selinux policy boolean to allow the 'sys_rawio' 
> action, which suggests that this scenario is not a problem/design flaw indeed.
>   possible solution 2: reconstruct the SCSI-related action scheme inside 
> qemu, such as letting libvirtd accomplish the SG_IO job.
> Or, otherwise, can you suggest any other solutions? Thanks!
> 
> 
> reproduction:
> libvirt version: latest
> qemu version: latest
> selinux mode: Permissive
> service auditd status: active (running)
> 
> step 1. Configure the SCSI disk for the VM in the XML.
> <controller type='scsi' index='0' model='virtio-scsi'>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
> </controller>
> <disk type='block' device='lun' rawio='yes'>
> <driver name='qemu' type='raw' cache='none' io='native'/>
> <source dev='/dev/sdo'/>
> <target dev='sda' bus='scsi'/>
> <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> </disk>
> 
> step 2. Define and start vm.
> The type of guest OS is not the key; here it is centos-7.4.
> 
> step 3. Perform SCSI reservation command inside the guest.
> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
> # sg_persist -o -n -I -S 123abc -d /dev/sda
> # sg_persist -i -n -k -d /dev/sda
> # sg_persist -n -o -R -T 5 -K 123abc -d /dev/sda
> # sg_persist -n -i -r -d /dev/sda
> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
> 
> Then we can see the 'sys_rawio' SELinux denial in /var/log/audit/audit.log:
> type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for 
> pid=30357 comm="worker" capability=17 
> scontext=system_u:system_r:svirt_t:s0:c72,c348 
> tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
> 

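As an added example that is not part of this thread or of QEMU/libvirt: a small Python parser (assumed names parse_avc and find_rawio_denials) that picks denied tclass=capability AVC records out of audit.log, checks the textual permission against the numeric capability (17 is CAP_SYS_RAWIO in capability.h), and reports sys_rawio denials raised from the svirt_t domain. It also records the permissive=1 field when present, so an operator reading a Permissive-mode log like the one above can tell a logged-only denial from one that would have blocked the guest's SG_IO request.

```python
import re
from dataclasses import dataclass

# Subset of capability numbers from include/uapi/linux/capability.h.
CAPABILITY_NAMES = {12: "net_admin", 13: "net_raw", 16: "sys_module",
                    17: "sys_rawio", 19: "sys_ptrace", 21: "sys_admin"}

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: "
                    r"(?P<verdict>denied|granted) \{ (?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

@dataclass
class CapabilityDenial:
    serial: int
    pid: int
    comm: str
    domain: str        # type field of scontext, e.g. svirt_t
    capability: int
    cap_name: str
    permissive: bool   # permissive=1: SELinux logged the denial but did not block it

def parse_avc(line):
    """Return a CapabilityDenial for a denied tclass=capability AVC line, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if kv.get("tclass") != "capability":
        return None
    cap, perm = int(kv["capability"]), m.group("perms").split()[0]
    if CAPABILITY_NAMES.get(cap, perm) != perm:   # name and number must agree
        raise ValueError(f"capability {cap} does not match permission {perm}")
    return CapabilityDenial(int(m.group("serial")), int(kv["pid"]), kv["comm"],
                            kv["scontext"].split(":")[2], cap, perm, kv.get("permissive") == "1")

def find_rawio_denials(lines, domain="svirt_t"):
    """sys_rawio denials raised from the given SELinux domain (svirt_t confines QEMU)."""
    parsed = (parse_avc(line) for line in lines)
    return [d for d in parsed if d and d.cap_name == "sys_rawio" and d.domain == domain]

# Constructed sample: the report's record re-joined onto one line, plus an unrelated
# file denial from the same domain that the filter must ignore.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 '
    'comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 '
    'tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability',
    'type=AVC msg=audit(1548231521.000:8087): avc: denied { read } for pid=30357 '
    'comm="worker" name="foo" scontext=system_u:system_r:svirt_t:s0:c72,c348 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file',
]
```

Feed it `open("/var/log/audit/audit.log")` instead of the sample to run it over a real log; records that ausearch has already interpreted (capability names instead of numbers) are out of scope here.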