* [Qemu-devel] 'sys_rawio' selinux alarm triggered while doing SCSI reservation inside the guest
From: Zhangbo (Oscar) @ 2019-01-24 1:32 UTC (permalink / raw)
To: qemu-devel@nongnu.org
Cc: yinyipeng, Yanzheng (A), dengkai (A), Huangweidong (C)
When performing a SCSI reservation inside the guest, a 'sys_rawio' SELinux alarm is triggered, as shown below:
"type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability"
It's quite possible that the SG_IO ioctl caused this problem.
Is it a design flaw in qemu? The SG_IO ioctl seems too privileged for qemu?
Here are the possible solutions:
possible solution 1: Add an SELinux policy boolean to allow the 'sys_rawio' action, which would imply that this scenario is not a problem/design flaw at all.
possible solution 2: reconstruct the SCSI-related action scheme inside qemu, such as letting libvirtd accomplish the SG_IO job.
Or are there any other solutions you can suggest? Thanks!
reproduction:
libvirt version: latest
qemu version: latest
selinux mode: Permissive
service auditd status: active(running)
step 1. Configure scsi disk for vm in xml.
<controller type='scsi' index='0' model='virtio-scsi'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</controller>
<disk type='block' device='lun' rawio='yes'>
<driver name='qemu' type='raw' cache='none' io='native'/>
<source dev='/dev/sdo'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
step 2. Define and start vm.
The guest OS type is not the key; here it is CentOS 7.4.
step 3. Perform SCSI reservation command inside the guest.
# sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
# sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
# sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
# sg_persist -o -n -I -S 123abc -d /dev/sda
# sg_persist -i -n -k -d /dev/sda
# sg_persist -n -o -R -T 5 -K 123abc -d /dev/sda
# sg_persist -n -i -r -d /dev/sda
# sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
Then we can see the 'sys_rawio' SELinux denial in /var/log/audit/audit.log:
type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
* Re: [Qemu-devel] 'sys_rawio' selinux alarm triggered while doing SCSI reservation inside the guest
From: Stefan Hajnoczi @ 2019-01-24 10:26 UTC (permalink / raw)
To: Zhangbo (Oscar)
Cc: qemu-devel@nongnu.org, Yanzheng (A), Huangweidong (C), yinyipeng,
dengkai (A), Paolo Bonzini, jsnow
On Thu, Jan 24, 2019 at 01:32:49AM +0000, Zhangbo (Oscar) wrote:
> When performing a SCSI reservation inside the guest, a 'sys_rawio' SELinux alarm is triggered, as shown below:
> "type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability"
>
> It's quite possible that the SG_IO ioctl caused this problem.
> Is it a design flaw in qemu? The SG_IO ioctl seems too privileged for qemu?
CCing Paolo and John for SCSI.
>
> Here are the possible solutions:
> possible solution 1: Add an SELinux policy boolean to allow the 'sys_rawio' action, which would imply that this scenario is not a problem/design flaw at all.
> possible solution 2: reconstruct the SCSI-related action scheme inside qemu, such as letting libvirtd accomplish the SG_IO job.
> Or are there any other solutions you can suggest? Thanks!
>
>
> reproduction:
> libvirt version: latest
> qemu version: latest
> selinux mode: Permissive
> service auditd status: active(running)
>
> step 1. Configure scsi disk for vm in xml.
> <controller type='scsi' index='0' model='virtio-scsi'>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
> </controller>
> <disk type='block' device='lun' rawio='yes'>
> <driver name='qemu' type='raw' cache='none' io='native'/>
> <source dev='/dev/sdo'/>
> <target dev='sda' bus='scsi'/>
> <address type='drive' controller='0' bus='0' target='0' unit='0'/>
> </disk>
>
> step 2. Define and start vm.
> The guest OS type is not the key; here it is CentOS 7.4.
>
> step 3. Perform SCSI reservation command inside the guest.
> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
> # sg_persist -o -n -I -S 123abc -d /dev/sda
> # sg_persist -i -n -k -d /dev/sda
> # sg_persist -n -o -R -T 5 -K 123abc -d /dev/sda
> # sg_persist -n -i -r -d /dev/sda
> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
>
> Then we can see the 'sys_rawio' SELinux denial in /var/log/audit/audit.log:
> type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
>
* Re: [Qemu-devel] 'sys_rawio' selinux alarm triggered while doing SCSI reservation inside the guest
From: Paolo Bonzini @ 2019-01-24 10:48 UTC (permalink / raw)
To: Stefan Hajnoczi, Zhangbo (Oscar)
Cc: qemu-devel@nongnu.org, Yanzheng (A), Huangweidong (C), yinyipeng,
dengkai (A), jsnow
On 24/01/19 11:26, Stefan Hajnoczi wrote:
> On Thu, Jan 24, 2019 at 01:32:49AM +0000, Zhangbo (Oscar) wrote:
>> When performing a SCSI reservation inside the guest, a 'sys_rawio' SELinux alarm is triggered, as shown below:
>> "type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability"
>>
>> It's quite possible that the SG_IO ioctl caused this problem.
>> Is it a design flaw in qemu? The SG_IO ioctl seems too privileged for qemu?
>
> CCing Paolo and John for SCSI.
>
>>
>> Here are the possible solutions:
>> possible solution 1: Add an SELinux policy boolean to allow the 'sys_rawio' action, which would imply that this scenario is not a problem/design flaw at all.
>> possible solution 2: reconstruct the SCSI-related action scheme inside qemu, such as letting libvirtd accomplish the SG_IO job.
>> Or are there any other solutions you can suggest? Thanks!
The latest QEMU already has qemu-pr-helper in order to support this.
libvirt will start the helper and tell QEMU to redirect reservations there.
You need to add "<reservations managed='yes'/>" inside the <source>
element of the disk.
Thanks,
Paolo
>>
>>
>> reproduction:
>> libvirt version: latest
>> qemu version: latest
>> selinux mode: Permissive
>> service auditd status: active(running)
>>
>> step 1. Configure scsi disk for vm in xml.
>> <controller type='scsi' index='0' model='virtio-scsi'>
>> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
>> </controller>
>> <disk type='block' device='lun' rawio='yes'>
>> <driver name='qemu' type='raw' cache='none' io='native'/>
>> <source dev='/dev/sdo'/>
>> <target dev='sda' bus='scsi'/>
>> <address type='drive' controller='0' bus='0' target='0' unit='0'/>
>> </disk>
>>
>> step 2. Define and start vm.
>> The guest OS type is not the key; here it is CentOS 7.4.
>>
>> step 3. Perform SCSI reservation command inside the guest.
>> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
>> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
>> # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
>> # sg_persist -o -n -I -S 123abc -d /dev/sda
>> # sg_persist -i -n -k -d /dev/sda
>> # sg_persist -n -o -R -T 5 -K 123abc -d /dev/sda
>> # sg_persist -n -i -r -d /dev/sda
>> # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
>>
>> Then we can see the 'sys_rawio' SELinux denial in /var/log/audit/audit.log:
>> type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
>>
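As an added example (my own code, not from the thread or from QEMU/libvirt), a defender-side check for the two points raised above: a parser that flags sys_rawio capability denials from the confined svirt_t domain in audit.log, and a libvirt XML transformation that applies Paolo's fix by adding `<reservations managed='yes'/>` to the LUN disk's `<source>` so reservations go through qemu-pr-helper. The function names are mine; the sample AVC record and disk element are copied from the original report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the AVC record quoted in the original report.
AVC_LINE = ('type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } '
            'for pid=30357 comm="worker" capability=17 '
            'scontext=system_u:system_r:svirt_t:s0:c72,c348 '
            'tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)'
    r'\s+comm="(?P<comm>[^"]*)"(?:\s+capability=(?P<cap>\d+))?'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['stype'] = rec['scontext'].split(':')[2]   # SELinux type of the subject
    return rec

def is_guest_rawio_denial(line):
    """True when a confined guest process (svirt_t) was denied CAP_SYS_RAWIO."""
    rec = parse_avc(line)
    return bool(rec and rec['tclass'] == 'capability'
                and rec['perm'] == 'sys_rawio' and rec['stype'] == 'svirt_t')

# Constructed sample input: the LUN passthrough disk element from the report.
DISK_XML = """<disk type='block' device='lun' rawio='yes'>
<driver name='qemu' type='raw' cache='none' io='native'/>
<source dev='/dev/sdo'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>"""

def needs_pr_helper(disk_xml):
    """True if a LUN disk leaves QEMU to issue persistent reservations itself."""
    disk = ET.fromstring(disk_xml)
    if disk.get('device') != 'lun':
        return False
    src = disk.find('source')
    res = src.find('reservations') if src is not None else None
    return res is None or res.get('managed') != 'yes'

def enable_managed_reservations(disk_xml):
    """Apply the fix from the thread: route reservations through qemu-pr-helper."""
    disk = ET.fromstring(disk_xml)
    src = disk.find('source')
    if src is not None and needs_pr_helper(disk_xml):
        ET.SubElement(src, 'reservations', managed='yes')
    return ET.tostring(disk, encoding='unicode')
```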