When performing a SCSI reservation inside the guest, a 'sys_rawio' SELinux alarm is triggered, as shown below:

type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
It's quite possible that the *ioctl SG_IO* caused this problem. Is it a design flaw in qemu? Ioctl SG_IO seems too privileged for qemu? Here are the possible solutions:

possible solution 1: Add an SELinux policy boolean to allow the 'sys_rawio' action, which suggests that this scenario is not a problem/design flaw indeed.

possible solution 2: Reconstruct the SCSI-related action scheme inside qemu, such as letting libvirtd accomplish such SG_IO jobs.

Or, otherwise, can you suggest any other solutions? Thanks!

reproduction:

libvirt version: latest
qemu version: latest
selinux mode: Permissive
service auditd status: active (running)

step 1. Configure a scsi disk for the vm in the xml.

  <controller type='scsi' index='0' model='virtio-scsi'>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
  </controller>
  <disk type='block' device='lun' rawio='yes'>
    <driver name='qemu' type='raw' cache='none' io='native'/>
    <source dev='/dev/sdo'/>
    <target dev='sda' bus='scsi'/>
    <address type='drive' controller='0' bus='0' target='0' unit='0'/>
  </disk>

step 2. Define and start the vm. The type of guest OS is not the key; here it is centos-7.4.

step 3. Perform SCSI reservation commands inside the guest.

  # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
  # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda
  # sg_persist -o -n -I -K 123abc -S 0 -d /dev/sda
  # sg_persist -o -n -I -S 123abc -d /dev/sda
  # sg_persist -i -n -k -d /dev/sda
  # sg_persist -n -o -R -T 5 -K 123abc -d /dev/sda
  # sg_persist -n -i -r -d /dev/sda
  # sg_persist -n -o -L -K 123abc -T 5 -d /dev/sda

Then we can read the 'sys_rawio' SELinux denial in /var/log/audit/audit.log:

type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
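Added example (editor's code, not part of the report above and not libvirt or qemu code): a small Python triage script for the audit.log record produced in step 3. It parses AVC records into fields, maps the numeric capability to its name (capability=17 is CAP_SYS_RAWIO in linux/capability.h), keeps only capability-class denials whose source domain is svirt_t, and prints the allow rule that "possible solution 1" would amount to. The sample log embeds the AVC line from the report plus two constructed lines that the filter is meant to reject; all function and variable names are this example's own.

```python
"""Triage SELinux AVC capability denials from /var/log/audit/audit.log.

Example code added alongside the report above; not libvirt/qemu code.
"""
import re
from collections import Counter

# Capability numbers as defined in linux/capability.h.
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

# Constructed sample log: the first line is the AVC record from the report;
# the SYSCALL record, the blk_file denial and the sshd sys_admin denial are
# made up here so the filter has something to reject.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1548231520.416:8086): avc: denied { sys_rawio } for pid=30357 comm="worker" capability=17 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:system_r:svirt_t:s0:c72,c348 tclass=capability
type=SYSCALL msg=audit(1548231520.416:8086): arch=c000003e syscall=16 success=yes exit=0 comm="worker"
type=AVC msg=audit(1548231520.500:8087): avc: denied { read } for pid=30357 comm="worker" name="sdo" dev="devtmpfs" ino=9999 scontext=system_u:system_r:svirt_t:s0:c72,c348 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1548231530.001:8090): avc: denied { sys_admin } for pid=4100 comm="sshd" capability=21 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=capability
"""

# Tolerates the single or double spacing auditd uses between fields.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "unknown")
    return rec


def se_type(context):
    """Extract the type from a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def capability_denials(log_text, domain="svirt_t"):
    """Keep only capability-class denials whose source domain is `domain`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("tclass") != "capability":
            continue
        if se_type(rec["scontext"]) == domain:
            hits.append(rec)
    return hits


def allow_rule(rec):
    """The policy rule audit2allow would derive for one denial.

    A capability check is made against the process's own context, so for
    tclass=capability the scontext and tcontext match and the target is `self`.
    """
    source = se_type(rec["scontext"])
    target = "self" if rec["scontext"] == rec["tcontext"] else se_type(rec["tcontext"])
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (source, target, rec["tclass"], perms)


def summarize(hits):
    """Count denials per (comm, capability) so the repeats from sg_persist collapse."""
    return Counter((h["comm"], h.get("capability_name")) for h in hits)


if __name__ == "__main__":
    found = capability_denials(SAMPLE_AUDIT_LOG)
    for rec in found:
        print("serial=%d pid=%s comm=%s capability=%s (%s) -> %s" % (
            rec["serial"], rec["pid"], rec["comm"], rec["capability"],
            rec["capability_name"], allow_rule(rec)))
    print(dict(summarize(found)))
```

The report was taken in Permissive mode, where the AVC is recorded but SELinux does not block the ioctl; the same record under Enforcing would mean the capability check failed, so check the mode before reading a denial as the cause of a failed sg_persist. The rule the script prints is exactly what "possible solution 1" grants, which makes it easy to see how broad that grant is: it is not scoped to SG_IO or to the /dev/sdo device.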