
F40 s390x: SELinux breaks virsh nodedev-define #2134

Open
eaibmz opened this issue May 24, 2024 · 6 comments

@eaibmz

eaibmz commented May 24, 2024

Hi,

I'm having a problem defining a pass-through DASD disk for a KVM system on F40 s390x.
It seems to be a problem with incorrect SELinux policies.
This worked on F39, and the problem appeared right after the F40 upgrade.

----
time->Fri May 24 10:39:58 2024
type=AVC msg=audit(1716539998.789:2451): avc:  denied  { write } for  pid=15366 comm="mdevctl" name="mdevctl.d" dev="dasda1" ino=9438325 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
----
time->Fri May 24 10:40:00 2024
type=AVC msg=audit(1716540000.769:2452): avc:  denied  { write } for  pid=15455 comm="mdevctl" name="mdevctl.d" dev="dasda1" ino=9438325 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
----

Setup instructions for DASD pass-through: https://www.ibm.com/docs/en/linux-on-z?topic=dasd-create-mediated-device

Please advise how to fix it.
Thank you.

Regards
Alex

@mhartmay

The problem is that virtnodedevd (from the libvirt project) needs access to /etc/mdevctl.d/ for two reasons:

  1. it starts mdevctl (https://github.com/mdevctl/mdevctl) to control and list mediated devices (e.g. https://gitlab.com/libvirt/libvirt/-/blob/master/src/node_device/node_device_driver.c?ref_type=heads#L824) - this is the issue reported by @eaibmz
  2. it monitors /etc/mdevctl.d/ for file changes (https://gitlab.com/libvirt/libvirt/-/blob/master/src/node_device/node_device_udev.c?ref_type=heads#L2156)

What I also see on Fedora 40 (not sure whether a separate issue should be created for this):

type=AVC msg=audit(1715674489.409:248): avc:  denied  { read write } for  pid=1862 comm="virtnodedevd" name="z90crypt" dev="devtmpfs" ino=124 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1715674490.959:250): avc:  denied  { write } for  pid=1911 comm="ap-check" name="lock" dev="tmpfs" ino=27 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0

ap-check is a so-called "callout" script of mdevctl (see https://github.com/mdevctl/mdevctl/blob/master/mdevctl.rst#call-out-event-scripts for more information).

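The denials quoted above all share the source type virtnodedevd_t but hit three different target types (etc_t, crypt_device_t, var_lock_t). The following is an added example, not code from this issue or from the selinux-policy project: it parses AVC records of the form shown here and collapses them into the allow rules they imply, the way audit2allow would, so a policy maintainer can see at a glance what each denial asks for before deciding whether a rule or a relabel is the right fix.

```python
import re
from collections import defaultdict

# Constructed sample: copies of the AVC records quoted in this issue.
SAMPLE_AVCS = """\
type=AVC msg=audit(1716539998.789:2451): avc:  denied  { write } for  pid=15366 comm="mdevctl" name="mdevctl.d" dev="dasda1" ino=9438325 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1715674489.409:248): avc:  denied  { read write } for  pid=1862 comm="virtnodedevd" name="z90crypt" dev="devtmpfs" ino=124 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1715674490.959:250): avc:  denied  { write } for  pid=1911 comm="ap-check" name="lock" dev="tmpfs" ino=27 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0
"""

# Fields of a kernel AVC record that matter for deriving a TE rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the relevant fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": m.group("comm"),
        # A context is user:role:type:level; the type is the third field.
        "stype": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
    }


def required_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    # Note: a rule like 'allow virtnodedevd_t etc_t:dir { write }' grants
    # write on every etc_t directory, which is far broader than /etc/mdevctl.d;
    # a dedicated file context for that directory is the narrower fix.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```
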
@zpytela
Contributor

zpytela commented Aug 30, 2024

As for the original report, please try copr build in #2319 -> Checks -> rawhide/f40.

For the lock file issue, I'd like to see more information, with full auditing and in permissive mode if possible.

@eaibmz
Author

eaibmz commented Sep 2, 2024

> As for the original report, please try copr build in #2319 -> Checks -> rawhide/f40.
>
> For the lock file issue, I'd like to see more information, with full auditing and in permissive mode if possible.

Hmm, the problem occurs on the s390x arch, I'm not able to use an x86_64 copr build.

@eaibmz
Author

eaibmz commented Sep 2, 2024

> > As for the original report, please try copr build in #2319 -> Checks -> rawhide/f40.
> > For the lock file issue, I'd like to see more information, with full auditing and in permissive mode if possible.
>
> Hmm, the problem occurs on the s390x arch, I'm not able to use an x86_64 copr build.

Okay, scratch that, I was able to install them with some hacks :)
Testing...

@eaibmz
Author

eaibmz commented Sep 3, 2024

Hmm, I enabled SELinux again and it seems to work again. BUT I didn't install your changes.
Is it already upstreamed to Fedora?

selinux-policy-40.27-1.fc40.src.rpm is currently installed.

@zpytela
Contributor

zpytela commented Sep 4, 2024

It was not even in rawhide, but I will create new builds containing the change soon to confirm if it is sufficient.
