mhartmay
commented
1 month ago The problem is that virtnodedevd (from the libvirt project) needs access to /etc/mdevctl.d/ for two reasons:
- it starts
mdevctl(https://github.com/mdevctl/mdevctl) to control and list mediated devices (e.g. https://gitlab.com/libvirt/libvirt/-/blob/master/src/node_device/node_device_driver.c?ref_type=heads#L824) - this is the issue reported by @eaibmz - it monitors
/etc/mdevctl.d/for file changes (https://gitlab.com/libvirt/libvirt/-/blob/master/src/node_device/node_device_udev.c?ref_type=heads#L2156)
What I also see on Fedora 40 (not sure whether a separate issue should be created for this):
type=AVC msg=audit(1715674489.409:248): avc: denied { read write } for pid=1862 comm="virtnodedevd" name="z90crypt" dev="devtmpfs" ino=124 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1715674490.959:250): avc: denied { write } for pid=1911 comm="ap-check" name="lock" dev="tmpfs" ino=27 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=0ap-check is a so-called "callout" script of mdevctl (see https://github.com/mdevctl/mdevctl/blob/master/mdevctl.rst#call-out-event-scripts for more information).
Hi,
i'm having a problem defining a pass-through DASD disk for a KVM system on F40 s390x. And it seem to be a problem with incorrect SELinux policies. This worked on F39 and has appeared right after F40 upgrade.
Setup instructions for DASD pass-through: https://www.ibm.com/docs/en/linux-on-z?topic=dasd-create-mediated-device
Please advise how to fix it. Thank you.
Regards Alex