F40: Creation of debugfs entries in QAT driver blocked after starting qat service in QATlib #2312
Comments
@gcabiddu Can you share AVC denials?

@zpytela Is this sufficient?
I don't see any reference to debugfs.
selinux-policy-targeted-40.27-1.fc40.noarch should have fixed the majority of the denials, can you ensure you are showing only those after update? For these, I'd like to have some more information.

type=AVC msg=audit(1723218438.213:294): avc: denied { search } for pid=3379 comm="lspci" name=".cache" dev="nvme0n1p3" ino=151671 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:303): avc: denied { connectto } for pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
@zpytela this is what I see with selinux-policy-targeted-40.27-1.fc40.noarch. BTW, I don't see anything indicating debugfs. In the driver I see that when SELinux is enabled, the function that creates the debugfs entries returns -13 (-EPERM).

@zpytela do you need anything else on this? Thanks!
Can you try the copr build from #2355 -> Checks?

I tried the build from copr. Now I don't see the

If you switch the mode to permissive, do you see any change? setenforce 0

Tried again. If I switch to permissive mode, I see that the entries in debugfs are successfully created.

If there are no new avc denials, please remove dontaudit rules:

Here is the log:
The commit addresses the following AVC denial:

type=AVC msg=audit(19/09/24 10:36:25.585:1092) : avc: denied { search } for pid=9727 comm=qat_init.sh name=qat_4xxx_0000:e8:00.0 dev="debugfs" ino=98915 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1

Resolves: fedora-selinux#2312
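As an added illustration, not code from this thread or from selinux-policy, here is a small Python parser for the AVC records quoted above. It copes with both the epoch-style and ausearch-style timestamps and with quoted and bare field values seen in the thread, groups the denials by source type, target type and object class, and renders the audit2allow-style allow lines a policy maintainer would review before deciding on an allow, a dontaudit or a driver-side fix. The sample records are copied from this thread; the function names are my own.

```python
"""Parse SELinux AVC denial records and group them into allow-rule skeletons."""
import re
from collections import defaultdict

# Sample input, copied from the AVC records quoted in this issue thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1723218438.213:294): avc: denied { search } for pid=3379 comm="lspci" name=".cache" dev="nvme0n1p3" ino=151671 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1723218438.812:303): avc: denied { connectto } for pid=3562 comm="chown" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(19/09/24 10:36:25.585:1092) : avc: denied { search } for pid=9727 comm=qat_init.sh name=qat_4xxx_0000:e8:00.0 dev="debugfs" ino=98915 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=1
"""

# The permission set sits in braces; everything after "for" is key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# Values are either double-quoted (comm="lspci") or bare (comm=qat_init.sh).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., ...} for one AVC line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if bare == "" else bare
    return rec


def type_of(context):
    """user:role:type:level -> type (system_u:system_r:qatlib_t:s0 -> qatlib_t)."""
    return context.split(":")[2]


def summarise(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return rules


def as_allow_rules(rules):
    """Render one audit2allow-style line per group; a starting point for review, not policy."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_AVC)):
        print(rule)
```

Feed it `ausearch -m AVC` output instead of the sample to see every (source, target, class) triple a boot or service start produced; the `permissive=1` field on each record tells you the denial was only logged, not enforced, which is why the debugfs entries appear after `setenforce 0`.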
Thank you, please try now the updated copr build. Removing the kernel module is probably required for a full reproducer.

Tested with the copr build - it works. Thank you very much for your support.

Can you please ensure the module update is sufficient in selinux enforcing mode and after reboot?

Confirmed. Tested also after reboot. Also no avc denials in the audit log.

Thanks for your cooperation.
In Fedora 40 with any kernel version it has been noticed that most of the debugfs entries for the QAT driver are not present after starting the qat service.
The debugfs folder reports only the key dev_cfg which is created at the startup of the driver.
This is caused by SELinux blocking the creation of debugfs entries in the driver. If SELinux is in permissive mode or disabled, this issue does not occur.
Expected:
Actual: