Bug 184425
| Summary: | xend + selinux can hard lock | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Brian Brock <bbrock> |
| Component: | selinux-policy | Assignee: | Russell Coker <rcoker> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 2.2.29-6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-04-11 10:58:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 179599 | ||
More fixes coming in selinux-policy-targeted-2.2.23-8 I believe that this is fixed in selinux-policy-targeted-2.2.29-6. |
starting xen with selinux enabled can hard-lock a system. kernel-xen0-2.6.15-1.2032_FC5 xen-3.0.1-3 libselinux-1.29.7-1.2 libselinux-python-1.29.7-1.2 selinux-policy-2.2.23-6 selinux-policy-targeted-2.2.23-6 audit-libs-python-1.1.5-1 audit-libs-1.1.5-1 1. enable selinux 1. create, or download, an xen guest image into /root. 2. create a configuration file for the xen guest image in /root 3. start xend $ service xend start System is now hung, doesn't accept network traffic or keyboard input. Needs power-cycling to be useful again. Here's manually-copied console output (that doesn't make it to serial console): audit(timestamp): avc: denied { create } for pid=2388 comm="xenstored" name="xen" scontext=root:system_r:xenstored_t:s0 tcontext=root:object_r:xen_device_t:s0 tclass=dir audit(timestamp): avc: denied { read write } for pid=2406 comm="ip" name="[11700]" dev=sockfs ino=11700 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:xend_t:s0 tclass=unix_stream_socket completely reproducible disabling selinux avoids the problem. Expected results: System doesn't hardlock when selinux contraints are violated.