Bug 208434

Summary: xenconsole problem with targeted policy
Product: Red Hat Enterprise Linux 5 Reporter: Chris Runge <crunge>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 5.0.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-11-28 21:13:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Runge 2006-09-28 15:38:30 UTC
Description of problem:

When running "xm create -c <vm>" I get the following error:

xenconsole: Could not read tty from store: No such file or directory

and the console (fb or vnc) is not started, although the VM is

Version-Release number of selected component (if applicable):

kernel-xen-2.6.18-1.2704.el5
xen-3.0.2-39
libvirt-0.1.6-1
selinux-policy-targeted-2.3.14-6

How reproducible:

100%

Steps to Reproduce:
1. create a VM with xenguest-install
2. restart the VM with xm create -c
  
Additional info:

snippets from audit.log:

type=ANOM_PROMISCUOUS msg=audit(1159457584.800:42): dev=vif1.0 prom=256 old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1159457584.800:42): arch=40000003 syscall=54 success=yes exit=0 a0=3 a1=89a2 a2=bfebeaf0 a3=1 items=0 ppid=4798 pid=4866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159457584.856:43): avc:  denied  { read write } for  pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1159457584.856:43): arch=40000003 syscall=11 success=yes exit=0 a0=95aef20 a1=95af438 a2=95af330 a3=95af1f8 items=0 ppid=4854 pid=4881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1159457584.856:43):  path="/xen/rhnsat41.dsk"
type=ANOM_PROMISCUOUS msg=audit(1159457584.868:44): dev=tap0 prom=256 old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1159457584.868:44): arch=40000003 syscall=54 success=yes exit=0 a0=5 a1=89a2 a2=bfe54300 a3=1 items=0 ppid=4854 pid=4882 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:45): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:45): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe41a0 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:46): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:46): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4180 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:47): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:47): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4190 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:48): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4170 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1159457586.196:49): dev=tap0 prom=0 old_prom=256 auid=4294967295

Comment 1 Daniel Walsh 2006-09-28 16:10:55 UTC
/xen/rhnsat41.dsk is labeled wrong.  It should be xen_image_t.

xend needs to connect to XServer over tcp?

Any idea what /usr/lib/xen/bin/qemu-dm is searching tmp for?

Comment 2 Chris Runge 2006-09-28 16:22:39 UTC
restorecon -R /xen fixed the labelling, but etc_runtime_t was the label
originally given (perhaps by xenguest-install, or xen)?

I don't know the answers to your other questions.
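
The diagnosis in comments 1 and 2 (a disk image under /xen carrying etc_runtime_t instead of xen_image_t, fixed by restorecon, alongside two qemu-dm denials that are policy questions rather than label problems) can be reproduced mechanically from the audit.log snippet in the description. The script below is an added example, not code from this bug report or from the selinux-policy package: it parses the AVC and AVC_PATH records, folds the path record into the denial with the same serial, groups identical denials, and classifies each group as a label mismatch or a policy gap. The EXPECTED_TYPE_BY_PREFIX table is a hypothetical stand-in for the file-context database; on a real host you would ask matchpathcon(1) instead. The sample records are copied from the description with the line wrapping undone.

```python
"""Triage SELinux AVC denials from audit.log: label mismatch vs. policy gap.

Added example for this bug report; not code from the report or from the
selinux-policy package. EXPECTED_TYPE_BY_PREFIX is a hypothetical stand-in
for the file-context database (use matchpathcon(1) on a real host).
"""
import re

# Constructed sample input: AVC/AVC_PATH records copied from the bug's
# audit.log snippet with the 80-column line wrapping undone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159457584.856:43): avc:  denied  { read write } for  pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC_PATH msg=audit(1159457584.856:43):  path="/xen/rhnsat41.dsk"
type=AVC msg=audit(1159457585.676:45): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:46): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1159457585.676:47): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:48): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""

# Hypothetical file-context expectations: the type restorecon would apply.
EXPECTED_TYPE_BY_PREFIX = {"/xen/": "xen_image_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]+)"'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Extract the type field: user_u:object_r:etc_runtime_t:s0 -> etc_runtime_t."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial, with the AVC_PATH of the same serial folded in."""
    denials = {}  # serial -> denial; insertion order is the log order
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
            denials[m.group("serial")] = {
                "serial": m.group("serial"),
                "perms": m.group("perms").split(),
                "comm": fields.get("comm"),
                "source": type_of(fields["scontext"]),
                "target": type_of(fields["tcontext"]),
                "tclass": fields["tclass"],
                "name": fields.get("name"),
                "path": None,
            }
            continue
        m = PATH_RE.match(line)
        if m and m.group("serial") in denials:
            denials[m.group("serial")]["path"] = m.group("path")
    return list(denials.values())


def expected_type(path):
    """Type the (stand-in) file-context database assigns to path, or None if unknown."""
    for prefix, ftype in EXPECTED_TYPE_BY_PREFIX.items():
        if path.startswith(prefix):
            return ftype
    return None


def triage(denial):
    """Classify one denial: ("mislabeled", expected_type) or ("policy_gap", None)."""
    if denial["path"]:
        want = expected_type(denial["path"])
        if want and want != denial["target"]:
            return "mislabeled", want
    return "policy_gap", None


def triage_log(text):
    """One row per distinct (source, target, class, perms) denial, with a hit count."""
    rows = {}
    for d in parse_denials(text):
        key = (d["source"], d["target"], d["tclass"], tuple(d["perms"]))
        if key not in rows:
            verdict, want = triage(d)
            rows[key] = dict(d, verdict=verdict, expected=want, count=0, serials=[])
        rows[key]["count"] += 1
        rows[key]["serials"].append(d["serial"])
    return list(rows.values())


def recommended_action(row):
    """Label mismatches are fixed with restorecon; anything else needs a policy review."""
    if row["verdict"] == "mislabeled":
        return "restorecon -v %s  (expected %s, found %s)" % (
            row["path"], row["expected"], row["target"])
    return "policy review: %s -> %s:%s { %s } (no file-context mismatch; restorecon will not help)" % (
        row["source"], row["target"], row["tclass"], " ".join(row["perms"]))


if __name__ == "__main__":
    for row in triage_log(SAMPLE_AUDIT_LOG):
        print("x%d %-10s %s" % (row["count"], row["verdict"], recommended_action(row)))
```

Run against the sample, the first group (ifconfig_t on the etc_runtime_t disk image) comes out as a label mismatch with a restorecon fix, which matches comment 2; the xend_t search on tmp_t and the name_connect to xserver_port_t show no file-context mismatch, so they are reported as needing a policy change rather than a relabel, which is what comment 3's policy update addresses. Grouping by (source, target, class, perms) collapses the repeated records 45/47 and 46/48 into one row each with a count, which is how a practitioner would read a busy audit.log.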

Comment 3 Daniel Walsh 2006-09-28 18:43:54 UTC
Fixed in selinux-policy-2.3.16-6

Comment 4 Steve Grubb 2006-10-18 21:54:25 UTC
Adding to beta blocker since it meets criteria and is already fixed.

Comment 5 RHEL Program Management 2006-10-18 22:04:31 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.