This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes

Bug 208447

Summary: Cannot dump Xen VM corefile when in enforcing mode
Product: [Fedora] Fedora Reporter: Daniel Berrange <berrange>
Component: xenAssignee: Daniel Berrange <berrange>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.0.3-2.fc6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-15 14:11:19 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 213916    

Description Daniel Berrange 2006-09-28 12:31:46 EDT
Description of problem:
I have a Xen paravirt guest called 'demo' running. The host system has the
targetted policy loaded, in enforcing mode. Attempting to dump a corefile of the
guest VM results in:

# xm dump-core demo demo.core
dumping core of domain:demo ...
Error: [Errno 13] Permission denied

There is nothing logged in /var/log/audit/audit.log

If, however, I disable enforcing mode 'setenforce 0', then the operation
succeeeds, and the audit logs now do contain useful info:

type=AVC msg=audit(1159461156.920:245): avc:  denied  { read write } for 
pid=6291 comm="python" name="demo.core" dev=dm-0 ino=27121766
scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1159461156.920:245): arch=c000003e syscall=2 success=yes
exit=20 a0=2aaab24a7b0c a1=42 a2=180 a3=2aaab16852e8 items=0 ppid=2645 pid=6291
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)

I am in '/root' when attempting to dump the corefile


Version-Release number of selected component (if applicable):
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-2.3.16-2
selinux-policy-targeted-2.3.16-2
libselinux-1.30.28-2


How reproducible:
Always

Steps to Reproduce:
1. Create a Xen guest VM on a machine ruunning targetted policy, in enforcing mode
2. Login as root
3. Run 'xm dump-core <vmname>  demo.core
  
Actual results:
Permission denied

Expected results:
Dump succeeeds generating  demo.core

Additional info:
Hard to know what best course of action is here - do we change policy to either
allow Xend to generate core files anywhere on the FS, or do we force admins to
save their corefiles in a specific directory ? If the latter, we need to
document it and preferrably get 'xm dump-core' to print out some message to this
effect.
Comment 1 Daniel Walsh 2006-09-28 12:41:54 EDT
xend currently can only write to directories labeled xend_var_lib_t and
xend_var_log_t. 

/var/log/xen
/var/lib/xend
/var/lib/xen

So we can either setup a default directory /xen/core where these dups happen, or
tell users that they need to dump in one of these directories.
Comment 2 Daniel Walsh 2006-11-03 10:57:54 EST
You should dump to /var/lib/xen/dump
Comment 3 Stephen Tweedie 2006-11-03 13:58:40 EST
Why is this in "modified", has anything actually been fixed?  Rawhide xen still
appears to have

                corefile = "/var/xen/dump/%s-%s.%s.core" % (this_time,
                                  self.info['name'], self.domid)

in tools/python/xen/xend/XendDomainInfo.py.

Reopening.
Comment 4 Stephen Tweedie 2006-11-03 13:59:30 EST
Reassigning to xen component.
Comment 5 Daniel Berrange 2007-02-15 14:11:19 EST
Already pushed out in update xen-3.0.3-2.fc6