
Bug 210314

Summary: AVC denial with xen create -c
Product: [Fedora] Fedora
Component: xen
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Chris Runge <crunge>
Assignee: Xen Maintainance List <xen-maint>
QA Contact: Martin Jenner <mjenner>
CC: bstein, katzj, xen-maint
Fixed In Version: FC6
Doc Type: Bug Fix
Last Closed: 2008-02-26 18:31:19 EST

Description Chris Runge 2006-10-11 10:44:47 EDT
Description of problem:

AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc:  denied  { read write } for 
pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes
exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34):  path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.3.18-8
xen-3.0.2-44
kernel-xen-2.6.18-1.2759.fc6

How reproducible:

100%

Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest
  
Actual results:

avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:


Additional info:

# ls -Z /xen/rhel4.dsk 
-rwxr-xr-x  root root system_u:object_r:xen_image_t    /xen/rhel4.dsk

Comment 1 Daniel Walsh 2006-10-16 12:12:44 EDT
This is a leaked file descriptor from xen that the kernel is checking the access
allowed for the confined domain ifconfig.

Comment 3 Karl MacMillan 2007-03-29 11:45:51 EDT
Assigned back to xen component - as Dan says, this is a leaked file descriptor.

Comment 4 Daniel Berrange 2007-03-29 11:59:22 EDT
This was fixed in a recent FC6 update:

* Tue Mar  6 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-7.fc6
- Close QEMU file handles when running network script


Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no
longer get the SELinux AVC messages.

Comment 5 Red Hat Bugzilla 2007-07-24 19:59:59 EDT
change QA contact

Comment 6 Chris Lalancette 2008-02-26 18:31:19 EST
Since this seems to have been fixed in FC6, closing as CURRENTRELEASE
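
The leaked-descriptor behaviour described in comments 1 and 4, as an added example that is not part of the original report and not the Xen patch itself: a descriptor opened by a parent stays open in any helper it fork+execs unless it is closed first or marked close-on-exec. Assumptions: `/dev/null` stands in for the guest disk image, `/bin/sh` stands in for the network script, and `FD_CLOEXEC` is shown as one standard mitigation; the function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec /bin/sh (stand-in for a helper such as a network script).
 * Returns 1 if descriptor fd is still open in the exec'd program,
 * 0 if it is not, -1 on error. */
int helper_inherits_fd(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* ": <&N" succeeds only when descriptor N is open in the shell. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Mark fd close-on-exec so the kernel drops it at execve(). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void)
{
    /* /dev/null stands in for the guest disk image (constructed input). */
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0)
        return 1;
    printf("helper sees fd %d before FD_CLOEXEC: %d\n", fd, helper_inherits_fd(fd));
    if (set_cloexec(fd) < 0)
        return 1;
    printf("helper sees fd %d after FD_CLOEXEC:  %d\n", fd, helper_inherits_fd(fd));
    close(fd);
    return 0;
}
```

On an SELinux system the first case is what produces a denial like the one in the description: the helper's confined domain is checked against a file it never opened itself.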