Bug 221283

Summary: selinux prevents xm dump-core from working
Product: [Fedora] Fedora Reporter: Jeff Layton <jlayton>
Component: xenAssignee: Rik van Riel <riel>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: clalance, steved
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xen-3.0.3-3.fc6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-15 19:14:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Layton 2007-01-03 15:44:35 UTC 
While troubleshooting a problem with the rhel4 xenU kernel, I found that I
couldn't get a coredump from the xenU domain on my fc6 dom0. When I did a
"setenforce 0" I was able to get it to work.

The following avc messages were logged:

Jan  3 10:19:41 dantu kernel: audit(1167837581.876:58): avc:  denied  { write }
for  pid=28891 comm="python" name="dump" dev=dm-2 ino=983042
scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Jan  3 10:19:41 dantu kernel: audit(1167837581.876:59): avc:  denied  { add_name
} for  pid=28891 comm="python" name="2007-0103-1019.41-rhel4.17.core"
scontext=user_u:system_r:xend_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Jan  3 10:19:41 dantu kernel: audit(1167837581.876:60): avc:  denied  { create }
for  pid=28891 comm="python" name="2007-0103-1019.41-rhel4.17.core"
scontext=user_u:system_r:xend_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
Jan  3 10:19:41 dantu kernel: audit(1167837581.888:61): avc:  denied  { write }
for  pid=28891 comm="python" name="2007-0103-1019.41-rhel4.17.core" dev=dm-2
ino=983043 scontext=user_u:system_r:xend_t:s0 tcontext=user_u:object_r:var_t:s0
tclass=file
Comment 1 Jeff Layton 2007-01-03 15:47:11 UTC 
I have:

kernel-xen-2.6.18-1.2869.fc6
selinux-policy-targeted-2.4.6-13.fc6
xen-3.0.3-1.fc6

Let me know if you need other info.
Comment 2 Daniel Walsh 2007-01-03 21:41:52 UTC 
You should be dumping under /var/lib/xen

You are not allowed to dump elsewhere unless you label it xen_lib_t
Comment 3 Jeff Layton 2007-01-03 21:44:32 UTC 
Then xm dump-core is borked and this should be reassigned to that since it's
hardcoded to dump to the wrong location.
Comment 4 Daniel Berrangé 2007-01-11 20:49:44 UTC 
The updated RPM  xen-3.0.3-3.fc6  just pushed to updates-testing has moved the
core dump directory to /var/lib/xen/dumps. This should resolve the AVC denial issue.