Bug 222687

Summary: SELinux errors when starting Xen domain
Product: [Fedora] Fedora
Component: xen
Version: 6
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Adam Huffman <bloch>
Assignee: Xen Maintainance List <xen-maint>
QA Contact: Brian Brock <bbrock>
CC: bstein, djuran, katzj
Fixed In Version: xen-3.0.3-8.fc6
Doc Type: Bug Fix
Last Closed: 2007-04-02 13:03:15 UTC
Bug Blocks: 234166
Attachments: Error report via setroubleshoot (flags: none)

Description Adam Huffman 2007-01-15 18:45:15 UTC
Description of problem:
Whenever I start a Xen domain created using virt-install, there are SELinux denials.

Version-Release number of selected component (if applicable):
net-tools-1.60-73

How reproducible:
Every time

Steps to Reproduce:
1. Start a Xen domain
  
Actual results:
SELinux denials reported (I'm in permissive mode at the moment, until these
problems are resolved)

Expected results:
Domain starts normally

Additional info:

Comment 1 Adam Huffman 2007-01-15 18:45:15 UTC
Created attachment 145604
Error report via setroubleshoot

Comment 2 Daniel Walsh 2007-01-15 20:14:00 UTC
Did this actually block something from working?  If you try this in enforcing
mode do you see errors?  This looks like xen is leaking an open descriptor to
the xen_image_t file.  There is no reason ifconfig should ever need to
read/write this disk image.  I believe this should work in enforcing mode.

Comment 3 Adam Huffman 2007-01-16 19:04:25 UTC
Yes, there are errors when running in enforcing mode, though things do appear to
be working.

Comment 4 Daniel Berrangé 2007-03-27 15:25:56 UTC
QEMU was leaking file handles to the networking scripts which caused SELinux
errors. This was fixed in Xen 3.0.3-7.fc6

* Tue Mar  6 2007 Daniel P. Berrange <berrange> - 3.0.3-7.fc6
- Ensure PVFB daemon terminates if domain doesn't startup (bz 230634)
- Fix ia64 shadow page table mode
- Close QEMU file handles when running network script

Please upgrade & confirm that the errors went away.


Comment 5 David Juran 2007-04-02 08:32:00 UTC
Yes, this indeed seems to be fixed in xen-3.0.3-8.fc6 (-:
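
The descriptor inheritance discussed in comments 2 and 4, as an added example that is not part of the original bug thread or of the Xen/QEMU source. A pipe write end stands in for the open disk-image handle and `sleep` for the network script (both assumptions); the function reports whether the helper still holds the descriptor when it is inherited as-is, marked `FD_CLOEXEC`, or closed in the child before `exec`.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum fd_policy { INHERIT, CLOEXEC_FLAG, CLOSE_IN_CHILD };

/* Returns 1 if the exec'd helper still holds the parent's descriptor,
 * 0 if it does not, -1 on error. */
int helper_holds_fd(enum fd_policy policy)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    /* p[1] stands in for the open disk-image handle (constructed). */
    if (policy == CLOEXEC_FLAG && fcntl(p[1], F_SETFD, FD_CLOEXEC) < 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (policy == CLOSE_IN_CHILD) {
            /* Keep stdin/stdout/stderr, drop the rest. The bound is capped
             * for the demo because _SC_OPEN_MAX can be very large. */
            long max = sysconf(_SC_OPEN_MAX);
            if (max < 0 || max > 4096) max = 4096;
            for (int fd = 3; fd < max; fd++) close(fd);
        }
        /* "sleep" stands in for the network script (hypothetical helper). */
        execlp("sleep", "sleep", "5", (char *)NULL);
        _exit(127);
    }
    close(p[1]); /* parent drops its copy of the write end */
    /* The read end reports hang-up only once every copy of the write end
     * is closed, so a timeout means the helper inherited it. */
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    int n = poll(&pfd, 1, 500);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(p[0]);
    return n < 0 ? -1 : n == 0;
}

int main(void)
{
    printf("inherit=%d cloexec=%d close_in_child=%d\n",
           helper_holds_fd(INHERIT), helper_holds_fd(CLOEXEC_FLAG),
           helper_holds_fd(CLOSE_IN_CHILD));
    return 0;
}
```

Under SELinux the inherited case is what produces the denial: the helper runs in its own domain and the policy has no rule allowing that domain to read or write a file labelled `xen_image_t`.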