Bug 239572

Summary: blktapctrl dies if creation of /var/run/tap/tapctrlread1 fails
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: xenAssignee: Richard W.M. Jones <rjones>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: bstein, katzj, triage
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: bzcl34nup
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-09 09:06:34 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Richard W.M. Jones 2007-05-09 11:37:19 EDT
Description of problem:

If creation of /var/run/tap/tapctrlread1 fails, then the blktapctrl process
itself dies.  The consequence of this is that any further attempts to create
domains cause the domains to not be able to see any of their tap disks.

I discovered this as a side-effect of bug 239449.

Version-Release number of selected component (if applicable):


How reproducible:

Always on my test machine.

Steps to Reproduce:

1. Boot machine either with setenforce Enforcing (or change SELinux to Enforcing
after boot).  Notice that blktapctrl process is running as you would expect.

2. Use virt-manager to create a new domain.  Use a disk image for storage.  This
will fail (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239449#c2) - and
you should see that blktapctrl process has now disappeared.

3. Change SELinux to Permissive and use virt-manager to create another domain. 
Again, use a disk image for storage.
Actual results:

The second install in step 3 will fail because the domain will be unable to see
its disk.

Expected results:

Domain should be able to see its disk, or virt-manager should produce an error
because blktapctrl is unavailable.

Additional info:

Rebooting or running service xend restart fixes the problem by restarting

AVC failure (NB: only the first one because Enforcing):

audit(1178723555.374:16): avc:  denied  { create } for  pid=2981
comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=fifo_file

audit2allow on the above:

#============= xend_t ==============
allow xend_t var_run_t:fifo_file create;
Comment 1 Richard W.M. Jones 2007-11-19 10:37:50 EST
Change status to NEEDINFO of me - I need to check if this
still happens with current SELinux policy.
Comment 2 Bug Zapper 2008-04-03 20:37:13 EDT
Based on the date this bug was created, it appears to have been reported
against rawhide during the development of a Fedora release that is no
longer maintained. In order to refocus our efforts as a project we are
flagging all of the open bugs for releases which are no longer
maintained. If this bug remains in NEEDINFO thirty (30) days from now,
we will automatically close it.

If you can reproduce this bug in a maintained Fedora version (7, 8, or
rawhide), please change this bug to the respective version and change
the status to ASSIGNED. (If you're unable to change the bug's version
or status, add a comment to the bug and someone will change it for you.)

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we're following is outlined here:

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 3 Richard W.M. Jones 2008-04-04 06:11:36 EDT
I checked the SELinux policy but it doesn't look like it
contains the correct rule to fix this.  However need to
retest when I get my machine back to Xen.

Assigning this back to me.
Comment 4 Bug Zapper 2008-05-13 22:53:00 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 5 Richard W.M. Jones 2008-09-09 09:06:34 EDT
Very old bug with very little interest, so closing WONTFIX.