Bug 240342
| Field | Value |
|---|---|
| Summary | ifconfig denied access to storage device on xen guest creation |
| Product | Red Hat Enterprise Linux 5 |
| Component | xen |
| Version | 5.0 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED DUPLICATE |
| Severity | medium |
| Priority | low |
| Reporter | Chris Evich <cevich> |
| Assignee | Xen Maintainance List <xen-maint> |
| Doc Type | Bug Fix |
| Last Closed | 2007-07-16 20:42:03 UTC |

Description
Chris Evich
2007-05-16 16:30:25 UTC
Created attachment 154841: Wrapper script to run strace against /sbin/ifconfig.real
Created attachment 154842: Trace of ifconfig made using the attached wrapper.
Had to relabel the wrapper script, but using it did produce the same AVC denial
warning.
Does this cause the xen guest to fail? Or are you just seeing an AVC message?

As far as I can tell the guest starts up and runs fine. It cannot access the network since dom0's iptables rh-firewall-1 is up, but that's another bug (vif-common.sh appends rule instead of inserting it at top). So, the only thing I'm being bothered with is the AVC message. What really concerns me isn't the xen stuff here, it's the fact that ifconfig is trying to access the block device in the first place. Not sure if this is an ifconfig problem or an xm/xen problem.

This is a leaked file descriptor from xen. xen has an open file descriptor to the fixed device and when it execs the ifconfig script, the program transitions to the other domain. When an SELinux kernel starts to transition an executable, it checks the access of all open file descriptors, in this case generating AVC messages. The kernel then closes the file descriptors and continues with the execution. So this is really a xen problem.
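
One way a parent process can avoid the kind of descriptor leak described in the last comment is to mark its descriptors close-on-exec before running a helper such as ifconfig. The following is an added example, not code from xen or from this bug report; the function names are hypothetical and /dev/null stands in for the guest's block device.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 = open and inherited by an exec()ed child, 0 = close-on-exec, -1 = not open. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Marks every open descriptor above stderr close-on-exec, so a helper
 * started with exec() inherits only stdin/stdout/stderr.
 * Returns how many descriptors had to be changed (the leak candidates). */
int cloexec_all_above_stderr(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int changed = 0;
    if (max < 0 || max > 65536)
        max = 65536;              /* bound the scan if the limit is unset or huge */
    for (int fd = STDERR_FILENO + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (flags & FD_CLOEXEC))
            continue;             /* not open, or already close-on-exec */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            changed++;
    }
    return changed;
}

int main(void)
{
    /* /dev/null is a constructed stand-in for the storage device. */
    int leaky = open("/dev/null", O_RDWR);              /* inheritable by default */
    int safe  = open("/dev/null", O_RDWR | O_CLOEXEC);  /* safe from the moment it is opened */
    printf("fd %d survives exec: %d\n", leaky, fd_survives_exec(leaky));
    printf("fd %d survives exec: %d\n", safe, fd_survives_exec(safe));
    printf("descriptors fixed: %d\n", cloexec_all_above_stderr());
    printf("fd %d survives exec: %d\n", leaky, fd_survives_exec(leaky));
    return 0;
}
```

Opening with O_CLOEXEC is preferable to fixing flags afterwards, because it leaves no window in which another thread could fork and exec with the descriptor still inheritable.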