Bug 452765
| Summary: | SELinux is preventing iptables (iptables_t) "read write" to /proc/xen/privcmd | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Martin Jürgens <ma> |
| Component: | xen | Assignee: | Xen Maintainance List <xen-maint> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.2 | CC: | clalance, djuran, dwalsh, mrezanin, sghosh, xen-maint |
| Target Milestone: | rc | ||
| Target Release: | 5.6 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-10-20 11:15:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 514500 | ||
Reassigning to selinux-policy-targeted This is not a selinux-policy problem This is a leaked file descriptor in xen. iptables is not looking at /proc/xen/privcmd, xend is and is leaking this when it executes iptables. It should close fd's when it executes other apps. fcntl(fd, F_SETFD, FD_CLOEXEC); Martin You can write custom policy to make this error disappear by executing # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Hi Martin, can you write down some situation when message apperas? I'm not able to reproduce it. sorry. cant remember. using kvm now :( As there's no know scenario for this problem closing this bz. If you reproduce it feel free to reopen it. |
Description of problem: I have a Xen guest running. Sometimes, this SELinux warning appears: Quellkontext system_u:system_r:iptables_t Zielkontext system_u:object_r:proc_xen_t Zielobjekte /proc/xen/privcmd [ file ] Source iptables Source Path /sbin/iptables Port <Unbekannt> Host 85-10-1xx-51.clients.your-server.de Source RPM Packages iptables-1.3.5-4.el5 Target RPM Packages RPM-Richtlinie selinux-policy-2.4.6-137.el5 SELinux aktiviert True Richtlinienversion targeted MLS aktiviert True Enforcing-Modus Enforcing Plugin-Name catchall_file Hostname 85-10-1xx-51.clients.your-server.de Plattform Linux 85-10-1xx-51.clients.your-server.de 2.6.18-92.1.1.el5xen #1 SMP Sat Jun 21 19:21:20 EDT 2008 x86_64 x86_64 Anzahl der Alarme 62 Zuerst gesehen Di 24 Jun 2008 18:03:49 CEST Zuletzt gesehen Di 24 Jun 2008 23:29:05 CEST Lokale ID 1c22a36f-58ad-4a29-9a94-c7e01f11d8e6 Zeilennummern Raw-Audit-Meldungen host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153): avc: denied { read write } for pid=8880 comm="iptables" path="/proc/xen/privcmd" dev=proc ino=4026533346 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file host=85-10-1xx-51.clients.your-server.de type=AVC msg=audit(1214342945.590:153): avc: denied { read write } for pid=8880 comm="iptables" path="/proc/xen/privcmd" dev=proc ino=4026533346 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:proc_xen_t:s0 tclass=file host=85-10-1xx-51.clients.your-server.de type=SYSCALL msg=audit(1214342945.590:153): arch=c000003e syscall=59 success=yes exit=0 a0=2e7c170 a1=2e7bd90 a2=7fffe86c0440 a3=0 items=0 ppid=2307 pid=8880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)