Bug 499551

Summary: AVC denial from virsh dominfo - libvirtd (virtd_t) "getattr" svirt_t.
Product: [Fedora] Fedora Reporter: Charles Rose <charles_rose>
Component: libvirtAssignee: Daniel Veillard <veillard>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: berrange, clalance, crobinso, dwalsh, itamar, markmc, veillard, virt-maint, wwlinuxengineering
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-05-07 10:25:29 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 480594    
Attachments:
Description Flags
SELinux alert message none

Description Charles Rose 2009-05-07 02:50:58 EDT
Created attachment 342776 [details]
SELinux alert message

Description of problem:
Running:

  # virsh dominfo vfedora11

Id:             5
Name:           vfedora11
UUID:           b364fa20-349e-e604-94b5-40ca98952b04
OS Type:        hvm
State:          running
CPU(s):         1
CPU time:       10.9s
Max memory:     524288 kB
Used memory:    524288 kB
Autostart:      disable
Security model: selinux
Security DOI:   0
Security label: system_u:system_r:svirt_t:s0:c413,c668 (enforcing)

shows the domaininfo, but also results in an AVC denial:

SELinux is preventing libvirtd (virtd_t) "getattr" svirt_t.

Version-Release number of selected component (if applicable):
libvirt-0.6.2-4.f11.x86_64
selinux-policy-targetted-3.6.12-28.fc11.noarch

How reproducible:
Occurs the first three times "virsh dominfo" is run. Restarting libvirtd and running "virsh dominfo" causes the issue to happen again.

Steps to Reproduce:
1. Install Fedora Rawhide (7 May) with libvirt
2. Create a fedora 11 beta vm.
3. Run
       # virsh dominfo vfedora11
  
Actual results:
virsh shows the domain info

Expected results:
virsh shows the domain info, but an SELinux alert is seen.

Additional info:
SELinux alert attached.
Comment 1 Mark McLoughlin 2009-05-07 03:04:22 EDT
Could be from looking at /proc/$pid/stat ?
Comment 2 Daniel Walsh 2009-05-07 10:25:29 EDT
Fixed in selinux-policy-3.6.12-31.fc11.noarch