Bug 501983
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | AVC when saving qemu domains | | |
| Product: | [Fedora] Fedora | Reporter: | Enrico Scholz <rh-bugzilla> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 11 | CC: | berrange, dwalsh, mgrepl, michael.ansel, remslaptop |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-11-18 13:09:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Enrico Scholz
2009-05-21 13:48:51 UTC
I can allow the execution of this, but I believe we are going to have a hard time with isolation here. What exactly is qemu saving? Is it rewriting an image file? If you put the machine or svirt_t into permissive mode, what do all of the AVCs look like?

Urgh. This is an example of why the QEMU save capability is really evil. QEMU removed the old built-in 'save to file' capability, and to do this now you have to use their migrate API, telling it to exec 'dd of=/path/to/save'. We really need the built-in 'save to file' capability to come back so we can stop exec'ing bash and dd for this purpose.

Ok, I have duplicated this on my machine. Looks like libvirt creates a file and tells qemu to append to the file. So I don't have to give great privs to make this work. Fixed in selinux-policy-3.6.12-40.fc11.noarch. Image does stop running when I tell it to save, which seems wrong though.

I think that stopping the virtual machine is expected. 'savevm' stores memory + processor content (at least, according to its documentation); keeping the machine alive might modify hard disk content and there might be a conflict when the restored machine sees old processor/memory but new hard disk content.

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

I've also duplicated this on my machine, Fedora 11, 64-bit, SE Linux=enforcing. This occurs with any save. I've done a recent update to my system. Daniel, I see your comment (#3 above) and I still have this problem, even though:

    [root@fedora-11-sys ~]# rpm -qa | grep selinux-policy
    selinux-policy-targeted-3.6.12-78.fc11.noarch
    selinux-policy-3.6.12-78.fc11.noarch
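The question raised above, what the AVCs look like once svirt_t is in permissive mode, is normally answered by summarizing the audit log rather than reading raw records. The script below is an added example, not code from this bug or from the selinux-policy or libvirt projects: it parses AVC denial records and groups them by source type, target type, object class and permission, which makes it obvious whether fixing the save path would mean granting svirt_t execute on generic binaries (the isolation concern) or only append on the guest's own save file. The audit lines and their labels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records shaped like what a svirt_t-confined guest
# could produce while saving through "migrate exec:dd"; not taken from the bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1242913731.123:456): avc:  denied  { execute } for  pid=2345 comm="qemu-kvm" name="dd" dev=dm-0 ino=12345 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1242913731.123:456): avc:  denied  { execute_no_trans } for  pid=2345 comm="qemu-kvm" path="/bin/dd" dev=dm-0 ino=12345 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1242913731.130:457): avc:  denied  { append } for  pid=2346 comm="dd" path="/var/lib/libvirt/qemu/save/guest.save" dev=dm-0 ino=67890 scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:svirt_image_t:s0:c10,c20 tclass=file
type=SYSCALL msg=audit(1242913731.130:457): arch=c000003e syscall=2 success=yes exit=3 comm="dd" exe="/bin/dd" subj=system_u:system_r:svirt_t:s0:c10,c20 key=(null)
"""

# Permission set between braces, then the key=value fields that follow "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def summarize(lines, source_domain=None):
    """Count denials by (source type, target type, class, permission).

    Contexts are reduced to their type component, so MCS categories such as
    c10,c20 do not split one guest's denials into many groups. When
    source_domain is given, only denials from that source type are counted."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec['scontext'].split(':')[2]
        ttype = rec['tcontext'].split(':')[2]
        if source_domain and stype != source_domain:
            continue
        for perm in rec['perms']:
            counts[(stype, ttype, rec['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT.splitlines(), 'svirt_t').items()):
        print(n, *key)
```

Run against a real `/var/log/audit/audit.log` by feeding the file's lines to `summarize(...)`; execute-class permissions on bin_t are the rows to scrutinize before widening the policy.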