From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:

[root@thyrsus-laptop ~]# ls -l /var/local/cdata
-rwx------  1 root root 2097152000 Jun 16 23:37 /var/local/cdata
[root@thyrsus-laptop ~]# lsmod
Module                  Size  Used by
blowfish                9153  0
cryptoloop              3521  0
loop                   18121  1 cryptoloop
radeon                 76609  1
drm                    70101  2 radeon
parport_pc             28933  1
lp                     13001  0
parport                40585  2 parport_pc,lp
autofs4                29253  2
rfcomm                 42333  0
l2cap                  30661  5 rfcomm
bluetooth              56133  4 rfcomm,l2cap
sunrpc                167813  1
pcmcia                 29025  2
ipt_REJECT              5569  1
ipt_state               1857  2
ip_conntrack           41497  1 ipt_state
iptable_filter          2881  1
ip_tables              19521  3 ipt_REJECT,ipt_state,iptable_filter
video                  15941  0
button                  6609  0
battery                 9413  0
ac                      4805  0
md5                     4033  1
ipv6                  268097  10
ohci1394               41353  0
ieee1394              304441  1 ohci1394
yenta_socket           21449  1
rsrc_nonstatic         12737  1 yenta_socket
pcmcia_core            50909  3 pcmcia,yenta_socket,rsrc_nonstatic
ohci_hcd               26849  0
shpchp                 94405  0
i2c_ali1535             7365  0
i2c_core               21569  1 i2c_ali1535
snd_ali5451            28933  1
snd_ac97_codec         75961  1 snd_ali5451
snd_seq_dummy           3653  0
snd_seq_oss            37057  0
snd_seq_midi_event      9153  1 snd_seq_oss
snd_seq                62289  5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device          8781  3 snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss            51185  0
snd_mixer_oss          17857  1 snd_pcm_oss
snd_pcm               100169  3 snd_ali5451,snd_ac97_codec,snd_pcm_oss
snd_timer              33605  2 snd_seq,snd_pcm
snd                    57157  11 snd_ali5451,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore              10913  1 snd
snd_page_alloc          9669  1 snd_pcm
natsemi                34849  0
floppy                 65269  0
joydev                  9601  0
dm_snapshot            17413  0
dm_zero                 2113  0
dm_mirror              26029  0
ext3                  132553  2
jbd                    86233  1 ext3
dm_mod                 58101  6 dm_snapshot,dm_zero,dm_mirror
[root@thyrsus-laptop ~]# /sbin/losetup -e blowfish /dev/loop0 /var/local/cdata
/var/local/cdata: Permission denied

Version-Release number of selected component (if applicable):
util-linux-2.12p-9.3; selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. [root@thyrsus-laptop ~]# ls -l /var/local/cdata
   -rwx------  1 root root 2097152000 Jun 16 23:37 /var/local/cdata
2. [root@thyrsus-laptop ~]# lsmod   # blowfish, cryptoloop, loop modules loaded
   Module                  Size  Used by
   blowfish                9153  0
   cryptoloop              3521  0
   loop                   18121  1 cryptoloop
   radeon                 76609  1
   drm                    70101  2 radeon
   parport_pc             28933  1
   lp                     13001  0
   parport                40585  2 parport_pc,lp
   autofs4                29253  2
   rfcomm                 42333  0
   l2cap                  30661  5 rfcomm
   bluetooth              56133  4 rfcomm,l2cap
   sunrpc                167813  1
   pcmcia                 29025  2
   ipt_REJECT              5569  1
   ipt_state               1857  2
   ip_conntrack           41497  1 ipt_state
   iptable_filter          2881  1
   ip_tables              19521  3 ipt_REJECT,ipt_state,iptable_filter
   video                  15941  0
   button                  6609  0
   battery                 9413  0
   ac                      4805  0
   md5                     4033  1
   ipv6                  268097  10
   ohci1394               41353  0
   ieee1394              304441  1 ohci1394
   yenta_socket           21449  1
   rsrc_nonstatic         12737  1 yenta_socket
   pcmcia_core            50909  3 pcmcia,yenta_socket,rsrc_nonstatic
   ohci_hcd               26849  0
   shpchp                 94405  0
   i2c_ali1535             7365  0
   i2c_core               21569  1 i2c_ali1535
   snd_ali5451            28933  1
   snd_ac97_codec         75961  1 snd_ali5451
   snd_seq_dummy           3653  0
   snd_seq_oss            37057  0
   snd_seq_midi_event      9153  1 snd_seq_oss
   snd_seq                62289  5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
   snd_seq_device          8781  3 snd_seq_dummy,snd_seq_oss,snd_seq
   snd_pcm_oss            51185  0
   snd_mixer_oss          17857  1 snd_pcm_oss
   snd_pcm               100169  3 snd_ali5451,snd_ac97_codec,snd_pcm_oss
   snd_timer              33605  2 snd_seq,snd_pcm
   snd                    57157  11 snd_ali5451,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
   soundcore              10913  1 snd
   snd_page_alloc          9669  1 snd_pcm
   natsemi                34849  0
   floppy                 65269  0
   joydev                  9601  0
   dm_snapshot            17413  0
   dm_zero                 2113  0
   dm_mirror              26029  0
   ext3                  132553  2
   jbd                    86233  1 ext3
   dm_mod                 58101  6 dm_snapshot,dm_zero,dm_mirror
3. [root@thyrsus-laptop ~]# /sbin/losetup -e blowfish /dev/loop0 /var/local/cdata
   /var/local/cdata: Permission denied

Actual Results:
/var/local/cdata: Permission denied

Expected Results:
Password: (prompt for password)

Additional info:
This worked in Fedora Core 2 and Fedora Core 3; if I had to bet, I'd put money on it being a problem with the default (targeted, right?) SELinux configuration. However, there are no messages corresponding to the event in /var/log/messages, where, at least at one point, SELinux audit messages were sent. If there is some sort of logging I can turn on, I'll be happy to do so.

An strace of the losetup process contains the line:
open("/var/local/cdata", O_RDWR|O_LARGEFILE) = -1 EACCES (Permission denied)
I can confirm this bug. Upgraded from FC3 to FC4 and have had to "setenforce 0" since then for loopback mounts. I have moved the image file around the filesystem and did

setfiles /etc/selinux/targeted/contexts/files/file_contexts $imagefile

but it did not help. Tried to find a valid security context ("chcon") for the image file but failed. Always got something like

avc: denied ... comm="losetup" ... scontext=root:system_r:fsadm_t tcontext=... tclass=file

Using FC4, 2.6.11-1.1369_FC4xen0, util-linux-2.12p-9.5, selinux-policy-targeted-1.23.16-6
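The comment above quotes AVC denials for losetup running in the fsadm_t domain. As an added example (not from the reporter or from Fedora), here is a small Python parser that pulls the scontext/tcontext/tclass fields out of such log lines and counts denials per source/target type pair, so the offending file label can be identified from /var/log/messages instead of falling back to setenforce 0. The log lines, tcontext types, pids and inode numbers are constructed placeholders; only comm="losetup", scontext=root:system_r:fsadm_t and tclass=file come from the report.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the AVC denials quoted in the comment.
# tcontext types, pids, inodes and timestamps are placeholders, not from the report.
SAMPLE_LOG = """\
Jun 17 00:12:01 thyrsus-laptop kernel: audit(1118981521.123:4): avc:  denied  { read write } for  pid=4321 comm="losetup" name="cdata" dev=hda3 ino=98765 scontext=root:system_r:fsadm_t tcontext=root:object_r:var_t tclass=file
Jun 17 00:12:05 thyrsus-laptop kernel: audit(1118981525.456:5): avc:  denied  { read write } for  pid=4330 comm="losetup" name="domain1-rootfs" dev=hda3 ino=98770 scontext=root:system_r:fsadm_t tcontext=root:object_r:user_home_t tclass=file
Jun 17 00:12:09 thyrsus-laptop kernel: audit(1118981529.789:6): avc:  granted  { setenforce } for  pid=4340 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

# "avc: denied { perms } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def denials_by_domain(log_text, comm=None):
    """Count denied (source type, target type, tclass, perms) tuples, optionally for one comm."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if comm is not None and rec.get("comm") != comm:
            continue
        s_type = rec["scontext"].split(":")[2]   # user:role:type -> type
        t_type = rec["tcontext"].split(":")[2]
        counts[(s_type, t_type, rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts


if __name__ == "__main__":
    # Which target types is losetup (fsadm_t) being denied access to, and how often?
    for (s, t, cls, perms), n in denials_by_domain(SAMPLE_LOG, comm="losetup").items():
        print(f"{n}x {s} -> {t} ({cls}): {perms}")
```

On a real system, feed it the contents of /var/log/messages (or the audit log) and filter on the comm that failed; the target type in each denied tuple is the label that the policy would need to permit, or that the file needs relabelled away from.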
Bug #160859 is a duplicate of this. It has a good summary line.
xen does not work on image files because of this bug. "xm create" fails when xend tries to assign a /dev/loop* to the image file. But when I do

setenforce 0
losetup /dev/loop0 /home/xen/domain1-rootfs
setenforce 1
xm create domain1

it works.
An upgrade to selinux-policy-targeted-1.23.18-12 resolved this issue for me. Now I can do "losetup" and "mount -o loop" again. Unfortunately, xen's "xm create" still does not work. Will open a xen bug entry for this.
See bug #161195.
I ran up2date last night, bringing in selinux-policy-targeted-1.23.18-12, and this is working as I'd like. I'd be happy to see this declared resolved. The form would seem to allow me to do that, but I'm not familiar enough with the QA requirements to feel comfortable doing that. I haven't (yet) tried xen.
Thanks for your feedback.