Bug 185315 - avc denied with xen0 kernel
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xen
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Jeremy Katz
QA Contact: Brian Brock
Blocks: 179599
Reported: 2006-03-13 12:27 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-09-25 16:38:00 EDT
Description Orion Poplawski 2006-03-13 12:27:59 EST
Description of problem:
Up-to-date rawhide and rebooted with /.autorelabel.

avc:  denied  { search } for  pid=678 comm="pam_console_app" name="var" dev=dm-0 ino=34817 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c255 tcontext=system_u:object_r:file_t:s0 tclass=dir
avc:  denied  { relabelto } for  pid=1396 comm="setfiles" name="null" dev=dm-2 ino=8393747 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=chr_file
avc:  denied  { search } for  pid=2632 comm="hald" name="export" dev=dm-0 ino=110593 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
avc:  denied  { getattr } for  pid=2632 comm="hald" name="/" dev=dm-2 ino=16 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
avc:  denied  { getattr } for  pid=2632 comm="hald" name="mock" dev=dm-2 ino=19 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
avc:  denied  { read write } for  pid=2749 comm="xenstored" name="console" dev=tmpfs ino=712 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
avc:  denied  { read write } for  pid=2752 comm="xenconsoled" name="console" dev=tmpfs ino=712 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
avc:  denied  { read write } for  pid=2769 comm="ip" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { read write } for  pid=2873 comm="dhclient-script" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { use } for  pid=2875 comm="consoletype" name="null" dev=tmpfs ino=1157 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=fd
avc:  denied  { use } for  pid=2875 comm="consoletype" name="xend.log" dev=dm-4 ino=196665 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=fd
avc:  denied  { read write } for  pid=2909 comm="ip" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { read write } for  pid=2945 comm="ifconfig" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { read write } for  pid=2985 comm="iwconfig" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { read write } for  pid=2987 comm="ethtool" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { read write } for  pid=2993 comm="mii-tool" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket

# mount
/dev/mapper/rootvg-root on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/rootvg-data1 on /export/data1 type ext3 (rw)
/dev/mapper/rootvg-scratch on /scratch type xfs (rw)
/dev/mapper/rootvg-usr on /usr type ext3 (rw)
/dev/mapper/rootvg-var on /var type ext3 (rw)
tmpfs on /tmp type tmpfs (rw)
/scratch/mock on /var/lib/mock type none (rw,bind)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
automount(pid2046) on /net type autofs (rw,fd=4,pgrp=2046,minproto=2,maxproto=4)
automount(pid2109) on /fs type autofs (rw,fd=4,pgrp=2109,minproto=2,maxproto=4)
automount(pid2174) on /opt type autofs (rw,fd=4,pgrp=2174,minproto=2,maxproto=4)
automount(pid2245) on /data type autofs (rw,fd=4,pgrp=2245,minproto=2,maxproto=4)
automount(pid2323) on /home type autofs (rw,fd=4,pgrp=2323,minproto=2,maxproto=4)
automount(pid2403) on /data4 type autofs (rw,fd=4,pgrp=2403,minproto=2,maxproto=4)
earth:/export/local on /opt/local type nfs (rw,intr,rsize=8192,wsize=8192,addr=192.168.0.8)
saga:/export/data1 on /data/sw1 type nfs (rw,intr,rsize=8192,wsize=8192,addr=192.168.0.12)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.23-15
Comment 1 Daniel Walsh 2006-03-13 12:58:10 EST
These are known leaks of the xend application
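
An added example (not part of the bug report and not code from Fedora or Xen): a small Python triage script that parses AVC denials in the format shown in the description and groups the ones that look like inherited descriptors by the domain that owns them. Treating `tclass=fd` or a socket class whose source and target types differ as an inherited descriptor is a heuristic assumed here, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Three denials copied from the description above, used as sample input.
SAMPLE = """\
avc:  denied  { search } for  pid=2632 comm="hald" name="export" dev=dm-0 ino=110593 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
avc:  denied  { read write } for  pid=2769 comm="ip" name="[91077]" dev=sockfs ino=91077 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=unix_stream_socket
avc:  denied  { use } for  pid=2875 comm="consoletype" name="null" dev=tmpfs ino=1157 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=fd
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per denial; tolerates records wrapped between tokens."""
    for rec in re.split(r'avc:\s+denied', text)[1:]:
        rec = " ".join(rec.split())  # collapse hard wraps and padding
        perms = re.search(r'\{([^}]*)\}', rec)
        d = {k: v.strip('"') for k, v in FIELD.findall(rec)}
        d["perms"] = perms.group(1).split() if perms else []
        yield d

def ctx_type(context):
    # An SELinux context is user:role:type[:range]; the type is field three.
    return context.split(":")[2]

def inherited_descriptor(d):
    """Heuristic (assumption of this example): the object is an open fd or
    socket labelled with another process domain, i.e. it was inherited."""
    cls = d.get("tclass", "")
    if not (cls == "fd" or cls.endswith("_socket")):
        return False
    return ctx_type(d["scontext"]) != ctx_type(d["tcontext"])

def leaks_by_owner(text):
    """Map owning domain -> sorted (comm, tclass) pairs that inherited from it."""
    out = defaultdict(set)
    for d in parse_avc(text):
        if "scontext" in d and "tcontext" in d and inherited_descriptor(d):
            out[ctx_type(d["tcontext"])].add((d["comm"], d["tclass"]))
    return {owner: sorted(users) for owner, users in out.items()}

if __name__ == "__main__":
    for owner, users in leaks_by_owner(SAMPLE).items():
        print(owner, users)
```

Denials that fall outside the grouping, such as the `default_t` and `file_t` ones, concern file labels rather than descriptors and need separate handling.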
Comment 2 Jeremy Katz 2006-09-25 16:38:00 EDT
Current rawhide tools + policy seem to be okay
