Bug 185336 - Xend breaks due to AVC denials when running a guest off a physical block device
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: James Antill
Blocks: 179599
Reported: 2006-03-13 15:16 EST by Stephen Tweedie
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:14:10 EDT

Description Stephen Tweedie 2006-03-13 15:16:22 EST
Description of problem:
When a xen guest is built on top of a physical/logical disk device (i.e.
"phy:/dev/$foo" in the xen config) instead of a virtual disk image file (i.e.
"file:$file"), then domain reboot breaks xen completely: the xend server is
rendered inoperable until it is manually restarted.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. xm create -c $GUEST (where $GUEST uses a phy: virtual device)
2. "/sbin/reboot -f" from within the guest
3. "xm list" to attempt to talk to the xen daemon
Actual results:
Guest says "restarting system" and then hangs;
subsequent attempts to talk to xend fail, with (e.g.)
# xm list
  File "/usr/lib64/python2.4/site-packages/xen/xend/XendProtocol.py", line 138,
in handleException
    raise err
xen.xend.XendProtocol.XendError: Disk isn't accessible

and the audit logs show:
type=AVC msg=audit(1142281223.433:98): avc:  denied  { read } for  pid=3899
comm="python" name="frag-guest64--1" dev=tmpfs ino=878
tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Expected results:
Guest should reboot, xend should not break.
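
The AVC record quoted in the description answers the triage question directly: which process was denied which permission on which object type and class. As an added example (not part of the bug report or of the selinux-policy or Xen packages), this Python code parses such records and tallies denials; the function names are hypothetical and the sample is the report's record rejoined onto one line.

```python
import re
from collections import Counter

# The report's AVC record, rejoined onto one line; fields the page omits stay absent.
SAMPLE = (
    'type=AVC msg=audit(1142281223.433:98): avc:  denied  { read } for  pid=3899 '
    'comm="python" name="frag-guest64--1" dev=tmpfs ino=878 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        'epoch': float(m.group('epoch')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
    }
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value.strip('"')
    # Contexts are user:role:type[:level]; policy rules are written against the type.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx[0] + 'type'] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(lines):
    """Count denials per (comm, permission, target type, object class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied':
            for perm in rec['perms']:
                key = (rec.get('comm'), perm, rec.get('ttype'), rec.get('tclass'))
                counts[key] += 1
    return counts
```

For the report's record, the tally key is ("python", "read", "fixed_disk_device_t", "blk_file"), which is the access a policy fix has to account for.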
Comment 2 James Antill 2006-07-14 12:53:53 EDT
 This should be fixed with the latest policy/xen packages.
Comment 4 Daniel Walsh 2007-08-22 10:14:10 EDT
Should be fixed in the current release
