Bug 188222 - xen policy doesn't allow dom0 to run domU kernels
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware/OS: All Linux
Priority: medium
Severity: high
Reported: 2006-04-07 03:14 EDT by James Antill
Modified: 2007-11-30 17:11 EST
Fixed In Version: selinux-policy-2.2.38-1.FC5
Doc Type: Bug Fix
Last Closed: 2006-05-09 12:47:30 EDT
Description James Antill 2006-04-07 03:14:42 EDT
Description of problem:
 If you install FC5+xen, keeping selinux turned on, and try to run xen kernels
without pygrub (e.g. from jailtime.org) ... you get the message:

Error: Error creating domain: Kernel image does not exist:
/boot/vmlinuz-2.6.15-1.33_FC5guest

...this is because of these AVC messages:

audit(1144393234.651:70): avc:  denied  { search } for  pid=2490 comm="python"
name="/" dev=hda1 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
audit(1144393234.651:71): avc:  denied  { getattr } for  pid=2490 comm="python"
name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0
tclass=file
audit(1144393234.659:72): avc:  denied  { read } for  pid=2490 comm="python"
name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0
tclass=file

...I'm making this high severity because as a Red Hat employee I spent _hours_
trying to work out why our Xen install didn't work with other people's Xen
images (assuming it was a Xen problem) and spoke with several RH people who
probably all think I'm on crack (and are presumably running without selinux
*sigh*) ... at the end I happened to look at dmesg for some other reason and saw
the audit messages.

Version-Release number of selected component (if applicable):
% rpm -q kernel-xen0 selinux-policy-targeted
kernel-xen0-2.6.16-1.2080_FC5
selinux-policy-targeted-2.2.25-2.fc5
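As an added example (not code from this bug report, from xend, or from the Fedora policy package), the script below parses the three AVC records quoted above and collapses them into the allow rules a local policy module would need, which is the same aggregation `audit2allow` performs. The `SAMPLE_AVCS` string is the report's own denials re-joined onto one line each; the module name `xendboot` and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the bug report,
# each re-joined onto a single line. On a live system the source would be
# dmesg or /var/log/audit/audit.log.
SAMPLE_AVCS = """\
audit(1144393234.651:70): avc:  denied  { search } for  pid=2490 comm="python" name="/" dev=hda1 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
audit(1144393234.651:71): avc:  denied  { getattr } for  pid=2490 comm="python" name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
audit(1144393234.659:72): avc:  denied  { read } for  pid=2490 comm="python" name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
"""

# Matches the permission set in braces plus the source/target contexts and
# object class; everything between them (pid, comm, name, dev, ino) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a wrapped fragment); ignore
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def summarize(text):
    """Collapse individual denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def fmt_perms(perms):
    """One permission is written bare, several are written in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te_rules(text, module="xendboot"):
    """Render the summarized denials as a .te policy module body."""
    rules = summarize(text)
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = ["module %s 1.0;" % module, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s %s;" % (stype, ttype, tclass, fmt_perms(perms)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_te_rules(SAMPLE_AVCS))
```

For the three records above this yields `allow xend_t boot_t:dir search;` and `allow xend_t boot_t:file { getattr read };`, i.e. read-only access from the xend domain to files labelled `boot_t`, which is the minimum needed to load a kernel image from /boot. Two caveats: the fix that actually shipped is the policy update named in Comment 3, so a locally generated module is a stop-gap until that update is installed, not a replacement for it; and the same aggregation run over a noisier audit log encodes every unrelated denial it finds, so read each generated `allow` line before loading it. It is also worth confirming with `ls -Z` that the domU kernel really carries the `boot_t` label the denials show, since a file copied into /boot with a different context would not be covered by these rules.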
Comment 3 Daniel Walsh 2006-05-09 11:44:10 EDT
fixed in selinux-policy-2.2.38-1.FC5.
Comment 4 James Antill 2006-05-09 12:47:30 EDT
 I'll close this, although given that you hit BZ#184393 immediately it's still
kind of broken :).
