Bug 188222 - xen policy doesn't allow dom0 to run domU kernels
Summary: xen policy doesn't allow dom0 to run domU kernels
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-04-07 07:14 UTC by James Antill
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-05-09 16:47:30 UTC


Attachments (Terms of Use)

Description James Antill 2006-04-07 07:14:42 UTC
Description of problem:
 If you install FC5+xen, keeping selinux turned on and try to run xen kernels
without pygrub (Eg. from jailtime.org) ... you get the message:

Error: Error creating domain: Kernel image does not exist:
/boot/vmlinuz-2.6.15-1.33_FC5guest

...this is because of these AVC messages:

audit(1144393234.651:70): avc:  denied  { search } for  pid=2490 comm="python"
name="/" dev=hda1 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
audit(1144393234.651:71): avc:  denied  { getattr } for  pid=2490 comm="python"
name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0
tclass=file
audit(1144393234.659:72): avc:  denied  { read } for  pid=2490 comm="python"
name="vmlinuz-2.6.16-1.2080_FC5xenU" dev=hda1 ino=6053
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:boot_t:s0
tclass=file

...I'm making this high severity because as a Red Hat employee I spent _hours_
trying to work out why our Xen install didn't work with other people's Xen
images (assuming it was a Xen problem) and spoke with several RH people who
probably all think I'm on crack (and are presumably running without selinux
*sigh*) ... at the end I happened to look at dmesg for some other reason and saw
the audit messages.

Version-Release number of selected component (if applicable):
% rpm -q kernel-xen0 selinux-policy-targeted
kernel-xen0-2.6.16-1.2080_FC5
selinux-policy-targeted-2.2.25-2.fc5

Comment 3 Daniel Walsh 2006-05-09 15:44:10 UTC
fixed in selinux-policy-2.2.38-1.FC5.

Comment 4 James Antill 2006-05-09 16:47:30 UTC
 I'll close this, although given that you hit BZ#184393 immediately it's still
kind of broken :).



Note You need to log in before you can comment on or make changes to this bug.