Bug 208434 - xenconsole problem with targeted policy
Summary: xenconsole problem with targeted policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-09-28 15:38 UTC by Chris Runge
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-11-28 21:13:07 UTC
Target Upstream Version:
Embargoed:



Description Chris Runge 2006-09-28 15:38:30 UTC
Description of problem:

When running "xm create -c <vm>" I get the following error:

xenconsole: Could not read tty from store: No such file or directory

and the console (fb or vnc) is not started, although the VM is

Version-Release number of selected component (if applicable):

kernel-xen-2.6.18-1.2704.el5
xen-3.0.2-39
libvirt-0.1.6-1
selinux-policy-targeted-2.3.14-6

How reproducible:

100%

Steps to Reproduce:
1. create a VM with xenguest-install
2. restart the VM with xm create -c
  
Additional info:

snippets from audit.log:

type=ANOM_PROMISCUOUS msg=audit(1159457584.800:42): dev=vif1.0 prom=256
old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1159457584.800:42): arch=40000003 syscall=54 success=yes
exit=0 a0=3 a1=89a2 a2=bfebeaf0 a3=1 items=0 ppid=4798 pid=4866 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl"
exe="/usr/sbin/brctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159457584.856:43): avc:  denied  { read write } for 
pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067
scontext=system_u:system_r:ifconfig_t:s0
tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1159457584.856:43): arch=40000003 syscall=11 success=yes
exit=0 a0=95aef20 a1=95af438 a2=95af330 a3=95af1f8 items=0 ppid=4854 pid=4881
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1159457584.856:43):  path="/xen/rhnsat41.dsk"
type=ANOM_PROMISCUOUS msg=audit(1159457584.868:44): dev=tap0 prom=256 old_prom=0
auid=4294967295
type=SYSCALL msg=audit(1159457584.868:44): arch=40000003 syscall=54 success=yes
exit=0 a0=5 a1=89a2 a2=bfe54300 a3=1 items=0 ppid=4854 pid=4882 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl"
exe="/usr/sbin/brctl" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:45): avc:  denied  { search } for  pid=4777
comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:45): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbe41a0 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:46): avc:  denied  { name_connect } for 
pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:46): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbe4180 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:47): avc:  denied  { search } for  pid=4777
comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:47): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbe4190 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:48): avc:  denied  { name_connect } for 
pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:48): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfbe4170 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
subj=system_u:system_r:xend_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1159457586.196:49): dev=tap0 prom=0 old_prom=256
auid=4294967295

Comment 1 Daniel Walsh 2006-09-28 16:10:55 UTC
/xen/rhnsat41.dsk is labeled wrong.  It should be xen_image_t.

xend needs to connect to XServer over tcp?

Any idea what /usr/lib/xen/bin/qemu-dm is searching tmp for?

Comment 2 Chris Runge 2006-09-28 16:22:39 UTC
restorecon -R /xen fixed the labelling, but etc_runtime_t was the label
originally given (perhaps by xenguest-install, or xen)?

I don't know the answers to your other questions.

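The denials in the description and the diagnosis in comments 1 and 2 illustrate a triage step worth automating: before feeding AVC records to audit2allow, separate denials caused by a mislabeled object (fixed by restorecon) from denials that genuinely need a policy change (here the xend_t search of tmp_t and name_connect to xserver_port_t, which were fixed in the policy package). The script below is an added example, not part of this bug or of the selinux-policy package. It parses the AVC and AVC_PATH records quoted above (re-joined onto single lines as a constructed sample), pairs them by audit serial number, and applies a hypothetical per-host expectation that anything under /xen/ should carry xen_image_t; that prefix table is an assumption, the real labelling source is the file contexts consulted by matchpathcon and restorecon.

```python
import re
from collections import defaultdict

# Constructed sample: the distinct AVC records from the bug description,
# each audit record re-joined onto one line, plus the AVC_PATH record
# that names the mislabeled disk image.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159457584.856:43): avc:  denied  { read write } for  pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC_PATH msg=audit(1159457584.856:43):  path="/xen/rhnsat41.dsk"
type=AVC msg=audit(1159457585.676:45): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:46): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1159457585.676:47): avc:  denied  { search } for  pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:48): avc:  denied  { name_connect } for  pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
PATH_RE = re.compile(
    r'type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]+)"')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical expectation for this host: guest disk images under /xen/
# should be xen_image_t (the type Dan Walsh names in comment 1).
EXPECTED_TYPES = [('/xen/', 'xen_image_t')]


def parse_avc(text):
    """Parse AVC denial records; attach the AVC_PATH of the same serial."""
    denials, paths = [], {}
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths[m.group('serial')] = m.group('path')
            continue
        m = AVC_RE.match(line)
        if not m:
            continue
        d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        d['serial'] = m.group('serial')
        d['perms'] = frozenset(m.group('perms').split())
        # contexts are user:role:type:level; the type is what policy keys on
        d['stype'] = d['scontext'].split(':')[2]
        d['ttype'] = d['tcontext'].split(':')[2]
        denials.append(d)
    for d in denials:
        d['path'] = paths.get(d['serial'])
    return denials


def suspected_mislabels(denials):
    """File/dir denials whose path implies a different type than it carries.
    The fix for these is restorecon, not an allow rule."""
    out = []
    for d in denials:
        if d['tclass'] not in ('file', 'dir') or not d['path']:
            continue
        for prefix, expected in EXPECTED_TYPES:
            if d['path'].startswith(prefix) and d['ttype'] != expected:
                out.append((d['path'], d['ttype'], expected))
    return out


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (src, tgt, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


def triage(text):
    """Return (policy rules still needed, objects to relabel)."""
    denials = parse_avc(text)
    relabel = suspected_mislabels(denials)
    mislabeled = {path for path, _, _ in relabel}
    needs_policy = [d for d in denials if d['path'] not in mislabeled]
    return allow_rules(needs_policy), relabel


if __name__ == '__main__':
    rules, relabel = triage(SAMPLE_AUDIT_LOG)
    for path, actual, expected in relabel:
        print('relabel %s (%s, expected %s): restorecon -v %s'
              % (path, actual, expected, path))
    print('\n'.join(rules))
```

On the sample, the ifconfig_t denial on /xen/rhnsat41.dsk is reported as a relabel (etc_runtime_t instead of xen_image_t), matching what restorecon -R /xen fixed in comment 2, and only the two xend_t rules remain as candidate policy changes. Granting ifconfig_t read/write on etc_runtime_t, which a blind audit2allow run would suggest, would have widened the policy instead of fixing the label.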
Comment 3 Daniel Walsh 2006-09-28 18:43:54 UTC
Fixed in selinux-policy-2.3.16-6

Comment 4 Steve Grubb 2006-10-18 21:54:25 UTC
Adding to beta blocker since meets criteria and is already fixed.

Comment 5 RHEL Program Management 2006-10-18 22:04:31 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

