Bug 210314 – AVC denial with xen create -c

Bug 210314 - AVC denial with xen create -c

Summary:	AVC denial with xen create -c

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	xen (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Xen Maintainance List
QA Contact:	Martin Jenner
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2006-10-11 10:44 EDT by Chris Runge
Modified:	2008-02-26 18:31 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	FC6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-02-26 18:31:19 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Chris Runge 2006-10-11 10:44:47 EDT

Description of problem:

AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc:  denied  { read write } for 
pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes
exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34):  path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.3.18-8
xen-3.0.2-44
kernel-xen-2.6.18-1.2759.fc6

How reproducible:

100%

Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest
  
Actual results:

avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:


Additional info:

# ls -Z /xen/rhel4.dsk 
-rwxr-xr-x  root root system_u:object_r:xen_image_t    /xen/rhel4.dsk

Comment 1 Daniel Walsh 2006-10-16 12:12:44 EDT

This is a leaked file descriptor from xen that the kernel is checking the access
allowed for the confined domain ifconfig.

Comment 3 Karl MacMillan 2007-03-29 11:45:51 EDT

Assigned back to xen component - as Dan says, this is a leaked file descriptor.

Comment 4 Daniel Berrange 2007-03-29 11:59:22 EDT

This was fixed in a recent FC6 update:

* Tue Mar  6 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-7.fc6
- Close QEMU file handles when running network script


Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no
longer get the SELinux AVC messages.

Comment 5 Red Hat Bugzilla 2007-07-24 19:59:59 EDT

change QA contact

Comment 6 Chris Lalancette 2008-02-26 18:31:19 EST

Since this seems to have been fixed in FC6, closing as CURRENTRELEASE

Note You need to log in before you can comment on or make changes to this bug.