Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 210314 - AVC denial with xen create -c
AVC denial with xen create -c
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xen (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Xen Maintainance List
Martin Jenner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-10-11 10:44 EDT by Chris Runge
Modified: 2008-02-26 18:31 EST (History)
3 users (show)

See Also:
Fixed In Version: FC6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 18:31:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Chris Runge 2006-10-11 10:44:47 EDT 
Description of problem:

AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc:  denied  { read write } for 
pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes
exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34):  path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.3.18-8
xen-3.0.2-44
kernel-xen-2.6.18-1.2759.fc6

How reproducible:

100%

Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest
  
Actual results:

avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:


Additional info:

# ls -Z /xen/rhel4.dsk 
-rwxr-xr-x  root root system_u:object_r:xen_image_t    /xen/rhel4.dsk
Comment 1 Daniel Walsh 2006-10-16 12:12:44 EDT 
This is a leaked file descriptor from xen that the kernel is checking the access
allowed for the confined domain ifconfig.
Comment 3 Karl MacMillan 2007-03-29 11:45:51 EDT 
Assigned back to xen component - as Dan says, this is a leaked file descriptor.
Comment 4 Daniel Berrange 2007-03-29 11:59:22 EDT 
This was fixed in a recent FC6 update:

* Tue Mar  6 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-7.fc6
- Close QEMU file handles when running network script


Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no
longer get the SELinux AVC messages.
Comment 5 Red Hat Bugzilla 2007-07-24 19:59:59 EDT 
change QA contact
Comment 6 Chris Lalancette 2008-02-26 18:31:19 EST 
Since this seems to have been fixed in FC6, closing as CURRENTRELEASE
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.