Bug 210314 - AVC denial with xen create -c
Summary: AVC denial with xen create -c
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: xen
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Xen Maintainance List
QA Contact: Martin Jenner
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-11 14:44 UTC by Chris Runge
Modified: 2008-02-26 23:31 UTC (History)

Fixed In Version: FC6
Clone Of:
Environment:
Last Closed: 2008-02-26 23:31:19 UTC
Type: ---
Embargoed:



Description Chris Runge 2006-10-11 14:44:47 UTC
Description of problem:

AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc:  denied  { read write } for 
pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes
exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34):  path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.3.18-8
xen-3.0.2-44
kernel-xen-2.6.18-1.2759.fc6

How reproducible:

100%

Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest
  
Actual results:

avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:


Additional info:

# ls -Z /xen/rhel4.dsk 
-rwxr-xr-x  root root system_u:object_r:xen_image_t    /xen/rhel4.dsk

Comment 1 Daniel Walsh 2006-10-16 16:12:44 UTC
This is a leaked file descriptor from xen that the kernel is checking the access
allowed for the confined domain ifconfig.

Comment 3 Karl MacMillan 2007-03-29 15:45:51 UTC
Assigned back to xen component - as Dan says, this is a leaked file descriptor.

Comment 4 Daniel Berrangé 2007-03-29 15:59:22 UTC
This was fixed in a recent FC6 update:

* Tue Mar  6 2007 Daniel P. Berrange <berrange> - 3.0.3-7.fc6
- Close QEMU file handles when running network script


Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no
longer get the SELinux AVC messages.

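The mechanism behind this bug, as an added illustration that is not Xen's or QEMU's own code: a daemon holds the guest's disk image open, forks a helper (here the network script, which in turn runs ifconfig), and because the descriptor is neither close-on-exec nor closed in the child, the helper inherits it and the kernel checks the helper's SELinux domain against the image's label. The example below uses an unlinked temp file as a stand-in for the disk image and probes whether a descriptor survived exec by running `/bin/sh -c "exec 9<&N"`, which exits non-zero when N is not open. Both fixes are shown: marking the descriptor FD_CLOEXEC at open time, and closing every descriptor above stderr in the child before exec, which is what a "close file handles before running the script" change amounts to. The file path and the shell probe are choices made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a guest disk image: an unlinked temp file that the
 * parent keeps open, exactly like a daemon holding rhel4.dsk. No O_CLOEXEC. */
static int open_image_leaky(void)
{
    char path[] = "/tmp/fdleak-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);            /* the fd stays valid; only the name is gone */
    return fd;
}

/* Same image, but flagged close-on-exec so any exec() in a child drops it. */
static int open_image_cloexec(void)
{
    int fd = open_image_leaky();
    if (fd >= 0 && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec a helper script, then report whether `fd` was still open in
 * the exec'd process. If close_in_child is set, the child first closes every
 * descriptor above stderr, the defensive pattern for spawning helpers.
 * Returns 1 if the helper could see the fd, 0 if not, -1 on error. */
static int fd_visible_to_helper(int fd, int close_in_child)
{
    char cmd[64];
    /* stderr redirect first so a failing dup does not print to our terminal */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (close_in_child) {
            long max = sysconf(_SC_OPEN_MAX);
            for (int i = 3; i < max; i++)
                close(i);
        }
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);              /* exec failed: treat as not visible */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Three scenarios, each returning what the helper saw. */
int demo_leaky(void)           /* the bug: helper inherits the image fd */
{
    int fd = open_image_leaky();
    int seen = fd_visible_to_helper(fd, 0);
    close(fd);
    return seen;
}

int demo_cloexec(void)         /* fix 1: FD_CLOEXEC at open time */
{
    int fd = open_image_cloexec();
    int seen = fd_visible_to_helper(fd, 0);
    close(fd);
    return seen;
}

int demo_close_in_child(void)  /* fix 2: close handles before running script */
{
    int fd = open_image_leaky();
    int seen = fd_visible_to_helper(fd, 1);
    close(fd);
    return seen;
}

int main(void)
{
    printf("leaky open:        helper sees image fd = %d\n", demo_leaky());
    printf("FD_CLOEXEC:        helper sees image fd = %d\n", demo_cloexec());
    printf("close in child:    helper sees image fd = %d\n", demo_close_in_child());
    return 0;
}
```

On a host with SELinux enforcing, the leaky case is what produces the `ifconfig_t` versus `xen_image_t` denial above: the denial is logged against the helper's domain even though the helper never asked for the file. Auditing `ausearch -m AVC -c ifconfig` style output for files the named command has no business touching is a cheap way to spot this class of leak in other daemons.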

Comment 5 Red Hat Bugzilla 2007-07-24 23:59:59 UTC
change QA contact

Comment 6 Chris Lalancette 2008-02-26 23:31:19 UTC
Since this seems to have been fixed in FC6, closing as CURRENTRELEASE

