Bug 210314 - AVC denial with xen create -c
Product: Fedora
Classification: Fedora
Component: xen
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Xen Maintainance List
QA Contact: Martin Jenner
Reported: 2006-10-11 10:44 EDT by Chris Runge
Modified: 2008-02-26 18:31 EST
Fixed In Version: FC6
Doc Type: Bug Fix
Last Closed: 2008-02-26 18:31:19 EST
Description Chris Runge 2006-10-11 10:44:47 EDT
Description of problem:

AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc:  denied  { read write } for 
pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274
tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes
exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="ifconfig" exe="/sbin/ifconfig"
subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34):  path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest
Actual results:

avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:

Additional info:

# ls -Z /xen/rhel4.dsk 
-rwxr-xr-x  root root system_u:object_r:xen_image_t    /xen/rhel4.dsk
Comment 1 Daniel Walsh 2006-10-16 12:12:44 EDT
This is a leaked file descriptor from xen that the kernel is checking the access
allowed for the confined domain ifconfig.
Comment 3 Karl MacMillan 2007-03-29 11:45:51 EDT
Assigned back to xen component - as Dan says, this is a leaked file descriptor.
Comment 4 Daniel Berrange 2007-03-29 11:59:22 EDT
This was fixed in a recent FC6 update:

* Tue Mar  6 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-7.fc6
- Close QEMU file handles when running network script

Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no
longer get the SELinux AVC messages.
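The leak described in Comments 1 and 4, as an added example (not code from the xen package or from this report): a parent holds a file open and fork/execs a helper, and without FD_CLOEXEC the helper inherits the descriptor, which is the inherited access SELinux checked against ifconfig_t. The temp file, fd number 9 and the /bin/sh helper are assumptions standing in for the disk image and the network script; FD_CLOEXEC is one way to close handles at exec, and the actual xen patch is not shown on this page.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define IMAGE_FD 9  /* fixed slot so the helper command can name it */

/* Open a stand-in "disk image" on IMAGE_FD. Neither mkstemp() nor dup2()
 * sets FD_CLOEXEC, so by default the descriptor survives exec. */
static int open_image(int cloexec)
{
    char path[] = "/tmp/guest-image-XXXXXX";  /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (dup2(fd, IMAGE_FD) < 0) { close(fd); return -1; }
    if (fd != IMAGE_FD) close(fd);
    if (cloexec && fcntl(IMAGE_FD, F_SETFD, FD_CLOEXEC) < 0) return -1;
    return IMAGE_FD;
}

/* Fork and exec a helper, the way a daemon runs a network script.
 * Returns 1 if the helper inherited IMAGE_FD, 0 if not, -1 on error. */
static int helper_sees_image(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* "<&9" fails in the shell when fd 9 is not open. */
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : <&9", (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Run one scenario: cloexec=0 is the leaky case, cloexec=1 the fixed one. */
int leak_demo(int cloexec)
{
    int seen;
    if (open_image(cloexec) < 0) return -1;
    seen = helper_sees_image();
    close(IMAGE_FD);
    return seen;
}

int main(void)
{
    printf("without FD_CLOEXEC: helper inherits fd = %d\n", leak_demo(0));
    printf("with FD_CLOEXEC:    helper inherits fd = %d\n", leak_demo(1));
    return 0;
}
```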
Comment 5 Red Hat Bugzilla 2007-07-24 19:59:59 EDT
change QA contact
Comment 6 Chris Lalancette 2008-02-26 18:31:19 EST
Since this seems to have been fixed in FC6, closing as CURRENTRELEASE
