Description of problem:
AVC denial when running "xm create -c rhel4" to start an already created Xen guest

type=AVC msg=audit(1160577484.431:34): avc: denied { read write } for pid=4729 comm="ifconfig" name="rhel4.dsk" dev=dm-0 ino=950274 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:xen_image_t:s0 tclass=file
type=SYSCALL msg=audit(1160577484.431:34): arch=40000003 syscall=11 success=yes exit=0 a0=9367f10 a1=9368428 a2=9368320 a3=93681e8 items=0 ppid=4724 pid=4729 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1160577484.431:34): path="/xen/rhel4.dsk"

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.18-8
xen-3.0.2-44
kernel-xen-2.6.18-1.2759.fc6

How reproducible:
100%

Steps to Reproduce:
1. Create a Xen guest
2. Start the Xen guest

Actual results:
avc denial; guest console does not automatically appear; must use vncviewer manually

Expected results:

Additional info:
# ls -Z /xen/rhel4.dsk
-rwxr-xr-x root root system_u:object_r:xen_image_t /xen/rhel4.dsk
This is a leaked file descriptor from xen that the kernel is checking the access allowed for the confined domain ifconfig.
Assigned back to xen component - as Dan says, this is a leaked file descriptor.
This was fixed in a recent FC6 update:

* Tue Mar 6 2007 Daniel P. Berrange <berrange> - 3.0.3-7.fc6
- Close QEMU file handles when running network script

Please upgrade your host to xen-3.0.3-7.fc6 and re-test to confirm that you no longer get the SELinux AVC messages.
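The comments above describe the mechanism (a disk-image descriptor inherited by the network script, which SELinux then flags because ifconfig_t has no business touching xen_image_t) and the fix (close the handles before spawning the script). The following is an added illustration, not code from Xen, QEMU or this bug: a Python stand-in in which a temporary file plays the role of /xen/rhel4.dsk and a small probe process plays the role of the network script, reporting whether it can still reach the image descriptor. It shows the leaky pattern beside the two standard fixes, marking the descriptor close-on-exec (O_CLOEXEC) and closing non-standard descriptors at spawn time (close_fds=True); function names and the probe are assumptions of this example.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for the network script: exits 0 only if the descriptor number it is
# handed is open in its own process AND refers to the same inode as the parent
# saw, so a coincidental reuse of the number cannot be mistaken for a leak.
PROBE = (
    "import os, sys\n"
    "fd, ino, dev = (int(a) for a in sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if (st.st_ino, st.st_dev) == (ino, dev) else 1)\n"
)


def helper_can_see_fd(fd: int, close_fds: bool) -> bool:
    """Spawn the probe; True means the image descriptor leaked into the child."""
    st = os.fstat(fd)
    result = subprocess.run(
        [sys.executable, "-c", PROBE, str(fd), str(st.st_ino), str(st.st_dev)],
        close_fds=close_fds,
    )
    return result.returncode == 0


def leaky_spawn(image_path: str) -> bool:
    """The bug: image opened inheritable, helper spawned with every fd inherited."""
    fd = os.open(image_path, os.O_RDWR)
    try:
        # Python makes new descriptors non-inheritable by default (PEP 446);
        # a plain C open() does not, so mark it inheritable to mimic that.
        os.set_inheritable(fd, True)
        return helper_can_see_fd(fd, close_fds=False)
    finally:
        os.close(fd)


def fixed_spawn_cloexec(image_path: str) -> bool:
    """Fix at the descriptor: O_CLOEXEC closes it across exec even if the
    spawn code forgets to, so the helper never receives it."""
    fd = os.open(image_path, os.O_RDWR | os.O_CLOEXEC)
    try:
        return helper_can_see_fd(fd, close_fds=False)
    finally:
        os.close(fd)


def fixed_spawn_close_fds(image_path: str) -> bool:
    """Fix at the spawn: close everything above stdio in the child before exec,
    which is what 'close QEMU file handles when running network script' amounts to."""
    fd = os.open(image_path, os.O_RDWR)
    try:
        os.set_inheritable(fd, True)  # still inheritable, but close_fds drops it
        return helper_can_see_fd(fd, close_fds=True)
    finally:
        os.close(fd)


def demo() -> dict:
    """Run all three against a constructed stand-in for /xen/rhel4.dsk."""
    with tempfile.NamedTemporaryFile(prefix="rhel4-", suffix=".dsk", delete=False) as f:
        f.write(b"\0" * 4096)  # constructed dummy image contents
        path = f.name
    try:
        return {
            "leaky": leaky_spawn(path),
            "cloexec": fixed_spawn_cloexec(path),
            "close_fds": fixed_spawn_close_fds(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Only the leaky variant lets the helper reach the image; in that configuration a confined helper domain would produce exactly the kind of AVC shown in the report, because the kernel checks the access against the helper's context when it uses the inherited descriptor. Either fix alone is sufficient, and using both is the usual practice for daemons that spawn helper scripts.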
change QA contact
Since this seems to have been fixed in FC6, closing as CURRENTRELEASE