This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 213916 - Cannot dump Xen VM corefile when in enforcing mode
Cannot dump Xen VM corefile when in enforcing mode
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Xen Maintainance List
:
Depends On: 208447
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-03 14:03 EST by Stephen Tweedie
Modified: 2008-03-27 00:41 EDT (History)
1 user (show)

See Also:
Fixed In Version: 5.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-27 00:41:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Stephen Tweedie 2006-11-03 14:03:37 EST
+++ This bug was initially created as a clone of Bug #208447 +++

Description of problem:
I have a Xen paravirt guest called 'demo' running. The host system has the
targetted policy loaded, in enforcing mode. Attempting to dump a corefile of the
guest VM results in:

# xm dump-core demo demo.core
dumping core of domain:demo ...
Error: [Errno 13] Permission denied

There is nothing logged in /var/log/audit/audit.log

If, however, I disable enforcing mode 'setenforce 0', then the operation
succeeeds, and the audit logs now do contain useful info:

type=AVC msg=audit(1159461156.920:245): avc:  denied  { read write } for 
pid=6291 comm="python" name="demo.core" dev=dm-0 ino=27121766
scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1159461156.920:245): arch=c000003e syscall=2 success=yes
exit=20 a0=2aaab24a7b0c a1=42 a2=180 a3=2aaab16852e8 items=0 ppid=2645 pid=6291
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)

I am in '/root' when attempting to dump the corefile


Version-Release number of selected component (if applicable):
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-2.3.16-2
selinux-policy-targeted-2.3.16-2
libselinux-1.30.28-2


How reproducible:
Always

Steps to Reproduce:
1. Create a Xen guest VM on a machine ruunning targetted policy, in enforcing mode
2. Login as root
3. Run 'xm dump-core <vmname>  demo.core
  
Actual results:
Permission denied

Expected results:
Dump succeeeds generating  demo.core

Additional info:
Hard to know what best course of action is here - do we change policy to either
allow Xend to generate core files anywhere on the FS, or do we force admins to
save their corefiles in a specific directory ? If the latter, we need to
document it and preferrably get 'xm dump-core' to print out some message to this
effect.

-- Additional comment from dwalsh@redhat.com on 2006-09-28 12:41 EST --
xend currently can only write to directories labeled xend_var_lib_t and
xend_var_log_t. 

/var/log/xen
/var/lib/xend
/var/lib/xen

So we can either setup a default directory /xen/core where these dups happen, or
tell users that they need to dump in one of these directories.

-- Additional comment from dwalsh@redhat.com on 2006-11-03 10:57 EST --
You should dump to /var/lib/xen/dump

-- Additional comment from sct@redhat.com on 2006-11-03 13:58 EST --
Why is this in "modified", has anything actually been fixed?  Rawhide xen still
appears to have

                corefile = "/var/xen/dump/%s-%s.%s.core" % (this_time,
                                  self.info['name'], self.domid)

in tools/python/xen/xend/XendDomainInfo.py.

Reopening.

-- Additional comment from sct@redhat.com on 2006-11-03 13:59 EST --
Reassigning to xen component.
Comment 2 Karl MacMillan 2007-03-29 11:35:36 EDT
Assigning back to xen component - the python code should be fixed rather than
allowing dumping anywhere.
Comment 3 Chris Lalancette 2007-09-26 10:12:10 EDT
Stephen,
     Has this been fixed?  It seems like it, since as far as I remember we now
dump to /var/lib/xen/dump, but I just want to make sure I'm not missing
something.  If it is fixed, we can close this out.

Chris Lalancette
Comment 4 Chris Lalancette 2008-03-27 00:41:24 EDT
Confirmed that this is fixed (and has been fixed for a while).  Closing this out
as CURRENTRELEASE.

Chris Lalancette

Note You need to log in before you can comment on or make changes to this bug.