+++ This bug was initially created as a clone of Bug #208447 +++

Description of problem:
I have a Xen paravirt guest called 'demo' running. The host system has the targeted policy loaded, in enforcing mode. Attempting to dump a corefile of the guest VM results in:

# xm dump-core demo demo.core
dumping core of domain:demo ...
Error: [Errno 13] Permission denied

There is nothing logged in /var/log/audit/audit.log

If, however, I disable enforcing mode 'setenforce 0', then the operation succeeds, and the audit logs now do contain useful info:

type=AVC msg=audit(1159461156.920:245): avc: denied { read write } for pid=6291 comm="python" name="demo.core" dev=dm-0 ino=27121766 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1159461156.920:245): arch=c000003e syscall=2 success=yes exit=20 a0=2aaab24a7b0c a1=42 a2=180 a3=2aaab16852e8 items=0 ppid=2645 pid=6291 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null)

I am in '/root' when attempting to dump the corefile

Version-Release number of selected component (if applicable):
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-2.3.16-2
selinux-policy-targeted-2.3.16-2
libselinux-1.30.28-2

How reproducible: Always

Steps to Reproduce:
1. Create a Xen guest VM on a machine running targeted policy, in enforcing mode
2. Login as root
3. Run 'xm dump-core <vmname> demo.core'

Actual results: Permission denied

Expected results: Dump succeeds generating demo.core

Additional info:
Hard to know what best course of action is here - do we change policy to either allow Xend to generate core files anywhere on the FS, or do we force admins to save their corefiles in a specific directory? If the latter, we need to document it and preferably get 'xm dump-core' to print out some message to this effect.
-- Additional comment from dwalsh on 2006-09-28 12:41 EST --
xend currently can only write to directories labeled xend_var_lib_t and xend_var_log_t.

/var/log/xen
/var/lib/xend
/var/lib/xen

So we can either set up a default directory /xen/core where these dumps happen, or tell users that they need to dump in one of these directories.

-- Additional comment from dwalsh on 2006-11-03 10:57 EST --
You should dump to /var/lib/xen/dump

-- Additional comment from sct on 2006-11-03 13:58 EST --
Why is this in "modified", has anything actually been fixed? Rawhide xen still appears to have

corefile = "/var/xen/dump/%s-%s.%s.core" % (this_time, self.info['name'], self.domid)

in tools/python/xen/xend/XendDomainInfo.py. Reopening.

-- Additional comment from sct on 2006-11-03 13:59 EST --
Reassigning to xen component.
Assigning back to xen component - the python code should be fixed rather than allowing dumping anywhere.
Stephen,

Has this been fixed? It seems like it, since as far as I remember we now dump to /var/lib/xen/dump, but I just want to make sure I'm not missing something. If it is fixed, we can close this out.

Chris Lalancette
Confirmed that this is fixed (and has been fixed for a while). Closing this out as CURRENTRELEASE.

Chris Lalancette
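
Added example, not part of the bug thread or of the xen or selinux-policy code: a small parser for the AVC record quoted in the description, which extracts the source and target types and checks the target against the two types dwalsh's comment says xend can write to. The function names are hypothetical, and the writable-type set is copied from that comment rather than queried from the loaded policy.

```python
import re

# Types the thread says xend may write to (from dwalsh's comment);
# an assumption taken from the page, not read from the running policy.
XEND_WRITABLE_TYPES = {"xend_var_lib_t", "xend_var_log_t"}

# AVC record as quoted in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1159461156.920:245): avc: denied { read write } for '
    'pid=6291 comm="python" name="demo.core" dev=dm-0 ino=27121766 '
    'scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def explain(line):
    """Summarise who was denied what, and whether the target type is xend-writable."""
    rec = parse_avc(line)
    if rec is None:
        return None
    target = context_type(rec["tcontext"])
    return {
        "source_type": context_type(rec["scontext"]),
        "target_type": target,
        "tclass": rec["tclass"],
        "perms": rec["perms"],
        "name": rec.get("name"),
        "target_is_xend_writable": target in XEND_WRITABLE_TYPES,
    }
```

For the record from this bug, `explain(SAMPLE_AVC)` reports source type `xend_t`, target type `user_home_dir_t`, and a target that is not in the xend-writable set, which matches the dump being attempted from '/root'.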