Bug 213916 - Cannot dump Xen VM corefile when in enforcing mode
Summary: Cannot dump Xen VM corefile when in enforcing mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Xen Maintainance List
QA Contact:
URL:
Whiteboard:
Depends On: 208447
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-03 19:03 UTC by Stephen Tweedie
Modified: 2008-03-27 04:41 UTC (History)
1 user (show)

Fixed In Version: 5.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-27 04:41:24 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Stephen Tweedie 2006-11-03 19:03:37 UTC
+++ This bug was initially created as a clone of Bug #208447 +++

Description of problem:
I have a Xen paravirt guest called 'demo' running. The host system has the
targetted policy loaded, in enforcing mode. Attempting to dump a corefile of the
guest VM results in:

# xm dump-core demo demo.core
dumping core of domain:demo ...
Error: [Errno 13] Permission denied

There is nothing logged in /var/log/audit/audit.log

If, however, I disable enforcing mode 'setenforce 0', then the operation
succeeeds, and the audit logs now do contain useful info:

type=AVC msg=audit(1159461156.920:245): avc:  denied  { read write } for 
pid=6291 comm="python" name="demo.core" dev=dm-0 ino=27121766
scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1159461156.920:245): arch=c000003e syscall=2 success=yes
exit=20 a0=2aaab24a7b0c a1=42 a2=180 a3=2aaab16852e8 items=0 ppid=2645 pid=6291
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)

I am in '/root' when attempting to dump the corefile


Version-Release number of selected component (if applicable):
libselinux-1.30.28-2
libselinux-python-1.30.28-2
selinux-policy-2.3.16-2
selinux-policy-targeted-2.3.16-2
libselinux-1.30.28-2


How reproducible:
Always

Steps to Reproduce:
1. Create a Xen guest VM on a machine ruunning targetted policy, in enforcing mode
2. Login as root
3. Run 'xm dump-core <vmname>  demo.core
  
Actual results:
Permission denied

Expected results:
Dump succeeeds generating  demo.core

Additional info:
Hard to know what best course of action is here - do we change policy to either
allow Xend to generate core files anywhere on the FS, or do we force admins to
save their corefiles in a specific directory ? If the latter, we need to
document it and preferrably get 'xm dump-core' to print out some message to this
effect.

-- Additional comment from dwalsh on 2006-09-28 12:41 EST --
xend currently can only write to directories labeled xend_var_lib_t and
xend_var_log_t. 

/var/log/xen
/var/lib/xend
/var/lib/xen

So we can either setup a default directory /xen/core where these dups happen, or
tell users that they need to dump in one of these directories.

-- Additional comment from dwalsh on 2006-11-03 10:57 EST --
You should dump to /var/lib/xen/dump

-- Additional comment from sct on 2006-11-03 13:58 EST --
Why is this in "modified", has anything actually been fixed?  Rawhide xen still
appears to have

                corefile = "/var/xen/dump/%s-%s.%s.core" % (this_time,
                                  self.info['name'], self.domid)

in tools/python/xen/xend/XendDomainInfo.py.

Reopening.

-- Additional comment from sct on 2006-11-03 13:59 EST --
Reassigning to xen component.

Comment 2 Karl MacMillan 2007-03-29 15:35:36 UTC
Assigning back to xen component - the python code should be fixed rather than
allowing dumping anywhere.

Comment 3 Chris Lalancette 2007-09-26 14:12:10 UTC
Stephen,
     Has this been fixed?  It seems like it, since as far as I remember we now
dump to /var/lib/xen/dump, but I just want to make sure I'm not missing
something.  If it is fixed, we can close this out.

Chris Lalancette

Comment 4 Chris Lalancette 2008-03-27 04:41:24 UTC
Confirmed that this is fixed (and has been fixed for a while).  Closing this out
as CURRENTRELEASE.

Chris Lalancette


Note You need to log in before you can comment on or make changes to this bug.