Bug 214827 - Xen FV installs cannot read ISO images beneath an autofs mount point
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Keywords: Regression
Reported: 2006-11-09 12:21 EST by Stephen Tweedie
Modified: 2007-11-30 17:07 EST
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-22 21:22:24 EST


Description Stephen Tweedie 2006-11-09 12:21:32 EST
Description of problem:
Trying to create a Xen domain with "xm create" using a boot.iso underneath an
autofs mount point fails with AVC denials.

Version-Release number of selected component (if applicable):
xen-3.0.3-8.el5
kernel-xen-2.6.18-1.2746.el5
selinux-policy-targeted-2.4.3-6.el5

How reproducible:
100%

Steps to Reproduce:
1. Run "xm create" with a xen config file specifying a cdrom on an autofs mount
point, i.e. something like:

disk = [ 'phy:/dev/spectre/xentmp2,hda,w',
'file:/net/nfshost/redhat/rhel5/x86_64/images/boot.iso,hdc:cdrom,r', ]

Actual results:
# xm create -c xentmp2
Using config file "/etc/xen/xentmp2".
Error: Disk image does not exist:
/mnt/m1/disk/new/redhat/rhel5/x86_64/images/boot.iso
# aureport -a
...
395. 11/09/2006 04:51:22 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 49
396. 11/09/2006 04:51:26 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 50


Expected results:
Xen guest should be created, install should proceed.

Additional info:
Using a direct NFS mount rather than autofs seems to work fine.

Comment 1 Daniel Walsh 2006-11-09 14:47:56 EST
Fixed in selinux-policy-2.4.3-8

Comment 2 Stephen Tweedie 2006-11-09 16:05:04 EST
Gets a little further, then fails with:

399. 11/09/2006 08:39:50 PM python system_u:system_r:xend_t:s0 4 dir read
system_u:object_r:autofs_t:s0 denied 86

Comment 3 Daniel Walsh 2006-11-10 08:08:30 EST
Stephen, can you run in permissive mode and grab all the AVC messages?

Comment 4 Daniel Walsh 2006-11-10 17:20:24 EST
Fixed in selinux-policy-2.4.3-10.el5

Comment 6 RHEL Product and Program Management 2006-12-22 21:22:24 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
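
Comments 2 and 3 show why the denials were requested from permissive mode: in enforcing mode each policy update only exposed the next missing permission (search, then read). As an added example (not part of the original report or of the selinux-policy packages), this Python script collapses the `aureport -a` rows quoted in this thread into the permission set they imply; the column layout is inferred from those rows, and the emitted rule is what the denials imply, not the change actually shipped in selinux-policy-2.4.3-10.el5.

```python
import re
from collections import defaultdict

# The three denials quoted in this report (aureport -a rows, wrapped lines rejoined).
SAMPLE = """\
395. 11/09/2006 04:51:22 PM python system_u:system_r:xend_t:s0 4 dir search system_u:object_r:autofs_t:s0 denied 49
396. 11/09/2006 04:51:26 PM python system_u:system_r:xend_t:s0 4 dir search system_u:object_r:autofs_t:s0 denied 50
399. 11/09/2006 08:39:50 PM python system_u:system_r:xend_t:s0 4 dir read system_u:object_r:autofs_t:s0 denied 86
"""

# Assumed columns: index. date time [AM/PM] comm subject syscall class perm object result event
ROW = re.compile(
    r"^\d+\.\s+\S+\s+\S+(?:\s+[AP]M)?\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+(?P<syscall>\S+)\s+"
    r"(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+(?P<result>\S+)\s+(?P<event>\d+)$"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_denials(text):
    """Yield (source_type, target_type, class, permission) for each denied row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["result"] != "denied":
            continue  # headers, "..." elisions and granted rows are skipped
        yield selinux_type(m["subj"]), selinux_type(m["obj"]), m["tclass"], m["perm"]

def missing_rules(text):
    """Collapse denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        perms[(src, tgt, tclass)].add(perm)
    return [
        f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, tclass), p in sorted(perms.items())
    ]

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE):
        print(rule)
```

A rule derived this way is a candidate for review against the policy's existing interfaces, not something to load unmodified.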
