Bug 214827 - Xen FV installs cannot read ISO images beneath an autofs mount point
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
Reported: 2006-11-09 17:21 UTC by Stephen Tweedie
Modified: 2007-11-30 22:07 UTC

Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-23 02:22:24 UTC

Description Stephen Tweedie 2006-11-09 17:21:32 UTC
Description of problem:
Trying to create a Xen domain with "xm create" using a boot.iso underneath an
autofs mount point fails with AVC denials.

Version-Release number of selected component (if applicable):
xen-3.0.3-8.el5
kernel-xen-2.6.18-1.2746.el5
selinux-policy-targeted-2.4.3-6.el5

How reproducible:
100%

Steps to Reproduce:
1. Run "xm create" with a xen config file specifying a cdrom on an autofs mount
point, i.e. something like:

disk = [ 'phy:/dev/spectre/xentmp2,hda,w',
'file:/net/nfshost/redhat/rhel5/x86_64/images/boot.iso,hdc:cdrom,r', ]

Actual results:
# xm create -c xentmp2
Using config file "/etc/xen/xentmp2".
Error: Disk image does not exist:
/mnt/m1/disk/new/redhat/rhel5/x86_64/images/boot.iso
# aureport -a
...
395. 11/09/2006 04:51:22 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 49
396. 11/09/2006 04:51:26 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 50


Expected results:
Xen guest should be created, install should proceed.

Additional info:
Using a direct NFS mount rather than autofs seems to work fine.

Comment 1 Daniel Walsh 2006-11-09 19:47:56 UTC
Fixed in selinux-policy-2.4.3-8


Comment 2 Stephen Tweedie 2006-11-09 21:05:04 UTC
Gets a little further, then fails with:

399. 11/09/2006 08:39:50 PM python system_u:system_r:xend_t:s0 4 dir read
system_u:object_r:autofs_t:s0 denied 86
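
The denials quoted in the description and in comment 2, grouped by source type, target type and object class and rendered in the form audit2allow prints. This is an added example, not part of the bug report or of any Red Hat tool; the column layout is read off the "aureport -a" rows quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC rows copied from the description and comment 2 of this report, wrapped
# across two lines exactly as the bug tracker shows them.
REPORT = """\
395. 11/09/2006 04:51:22 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 49
396. 11/09/2006 04:51:26 PM python system_u:system_r:xend_t:s0 4 dir search
system_u:object_r:autofs_t:s0 denied 50
399. 11/09/2006 08:39:50 PM python system_u:system_r:xend_t:s0 4 dir read
system_u:object_r:autofs_t:s0 denied 86
"""

# Columns assumed from the rows above: index, date, time [AM/PM], command,
# subject context, syscall, class, permission, object context, result, event.
ROW = re.compile(
    r"^\d+\.\s+\S+\s+\S+(?:\s+[AP]M)?\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+\S+\s+"
    r"(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+(?P<result>\w+)\s+(?P<event>\d+)$"
)

def rejoin(text):
    """Glue continuation lines back onto the numbered row they belong to."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        if re.match(r"^\d+\.\s", line) or not rows:
            rows.append(line)
        else:
            rows[-1] += " " + line
    return rows

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> denied permissions and events."""
    denials = defaultdict(lambda: {"perms": set(), "events": []})
    for row in rejoin(text):
        m = ROW.match(row)
        if not m or m["result"] != "denied":
            continue  # header, separator or granted row
        key = (se_type(m["subj"]), se_type(m["obj"]), m["tclass"])
        denials[key]["perms"].update(m["perm"].split(","))
        denials[key]["events"].append(int(m["event"]))
    return dict(denials)

def candidate_rules(denials):
    """Render each group in the form audit2allow prints, for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(d['perms']))} }};"
            for (s, t, c), d in sorted(denials.items())]
```

In enforcing mode each denial stops xend before it reaches the next access, so the rule set only grows as far as the rows collected so far; rows gathered in permissive mode can be passed through the same functions.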



Comment 3 Daniel Walsh 2006-11-10 13:08:30 UTC
Stephen, can you run in permissive mode and grab all the AVC messages?

Comment 4 Daniel Walsh 2006-11-10 22:20:24 UTC
Fixed in selinux-policy-2.4.3-10.el5

Comment 6 RHEL Program Management 2006-12-23 02:22:24 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.


