Bug 215002 - SELinux denial when doing Xen live migrate
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-11-10 10:42 EST by Chris Lalancette
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: beta2
Doc Type: Bug Fix
Last Closed: 2006-12-22 21:29:30 EST
Description Chris Lalancette 2006-11-10 10:42:18 EST
Description of problem:
When trying to live migrate a system (to localhost, in this case), the SELinux
policy prevents it.  I'm currently testing on kernel 2.6.18-1.2746.el5xen, xen
package 3.0.3-6.el5, selinux policy 2.4.3-6.el5.

How reproducible:

Steps to Reproduce:
1.  Start up a paravirt xen domain.
2.  Run "xm migrate -l <dom> localhost"
Actual results:
Migrate fails, with the following message:

[root@lore ~]# xm migrate -l rhel5-file localhost
Error: can't connect: Permission denied
Usage: xm migrate <Domain> <Host>

Migrate a domain to another machine.


-h, --help           Print this help.
-l, --live           Use live migration.
-p=portnum, --port=portnum
                     Use specified port for migration.
-r=MBIT, --resource=MBIT
                     Set level of resource usage for migration.

[root@lore ~]# uname -a

Also, the following is printed in /var/log/audit/audit.log:

type=AVC msg=audit(1163172919.592:182): avc:  denied  { name_connect } for 
pid=10045 comm="python" dest=8002 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:xen_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1163172919.592:182): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=b3f82370 a2=235118 a3=0 items=0 ppid=2660 pid=10045
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0

Expected results:
Migration completes successfully.
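
Reading the AVC record above, as an added example that is not part of the original report: the Python below parses the denial and derives the type-enforcement rule it corresponds to, the way audit2allow-style tools do. The record is copied from the report with its wrapped lines rejoined; the function names are hypothetical, and the report does not say what change selinux-policy-2.4.3-10 actually made.

```python
import re

# The AVC record from the report, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1163172919.592:182): avc:  denied  { name_connect } for '
    'pid=10045 comm="python" dest=8002 scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:xen_port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC audit record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Pull the type field out of user:role:type[:level]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def candidate_rule(avc):
    """Type-enforcement rule that would permit a denied access (None if granted)."""
    if avc['result'] != 'denied':
        return None
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        context_type(avc['scontext']), context_type(avc['tcontext']),
        avc['tclass'], perm_text)


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print('%s (pid %s) -> tcp port %s' % (avc['comm'], avc['pid'], avc['dest']))
    print(candidate_rule(avc))
```

The derived rule shows what the denial means: a process in the xend_t domain was not permitted to open a TCP connection to a port labelled xen_port_t. Treat such a rule as input to policy review rather than something to load unread.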
Comment 1 Daniel Walsh 2006-11-10 13:40:50 EST
Fixed in selinux-policy-2.4.3-10
Comment 2 RHEL Product and Program Management 2006-12-06 16:31:24 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
Comment 3 Stephen Tweedie 2006-12-07 13:02:53 EST
Looks like RHEL5 has picked up the new policy; can you reproduce the original
Comment 4 RHEL Product and Program Management 2006-12-22 21:29:31 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
