Description of problem:
QEMU opens the virtual disks before it sets up networking. Unfortunately it is not setting the close-on-exec flag for the file handles associated with the virtual disk. So when it runs /etc/xen/qemu-ifup the file handles for the virtual disks get propagated into the networking scripts. ifconfig/brctl run as a different SELinux domain, so we see AVC denials about the leaked file handles. These AVCs don't (apparently) cause any hard failure, but this is nonetheless a bug that should be resolved.

Version-Release number of selected component (if applicable):
xen-3.0.3-25.el5

How reproducible:
Always

Steps to Reproduce:
1. setenforce 0
2. Edit /etc/xen/qemu-ifup and add in:
   ls -l /proc/$$/fd/ >> /tmp/files.txt
3. Start an HVM guest
4. Look in /tmp/files.txt

Actual results:
There are file handles open for each virtual disk associated with the HVM guest. There are also AVC denials in the audit logs.

Expected results:
There are no file handles open for the virtual disks.

Additional info:
Created attachment 149154
Set the close-on-exec flag

The attached patch modifies all the various disk driver backends in QEMU to ensure the close-on-exec flag is turned on. This prevents disk file descriptors propagating to the networking scripts.
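The following is an added, self-contained C demonstration of the descriptor leak described in the report and of the fix the attached patch applies; it is not the patch itself nor QEMU code. It opens a throwaway file under /tmp as a stand-in for a disk image, then forks and execs /bin/sh in place of /etc/xen/qemu-ifup; the shell tries to dup the inherited descriptor onto its own stdin, which only works if the descriptor survived execve(). Opening without FD_CLOEXEC leaks the descriptor into the child; setting the flag with fcntl(F_SETFD) right after open(), as the patch does, closes it at exec time. Assumed: a writable /tmp, a POSIX /bin/sh, and permission to fork.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a disk image. With cloexec != 0, set FD_CLOEXEC right after open(),
 * which is the approach the attached patch takes in each QEMU disk backend.
 * Returns the descriptor, or -1 on failure. */
int open_disk(const char *path, int cloexec)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Stand-in for /etc/xen/qemu-ifup (assumption: a one-line shell script is
 * enough to show the leak). Fork, exec /bin/sh, and have the shell dup the
 * descriptor onto its own stdin; that only succeeds if the descriptor was
 * inherited across execve(), so the shell's exit status reveals the leak.
 * Returns 1 (leaked), 0 (not leaked) or -1 (error). */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* stderr is silenced first so a failed dup prints nothing */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 0<&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a throwaway "disk image" under /tmp (constructed test input), open it
 * with or without close-on-exec, verify the flag, and report whether the
 * descriptor leaks into the exec'd child. Returns 1, 0 or -1 as above. */
int leak_check(int cloexec)
{
    char path[] = "/tmp/fake-disk-XXXXXX";
    int fd, leaked;
    int tmp = mkstemp(path);

    if (tmp < 0)
        return -1;
    close(tmp);
    fd = open_disk(path, cloexec);
    if (fd < 0 || has_cloexec(fd) != (cloexec ? 1 : 0)) {
        if (fd >= 0)
            close(fd);
        unlink(path);
        return -1;
    }
    leaked = fd_survives_exec(fd);
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("disk opened without FD_CLOEXEC: leaked into child = %d\n", leak_check(0));
    printf("disk opened with    FD_CLOEXEC: leaked into child = %d\n", leak_check(1));
    return 0;
}
```

The open()-then-fcntl() sequence is the only option on the RHEL 5 kernel (2.6.18); later kernels (2.6.23 and up) accept O_CLOEXEC directly in open(), which also removes the window in which another thread could fork between the two calls.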
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Built into dist-5E-qu-candidate as xen-3.0.3-27.el5

* Thu Jun 14 2007 Daniel P. Berrange <berrange> - 3.0.3-27.el5
- Update low level (non-XenD) userspace to work with 3.1.0 hypervisor (rhbz#243462, rhbz#234166, rhbz#230790)
*** Bug 240342 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2007-0635.html