234166 – QEMU file descriptor leak causes SELinux errors when starting HVM domain

Bug 234166 - QEMU file descriptor leak causes SELinux errors when starting HVM domain

Summary: QEMU file descriptor leak causes SELinux errors when starting HVM domain

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	xen
Sub Component:
Version:	5.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Xen Maintainance List
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	222687
Blocks:
TreeView+	depends on / blocked

Reported:	2007-03-27 15:30 UTC by Daniel Berrangé
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:	RHEA-2007-0635
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-07 17:10:13 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Close file handles before running network scripts (1.38 KB, patch) 2007-03-27 15:32 UTC, Daniel Berrangé	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2007:0635	0	normal	SHIPPED_LIVE	xen enhancement update	2007-10-30 15:49:02 UTC

Description Daniel Berrangé 2007-03-27 15:30:28 UTC

+++ This bug was initially created as a clone of Bug #222687 +++

Description of problem:
Whenever I start a Xen domain created using virt-install, there are SELinux denials.

Version-Release number of selected component (if applicable):
net-tools-1.60-73

How reproducible:
Every time

Steps to Reproduce:
1. Start a Xen domain
2.
3.
  
Actual results:
SELinux denials reported (I'm in permissive mode at the moment, until these
problems are resolved)

Expected results:
Domain starts normally

Additional info:

-- Additional comment from bloch on 2007-01-15 13:45 EST --
Created an attachment (id=145604)
Error report via setroubleshoot


-- Additional comment from dwalsh on 2007-01-15 15:14 EST --
Did this actually block something from working?  If you try this in enforcing
mode do you see errors?  This looks like xen is leaking an open descriptor to
the xen_image_t file.  There is no reason ifconfig should ever need to
read/write this disk image.  I believe this should work in enforcing mode.

-- Additional comment from bloch on 2007-01-16 14:04 EST --
Yes, there are errors when running in enforcing mode, though things do appear to
be working.

-- Additional comment from berrange on 2007-03-27 11:25 EST --
QEMU was leaking file handles to the networking scripts which caused SELinux
errors. This was fixed in Xen 3.0.3-7.fc6

* Tue Mar  6 2007 Daniel P. Berrange <berrange> - 3.0.3-7.fc6
- Ensure PVFB daemon terminates if domain doesn't startup (bz 230634)
- Fix ia64 shadow page table mode
- Close QEMU file handles when running network script

Please upgrade & confirm that the errors went away.

Comment 1 Daniel Berrangé 2007-03-27 15:32:18 UTC

Created attachment 151040 [details]
Close file handles before running network scripts

This is the patch applied upstream & to Fedora to fix QEMU filehandle leak

Comment 2 RHEL Program Management 2007-03-27 15:43:57 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Daniel Berrangé 2007-06-14 14:49:45 UTC

Built into dist-5E-qu-candidate as xen-3.0.3-27.el5


* Thu Jun 14 2007 Daniel P. Berrange <berrange> - 3.0.3-27.el5
- Update low level (non-XenD) userspace to work with 3.1.0 hypervisor
(rhbz#243462, rhbz#234166, rhbz#230790)

Comment 7 errata-xmlrpc 2007-11-07 17:10:13 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0635.html

Note You need to log in before you can comment on or make changes to this bug.