Bug 234166 - QEMU file descriptor leak causes SELinux errors when starting HVM domain
Summary: QEMU file descriptor leak causes SELinux errors when starting HVM domain
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen (Show other bugs)
(Show other bugs)
Version: 5.0
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Xen Maintainance List
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On: 222687
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-27 15:30 UTC by Daniel Berrange
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: RHEA-2007-0635
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 17:10:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Close file handles before running network scripts (1.38 KB, patch)
2007-03-27 15:32 UTC, Daniel Berrange
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2007:0635 normal SHIPPED_LIVE xen enhancement update 2007-10-30 15:49:02 UTC

Description Daniel Berrange 2007-03-27 15:30:28 UTC
+++ This bug was initially created as a clone of Bug #222687 +++

Description of problem:
Whenever I start a Xen domain created using virt-install, there are SELinux denials.

Version-Release number of selected component (if applicable):
net-tools-1.60-73

How reproducible:
Every time

Steps to Reproduce:
1. Start a Xen domain
2.
3.
  
Actual results:
SELinux denials reported (I'm in permissive mode at the moment, until these
problems are resolved)

Expected results:
Domain starts normally

Additional info:

-- Additional comment from bloch@verdurin.com on 2007-01-15 13:45 EST --
Created an attachment (id=145604)
Error report via setroubleshoot


-- Additional comment from dwalsh@redhat.com on 2007-01-15 15:14 EST --
Did this actually block something from working?  If you try this in enforcing
mode do you see errors?  This looks like xen is leaking an open descriptor to
the xen_image_t file.  There is no reason ifconfig should ever need to
read/write this disk image.  I believe this should work in enforcing mode.

-- Additional comment from bloch@verdurin.com on 2007-01-16 14:04 EST --
Yes, there are errors when running in enforcing mode, though things do appear to
be working.

-- Additional comment from berrange@redhat.com on 2007-03-27 11:25 EST --
QEMU was leaking file handles to the networking scripts which caused SELinux
errors. This was fixed in Xen 3.0.3-7.fc6

* Tue Mar  6 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-7.fc6
- Ensure PVFB daemon terminates if domain doesn't startup (bz 230634)
- Fix ia64 shadow page table mode
- Close QEMU file handles when running network script

Please upgrade & confirm that the errors went away.

Comment 1 Daniel Berrange 2007-03-27 15:32:18 UTC
Created attachment 151040 [details]
Close file handles before running network scripts

This is the patch applied upstream & to Fedora to fix QEMU filehandle leak

Comment 2 RHEL Product and Program Management 2007-03-27 15:43:57 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 4 Daniel Berrange 2007-06-14 14:49:45 UTC
Built into dist-5E-qu-candidate as xen-3.0.3-27.el5


* Thu Jun 14 2007 Daniel P. Berrange <berrange@redhat.com> - 3.0.3-27.el5
- Update low level (non-XenD) userspace to work with 3.1.0 hypervisor
(rhbz#243462, rhbz#234166, rhbz#230790)

Comment 7 errata-xmlrpc 2007-11-07 17:10:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0635.html



Note You need to log in before you can comment on or make changes to this bug.