Bug 243091 - SELinux is preventing /usr/sbin/blktapctrl (xend_t) "create" to tap (var_run_t).
SELinux is preventing /usr/sbin/blktapctrl (xend_t) "create" to tap (var_run_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-07 05:28 EDT by Truong Xuan Tinh
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:08:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Truong Xuan Tinh 2007-06-07 05:28:03 EDT
Description of problem:
SELinux denied access requested by /usr/sbin/blktapctrl. It is not expected that
this access is required by /usr/sbin/blktapctrl and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a new Virtual machine using Virtual Machine Manager
2. System Name: CentOS5
3. Virtualized Method:Paravirtualized
4. Install Media URL : /media/SCSI0_VOL1/Linux_Distros/CentOS-5.0-x86_64-bin-DVD.iso
5. Simple File (/home/tinh/xen/CentOS5)with Allocate entire disk now check (6GB)
6. Virtual Network (default)
7. VM Max Memory: 512MB, VM Startup Memory: 512 MB, VCPUs: 2
8. 
  
Actual results:


Expected results:


Additional info:
Source Context:  system_u:system_r:xend_tTarget
Context:  system_u:object_r:var_run_tTarget Objects:  tap [ dir ]Affected RPM
Packages:  xen-3.1.0-0.rc7.1.fc7 [application]Policy
RPM:  selinux-policy-2.6.4-13.fc7Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchall_fileHost
Name:  localhost.localdomainPlatform:  Linux localhost.localdomain
2.6.20-2925.9.fc7xen #1 SMP Tue May 22 09:29:36 EDT 2007 x86_64 x86_64Alert
Count:  1First Seen:  Thu 07 Jun 2007 04:07:00 PM ICTLast Seen:  Thu 07 Jun 2007
04:07:00 PM ICTLocal ID:  934b71c8-b8d8-4a03-9178-034d395e54d2Line Numbers:  Raw
Audit Messages :avc: denied { create } for comm="blktapctrl" egid=0 euid=0
exe="/usr/sbin/blktapctrl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="tap"
pid=3065 scontext=system_u:system_r:xend_t:s0 sgid=0
subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-06-11 08:22:18 EDT
Fixed in selinux-policy-2.6.4-14
Comment 2 Daniel Walsh 2007-08-22 10:08:58 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.