Bug 243091 - SELinux is preventing /usr/sbin/blktapctrl (xend_t) "create" to tap (var_run_t).
Summary: SELinux is preventing /usr/sbin/blktapctrl (xend_t) "create" to tap (var_run_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-06-07 09:28 UTC by Truong Xuan Tinh
Modified: 2007-11-30 22:12 UTC (History)
0 users

Clone Of:
Last Closed: 2007-08-22 14:08:58 UTC

Attachments (Terms of Use)

Description Truong Xuan Tinh 2007-06-07 09:28:03 UTC
Description of problem:
SELinux denied access requested by /usr/sbin/blktapctrl. It is not expected that
this access is required by /usr/sbin/blktapctrl and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a new Virtual machine using Virtual Machine Manager
2. System Name: CentOS5
3. Virtualized Method:Paravirtualized
4. Install Media URL : /media/SCSI0_VOL1/Linux_Distros/CentOS-5.0-x86_64-bin-DVD.iso
5. Simple File (/home/tinh/xen/CentOS5)with Allocate entire disk now check (6GB)
6. Virtual Network (default)
7. VM Max Memory: 512MB, VM Startup Memory: 512 MB, VCPUs: 2
Actual results:

Expected results:

Additional info:
Source Context:  system_u:system_r:xend_tTarget
Context:  system_u:object_r:var_run_tTarget Objects:  tap [ dir ]Affected RPM
Packages:  xen-3.1.0-0.rc7.1.fc7 [application]Policy
RPM:  selinux-policy-2.6.4-13.fc7Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.catchall_fileHost
Name:  localhost.localdomainPlatform:  Linux localhost.localdomain
2.6.20-2925.9.fc7xen #1 SMP Tue May 22 09:29:36 EDT 2007 x86_64 x86_64Alert
Count:  1First Seen:  Thu 07 Jun 2007 04:07:00 PM ICTLast Seen:  Thu 07 Jun 2007
04:07:00 PM ICTLocal ID:  934b71c8-b8d8-4a03-9178-034d395e54d2Line Numbers:  Raw
Audit Messages :avc: denied { create } for comm="blktapctrl" egid=0 euid=0
exe="/usr/sbin/blktapctrl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="tap"
pid=3065 scontext=system_u:system_r:xend_t:s0 sgid=0
subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-06-11 12:22:18 UTC
Fixed in selinux-policy-2.6.4-14

Comment 2 Daniel Walsh 2007-08-22 14:08:58 UTC
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.