Bug 439987 - Xen SELinux denial during hotplug scripts
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: 5.6
Assigned To: Xen Maintainance List
QA Contact: Virtualization Bugs
Status: Reopened
Duplicates: 434819
Blocks: 514500
Reported: 2008-04-01 05:02 EDT by sergio valle
Modified: 2010-11-09 08:34 EST
Doc Type: Bug Fix
Last Closed: 2010-10-14 03:50:02 EDT
Description sergio valle 2008-04-01 05:02:55 EDT
    SELinux is preventing /sbin/losetup (fsadm_t) "append" to
    /var/run/xen-hotplug/block (udev_var_run_t).

Detailed Description
    SELinux denied access requested by /sbin/losetup. It is not expected that
    this access is required by /sbin/losetup and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /var/run/xen-hotplug/block,
    restorecon -v /var/run/xen-hotplug/block If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:fsadm_t:SystemLow-SystemHigh
Target Context                system_u:object_r:udev_var_run_t
Target Objects                /var/run/xen-hotplug/block [ file ]
Affected RPM Packages         util-linux-2.13-0.45.el5_1.1 [application]
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     serval.rheles5.it
Platform                      Linux serval.rheles5.it 2.6.18-53.1.14.el5xen #1
                              SMP Tue Feb 19 07:33:17 EST 2008 x86_64 x86_64
Alert Count                   18
Line Numbers                  

Raw Audit Messages            

avc: denied { append } for comm="losetup" dev=dm-0 egid=0 euid=0
exe="/sbin/losetup" exit=0 fsgid=0 fsuid=0 gid=0 items=0
path="/var/run/xen-hotplug/block" pid=9210
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:udev_var_run_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2008-04-06 06:01:09 EDT
Xen is redirecting the stdout of losetup to a udev file, which is causing the
AVC.  It can safely be ignored.
Comment 2 Daniel Walsh 2008-04-07 21:59:00 EDT
This also could be a leaked file descriptor to /var/run/xen-hotplug/block
Comment 3 Daniel Walsh 2008-05-02 16:15:39 EDT
xend should not be leaking this file descriptor.
Comment 4 Daniel Walsh 2008-05-05 12:52:15 EDT
Comment 5 Daniel Berrange 2008-07-09 09:22:24 EDT
This is harder to address than one might think.

The root cause is the Xen hotplug scripts all need to be serialized. This is
achieved by creating a lock file and then flock()'ing it.

Since the hotplug scripts are in shell, we have to use the 'flock' helper program. 

    _lockfd=200   # a free file descriptor between 200 and 300
    eval "exec $_lockfd>>/var/run/xen-hotplug/block"
    flock -x $_lockfd

So, we'll typically open FD 200 and flock it.

This is held for the duration of the hotplug scripts before being released.

Unfortunately I cannot find any way to make this file descriptor FD_CLOEXEC.

The line:

    eval "exec $_lockfd>>/var/run/xen-hotplug/block"

always creates a file descriptor which is inherited by child processes.
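The inheritance problem described in comment 5, as an added example that is not code from the Xen hotplug scripts or from this report: it takes a lock the same way (open an fd on the lock file, flock it), shows that a child process can use the inherited fd, and shows the shell-level workaround of closing the fd on the child's command line only. It assumes fd 9 and a constructed lock path under $TMPDIR rather than fd 200 and /var/run/xen-hotplug/block, because POSIX sh only guarantees single-digit redirections.

```shell
#!/bin/sh
# Added example, not from the Xen scripts or this bug. Comment 5: the hotplug
# lock is an fd opened on the lock file and flock(1)'ed, and that fd is
# inherited by every child. A confined helper such as losetup (fsadm_t) thus
# holds an open append-mode fd on a udev_var_run_t file, which SELinux reports
# as the denied append seen in the AVC. fd 9 is used here because POSIX sh only
# guarantees single-digit redirections; the real scripts use 200-300 in bash.

LOCKFILE="${TMPDIR:-/tmp}/xen-hotplug-demo.lock"   # constructed, not the real path

# Take the lock the way the scripts do: open the fd, then flock it.
claim_lock() {
    exec 9>>"$LOCKFILE"
    if command -v flock >/dev/null 2>&1; then
        flock -x 9 || return 1      # util-linux helper; skipped if absent
    fi
}

release_lock() {
    exec 9>&-
}

# Can a child process use our lock fd? The child tries to dup fd 9 onto its
# stdout; success means the fd survived fork/exec into the child.
child_inherits_fd() {
    sh -c ': >&9' 2>/dev/null && echo leaked || echo clean
}

# Shell-level stand-in for FD_CLOEXEC on one child: close fd 9 on the child's
# command line only. The parent shell keeps holding the lock.
child_with_fd_closed() {
    sh -c ': >&9' 9>&- 2>/dev/null && echo leaked || echo clean
}

# In a hotplug script the same fix is applied per helper, e.g.
#   losetup "$dev" "$file" 200>&-
claim_lock
printf 'child without fix: %s\n' "$(child_inherits_fd)"          # leaked
printf 'child with fd closed: %s\n' "$(child_with_fd_closed)"    # clean
release_lock
rm -f "$LOCKFILE"
```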
Comment 6 Chris Lalancette 2009-01-22 05:49:12 EST
*** Bug 434819 has been marked as a duplicate of this bug. ***
Comment 9 Miroslav Rezanina 2010-10-14 03:50:02 EDT
I'm closing this bz as I'm not able to reproduce this issue. If you hit this problem feel free to re-open.
