Bug 472903 - [RHEL5.3] SELinux AVC Denied: Not allowing install of xen guest
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
Priority: high, Severity: high
Assigned To: Daniel Walsh
Martin Jenner
Keywords: Regression, TestBlocker
Reported: 2008-11-25 10:32 EST by Jeff Burke
Modified: 2009-01-20 16:30 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:30:06 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 11:05:21 EST

Description Jeff Burke 2008-11-25 10:32:54 EST
Description of problem:
 While using the latest tree to test, the testing of xen guests is failing because of a selinux policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL5.3-Server-20081124.nightly then try to install a xen guest.
Actual results:
/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 11/25/2008 6:24:25
time->Tue Nov 25 06:24:31 2008
type=SYSCALL msg=audit(1227612271.436:19): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe198f0 a2=9e1ebc a3=8bfcca0 items=0 ppid=14054 pid=14055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1227612271.436:19): avc:  denied  { search } for  pid=14055 comm="virsh" name="libvirt" dev=dm-0 ino=6029574 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir

Expected results:
This should work

Additional info:
Comment 3 Daniel Walsh 2008-11-25 14:22:17 EST
Fixed in selinux-policy-2.4.6-194.el5
Comment 7 Gurhan Ozen 2008-12-04 11:39:26 EST
Unfortunately this issue still exists in RHEL5.3-Server-20081203.0 tree that has selinux-policy-2.4.6-197.el5 package:

/sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 12/4/2008 5:37:47
time->Thu Dec  4 05:42:16 2008
type=SYSCALL msg=audit(1228387336.023:11): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fffe82716c0 a2=6e a3=2b9fc40f8a30 items=0 ppid=4534 pid=5839 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1228387336.023:11): avc:  denied  { search } for  pid=5839 comm="virsh" name="libvirt" dev=dm-0 ino=19333348 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
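
Added example (not part of the bug report or of any Red Hat tool): a Python sketch that pairs each AVC record with its SYSCALL record by audit event id and reduces the denial to the tuple policy decides on, which shows that the 2008-11-25 and 2008-12-04 reports are the same denial. The function names are hypothetical, and the sample records are the ones quoted above with some fields trimmed.

```python
import re
from collections import defaultdict

# Records abbreviated from the two ausearch outputs quoted in this report.
SAMPLE = """\
type=SYSCALL msg=audit(1227612271.436:19): arch=40000003 syscall=102 success=no exit=-13 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0
type=AVC msg=audit(1227612271.436:19): avc:  denied  { search } for  pid=14055 comm="virsh" name="libvirt" dev=dm-0 ino=6029574 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1228387336.023:11): arch=c000003e syscall=42 success=no exit=-13 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0
type=AVC msg=audit(1228387336.023:11): avc:  denied  { search } for  pid=5839 comm="virsh" name="libvirt" dev=dm-0 ino=19333348 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=dir
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group audit records by event id (timestamp, serial) and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # "time->" separators, blank lines, the ausearch command line
        rtype, ts, serial, body = m.groups()
        ev = events[(ts, serial)]
        ev.update((k, v.strip('"')) for k, v in FIELD.findall(body))
        p = PERMS.search(body)
        if rtype == "AVC" and p:
            ev["perms"] = tuple(sorted(p.group(1).split()))
    return dict(events)


def signature(ev):
    """(source type, target type, class, perms): the part of a denial that policy decides on."""
    stype = ev["scontext"].split(":")[2]
    ttype = ev["tcontext"].split(":")[2]
    return (stype, ttype, ev["tclass"], ev["perms"])


def group_denials(text):
    """Map each denial signature to the (exe, arch, syscall) tuples that triggered it."""
    out = defaultdict(set)
    for ev in parse_events(text).values():
        if "perms" in ev:  # skip events that carry no AVC denial
            out[signature(ev)].add((ev.get("exe"), ev.get("arch"), ev.get("syscall")))
    return dict(out)
```

Calling `group_denials(SAMPLE)` yields a single signature, `xm_t` to `virt_var_run_t` on class `dir` with permission `search`, reached from `/usr/bin/virsh` in both the arch=40000003 and the arch=c000003e event.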
Comment 8 Daniel Walsh 2008-12-04 13:48:43 EST
Fixed in selinux-policy-2.4.6-198.el5
Comment 14 errata-xmlrpc 2009-01-20 16:30:06 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

