Bug 499551 - AVC denial from virsh dominfo - libvirtd (virtd_t) "getattr" svirt_t.
Product: Fedora
Classification: Fedora
Component: libvirt
x86_64 Linux
medium Severity medium
Assigned To: Daniel Veillard
Fedora Extras Quality Assurance
Blocks: F11VirtTarget
Reported: 2009-05-07 02:50 EDT by Charles Rose
Modified: 2009-05-07 10:25 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-07 10:25:29 EDT

Attachments
SELinux alert message (2.46 KB, text/plain)
2009-05-07 02:50 EDT, Charles Rose

Description Charles Rose 2009-05-07 02:50:58 EDT
Created attachment 342776
SELinux alert message

Description of problem:

  # virsh dominfo vfedora11

Id:             5
Name:           vfedora11
UUID:           b364fa20-349e-e604-94b5-40ca98952b04
OS Type:        hvm
State:          running
CPU(s):         1
CPU time:       10.9s
Max memory:     524288 kB
Used memory:    524288 kB
Autostart:      disable
Security model: selinux
Security DOI:   0
Security label: system_u:system_r:svirt_t:s0:c413,c668 (enforcing)

shows the domaininfo, but also results in an AVC denial:

SELinux is preventing libvirtd (virtd_t) "getattr" svirt_t.

Version-Release number of selected component (if applicable):

How reproducible:
Occurs the first three times "virsh dominfo" is run. Restarting libvirtd and running "virsh dominfo" causes the issue to happen again.

Steps to Reproduce:
1. Install Fedora Rawhide (7 May) with libvirt
2. Create a Fedora 11 beta VM.
3. Run
       # virsh dominfo vfedora11
Actual results:
virsh shows the domain info

Expected results:
virsh shows the domain info, but an SELinux alert is seen.

Additional info:
SELinux alert attached.
Comment 1 Mark McLoughlin 2009-05-07 03:04:22 EDT
Could be from looking at /proc/$pid/stat ?
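
One way to check the hypothesis in Comment 1 against the audit log, as an added example that is not part of the bug thread or of libvirt: it filters AVC denials for virtd_t "getattr" on svirt_t and reports the object class and whether the path is /proc/<pid>/stat. The log lines are constructed (the attachment's contents are not reproduced on this page) and the function names are hypothetical.

```python
import re

# Constructed sample records in audit.log AVC format (not from the bug's attachment).
SAMPLE_LOG = """\
type=AVC msg=audit(1241678998.101:41): avc:  denied  { getattr } for  pid=2301 comm="libvirtd" path="/proc/2977/stat" dev=proc ino=19001 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:svirt_t:s0:c413,c668 tclass=file
type=AVC msg=audit(1241678998.105:42): avc:  denied  { getattr } for  pid=2301 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:svirt_t:s0:c413,c668 tclass=process
type=AVC msg=audit(1241678999.300:43): avc:  denied  { read } for  pid=1200 comm="httpd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_STAT_RE = re.compile(r"^/proc/\d+/stat$")

def parse_avc(line):
    # Return the key=value fields of one AVC denial, or None for other lines.
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def context_type(ctx):
    # SELinux context is user:role:type:level[:categories]; return the type.
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""

def triage(log, source="virtd_t", target="svirt_t", perm="getattr"):
    # Keep only denials matching the alert in this bug and summarise the object.
    findings = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or perm not in rec["perms"]:
            continue
        if (context_type(rec.get("scontext", "")) != source
                or context_type(rec.get("tcontext", "")) != target):
            continue
        path = rec.get("path")
        findings.append({"tclass": rec.get("tclass"), "path": path,
                         "proc_stat": bool(path and PROC_STAT_RE.match(path))})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A record with tclass=file and a /proc/<pid>/stat path would support the guess in Comment 1; a record with tclass=process and no path would point to a different access.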
Comment 2 Daniel Walsh 2009-05-07 10:25:29 EDT
Fixed in selinux-policy-3.6.12-31.fc11.noarch
