714215 – AVC produced during VM start/stop in a cluster

Bug 714215 - AVC produced during VM start/stop in a cluster

Summary: AVC produced during VM start/stop in a cluster

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-06-17 15:58 UTC by Jaroslav Kortus
Modified:	2012-06-13 11:51 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-13 11:51:55 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jaroslav Kortus 2011-06-17 15:58:26 UTC

Description of problem:
time->Fri Jun 17 10:51:56 2011
type=SYSCALL msg=audit(1308325916.570:854): arch=c000003e syscall=18 success=yes exit=8192 a0=b a1=2aaaaaab0200 a2=2000 a3=336e5fa00 items=0 ppid=1 pid=17394 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=system_u:system_r:svirt_t:s0:c291,c554 key=(null)
type=AVC msg=audit(1308325916.570:854): avc:  denied  { sys_resource } for  pid=17394 comm="qemu-kvm" capability=24 scontext=system_u:system_r:svirt_t:s0:c291,c554 tcontext=system_u:system_r:svirt_t:s0:c291,c554 tclass=capability


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-312.el5

How reproducible:
always

Steps to Reproduce:
1. clusvcadm -R vm:virtmachine
2.
3.
  
Actual results:
AVC denial

Expected results:
no denial

Additional info:
the machine works even with this denial.

Comment 1 Daniel Walsh 2011-06-17 17:36:04 UTC

sys_resource usually means you are running out of a system resource that a non priv user would not be allowed to add.

Comment 2 Daniel Walsh 2011-06-17 17:36:38 UTC

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

Note You need to log in before you can comment on or make changes to this bug.