In the VM initialization, the files corresponding to the virtual disks are opened before the networking is setup. So when the time comes to run the network tap setup script the QEMU process has a bunch of open file handles which are leaked to the networking script. Some of the commands run by the networking script may well be executing under a confined SELinux domain so this leak of file handles triggers security audit alerts / denials.
The attached patch explicitly closes all file handles prior to execing the network script, except for STDIN/OUT/ERR and the TAP file handle itself. Regards, Dan. -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Index: vl.c =================================================================== RCS file: /sources/qemu/qemu/vl.c,v retrieving revision 1.260 diff -u -p -r1.260 vl.c --- vl.c 28 Feb 2007 21:59:44 -0000 1.260 +++ vl.c 6 Mar 2007 16:23:26 -0000 @@ -3620,6 +3620,14 @@ static int net_tap_init(VLANState *vlan, pid = fork(); if (pid >= 0) { if (pid == 0) { + int open_max = sysconf (_SC_OPEN_MAX), i; + for (i = 0; i < open_max; i++) + if (i != STDIN_FILENO && + i != STDOUT_FILENO && + i != STDERR_FILENO && + i != fd) + close(i); + parg = args; *parg++ = (char *)setup_script; *parg++ = ifname;
_______________________________________________ Qemu-devel mailing list Qemu-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/qemu-devel