Bug 1341317

Summary: SELinux causes Xen startup failures; Xen utilities to hang when writing to xenbus
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <mike>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: high
Docs Contact:
Priority: high
Version: 26
CC: dwalsh, ketuzsezr, lantw44, lvrabec, m.a.young, mike, robinlee.sysu, virt-maint
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-257.fc26
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-12 13:44:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1322625
Bug Blocks:

Description W. Michael Petullo 2016-05-31 19:41:02 UTC
Description of problem:
A number of xen utilities, including "xl list" and xentop, hang on Fedora 24 with Xen 4.6.1.

Version-Release number of selected component (if applicable):
xen-4.6.1-10.fc24.x86_64
xen-runtime-4.6.1-10.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Boot Fedora 24 as Xen Dom0
2. Run "xl list" or xentop

Actual results:
Both commands hang before providing any useful output.

Additional info:
Running "xl list" under strace produces the following. This seems to indicate that the hang occurs when the utility writes to /dev/xen/xenbus.

access("/dev/xen/xenbus", F_OK)         = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10, 62), ...}) = 0
open("/dev/xen/xenbus", O_RDWR)         = 6
open("/etc/xen/xl.conf", O_RDONLY)      = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
read(7, "vif.default.script = \"vif-ethos\""..., 4096) = 33
close(7)                                = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 262150
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d788000
madvise(0x7fef0d788000, 4096, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 4096
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
mmap(NULL, 102400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d76f000
madvise(0x7fef0d76f000, 102400, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc61c70) = 0
madvise(0x7fef0d76f000, 102400, MADV_DOFORK) = 0
munmap(0x7fef0d76f000, 102400)          = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d786000
madvise(0x7fef0d786000, 8192, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc60c70) = 0
madvise(0x7fef0d786000, 8192, MADV_DOFORK) = 0
munmap(0x7fef0d786000, 8192)            = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
write(1, "Name                            "..., 73Name                                        ID   Mem VCPUs	State	Time(s)
) = 73
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fef0ca7cc10}, {SIG_DFL, [], 0}, 8) = 0
write(6, "\2\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0", 16) = 16
write(6, "/local/domain/0/name\0", 21

Comment 1 W. Michael Petullo 2016-05-31 22:32:25 UTC
Seems SELinux related. More to follow.

Comment 2 W. Michael Petullo 2016-06-01 13:39:48 UTC
Xen will begin to function properly with:

setenforce 0
systemctl restart systemd-modules-load
systemctl start xenstored
systemctl restart xenconsoled
setenforce 1

When I run these commands with dontaudit off, I get:

type=MAC_STATUS msg=audit(1464788327.257:1644): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=USER_AVC msg=audit(1464788327.257:1645): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1646): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1647): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1464788332.324:1648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788332.341:1649): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1464788332.345:1650): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788342.735:1651): avc:  denied  { rlimitinh } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1652): avc:  denied  { siginh } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1653): avc:  denied  { noatsecure } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1654): avc:  denied  { rlimitinh } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1655): avc:  denied  { noatsecure } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.781:1656): avc:  denied  { net_admin } for  pid=3461 comm="xenstored" capability=12  scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=SERVICE_START msg=audit(1464788342.815:1657): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenstored comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1464788350.109:1658): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1464788350.135:1659): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788350.137:1660): avc:  denied  { rlimitinh } for  pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.137:1661): avc:  denied  { noatsecure } for  pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.139:1662): avc:  denied  { sys_resource } for  pid=3480 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1

Comment 3 Miroslav Grepl 2016-08-16 06:44:46 UTC
Michael,
I apologize. I dropped the ball on this bug.

Is there a chance you could try to add this local policy

# cat mypol.cil
(allow xenstored_t xenstored_t (capability (net_admin)))

# semodule -i mypol.cil

and re-test it?

Thank you.
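
The following shell script is an added example (mine, not code from this report, from Fedora or from the SELinux project) that ties the diagnosis in comment 2 to the fix in comment 3: it reads AVC denial records of the shape pasted in comment 2 and prints the CIL allow rules that comment 3 writes by hand, restricted to a single source domain so that the unrelated init_t denials are not turned into policy. The sample records are constructed to match the report's own lines, not captured live. On a real Dom0 the input would come from "ausearch -m AVC -ts recent", and the maintained tool for this job is audit2allow from policycoreutils; the awk here is a deliberately small stand-in that shows what such a tool does with each record.

```shell
#!/bin/sh
# Added example: minimal AVC-to-CIL converter for ONE source domain.
# Not part of the bug report, Fedora, or the SELinux userspace tools.

# Constructed sample input, shaped like the audit lines in comment 2
# (contexts, classes and permissions copied from the report; not live output).
SAMPLE_AVC='type=AVC msg=audit(1464788342.781:1656): avc:  denied  { net_admin } for  pid=3461 comm="xenstored" capability=12  scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1464788350.139:1662): avc:  denied  { sys_resource } for  pid=3480 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1464788332.341:1649): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1464788342.751:1654): avc:  denied  { rlimitinh } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1'

# avc_to_cil DOMAIN
#   Reads audit records on stdin and prints one CIL rule per AVC denial whose
#   source type is DOMAIN, in the form  (allow SRC TGT (CLASS (PERM ...)))
#   Denials from other source types are dropped; duplicate rules are collapsed.
avc_to_cil() {
  awk -v want="$1" '
    /avc: +denied/ {
      # the permission list sits between the braces, e.g. "{ read write }"
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # a context is user:role:type[:range]; the type is the third field
        if ($i ~ /^scontext=/)      { split($i, f, ":"); src = f[3] }
        else if ($i ~ /^tcontext=/) { split($i, f, ":"); tgt = f[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src != want || tgt == "" || cls == "") next
      rule = sprintf("(allow %s %s (%s (%s)))", src, tgt, cls, perms)
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Demo on the constructed sample.  On a live Dom0 you would run, as root:
#   ausearch -m AVC -ts recent | avc_to_cil xenstored_t > mypol.cil
#   semodule -i mypol.cil      # the .cil extension tells semodule it is CIL
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil xenstored_t
```

Filtering by source domain is the point of the example. Run over the sample, "avc_to_cil xenstored_t" yields exactly the rule from comment 3, "(allow xenstored_t xenstored_t (capability (net_admin)))", and "avc_to_cil xenconsoled_t" yields the matching sys_resource rule for xenconsoled_t. The init_t records in the same log (rlimitinh, siginh and noatsecure on the transition to the new domain, and read/write on the kernel_t socket) are only visible because the reporter disabled dontaudit rules; feeding the whole log into a converter and installing the result would widen init_t for nothing. Review each emitted line against the process that triggered it before "semodule -i", and remove the module with "semodule -r mypol" once the distribution policy carries the fix.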

Comment 4 W. Michael Petullo 2016-08-25 23:12:01 UTC
I am using selinux-policy-3.13.1-191.12.fc24.noarch, and now both the Xen and VirtualBox modules load on boot. It appears that this is fixed on my computer. See also bug #1322625.

Comment 5 Robin Lee 2017-04-18 07:24:21 UTC
*** Bug 1334511 has been marked as a duplicate of this bug. ***

Comment 6 Robin Lee 2017-04-18 07:26:26 UTC
Persists in Fedora 26 Alpha
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-249.fc26.noarch
selinux-policy-3.13.1-249.fc26.noarch

Comment 7 W. Michael Petullo 2017-05-01 15:16:40 UTC
I was mistaken in comment #4. I suspect that my custom policy work remained after I installed the package cited in the comment. This problem does indeed seem to remain.