Bug 192813

Summary: Xen hangs on boot with targeted policy enabled
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Stephen Tweedie <sct>
Assignee: James Antill <james.antill>
CC: bstein, jon.fairbairn, markmc
Fixed In Version: fc6
Doc Type: Bug Fix
Last Closed: 2007-01-11 21:53:10 UTC
Attachments: Log of full AVC errors reported in permissive mode

Description Stephen Tweedie 2006-05-23 11:23:00 UTC
Description of problem:
With the targeted policy in enforcing mode, xend refuses to start, hanging on boot.

Version-Release number of selected component (if applicable):
kernel-xen0-2.6.16-1.2203_FC6
xen-3.0.2-4
selinux-policy-targeted-2.2.42-1

How reproducible:
100%

Steps to Reproduce:
1. yum install xen kernel-xen0
2. boot into the xen0 kernel
  
Actual results:
Boot hangs trying to run the xend service, with the AVC denial

Starting xend:  audit(1148382030.290:8): avc:  denied  { node_bind } for 
pid=2523 comm="python" src=8002 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

Expected results:

xend to start without hanging.

Additional info:

Problem persists after a full relabel.

Comment 1 Stephen Tweedie 2006-05-23 11:24:37 UTC
Created attachment 129851 [details]
Log of full AVC errors reported in permissive mode

Permissive mode allows xend to boot but reports a huge raft of other AVC
denials too.

Comment 2 James Antill 2006-07-14 16:55:19 UTC
This should be fixed with the latest policy/xen packages.

Comment 3 James Antill 2006-07-14 16:58:41 UTC
*** Bug 196474 has been marked as a duplicate of this bug. ***

Comment 4 Jón Fairbairn 2006-07-22 10:03:41 UTC
This is present in FC5 (x86_64) with 
xen-3.0.2-3.FC5
selinux-policy-2.3.2-1.fc5
selinux-policy-targeted-2.3.2-1.fc5

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

(current mode set to permissive to permit it to work...)

Would someone care to indicate a sensible workaround short of setting permissive
mode?

Thanks.

Comment 6 Jarkko 2007-02-15 07:47:13 UTC
> This should be fixed with the latest policy/xen packages.

Apparently we have a new denial. I'm running _latest_ Rawhide. "service xend
start" says:

Starting xend: audit(1171525328.065:7): avc:  denied  { getattr } for  pid=2523
comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Comment 7 Jarkko 2007-02-15 07:54:41 UTC
I switched to Permissive. Now "service xend start" says:

Starting xend: audit(1171525892.781:10): avc:  denied  { read write } for 
pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655
scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc:  denied  { use } for  pid=2712 comm="xenstored"
name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.785:12): avc:  denied  { read write } for  pid=2715
comm="xenconsoled" name="tty1" dev=tmpfs ino=1655
scontext=system_u:system_r:xenconsoled_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.789:13): avc:  denied  { use } for  pid=2715 comm="xenconsoled"
name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenconsoled_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.821:14): avc:  denied  { getattr } for  pid=2723 comm="python"
name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Bridge firewalling registered
audit(1171525893.729:15): dev=vif0.0 prom=256 old_prom=0 auid=4294967295
audit(1171525895.833:16): dev=peth0 prom=256 old_prom=0 auid=4294967295
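
The denials quoted in this report (comment 0, comment 6 and comment 7) all use the kernel's `avc: denied { perms } for ... scontext=... tcontext=... tclass=...` format, and the first question a policy maintainer asks is which (source type, target type, class) triples are missing a rule. The script below is an added example, not code from the report or from Fedora's policy tooling: it parses that format, skips the non-AVC audit lines (the promiscuous-mode ones at the end of comment 7), groups the denied permissions, and prints one `allow` rule per group in the shape audit2allow emits. The sample log is built from lines copied out of this report, joined back onto single lines since the bug tracker wrapped them; the rules it prints are input to a review of the policy, not something to load unread.

```python
"""Parse SELinux AVC denial lines and summarise them per (source, target, class).

Added example for this bug report; the input format is the kernel audit format
quoted in the report, and the sample lines are copied from comments 0, 6 and 7.
"""
import re
from collections import defaultdict

# Constructed sample: denial lines copied from this report, one per line, plus one
# non-AVC audit line (promiscuous-mode change) that the parser must ignore.
SAMPLE_LOG = """\
audit(1148382030.290:8): avc:  denied  { node_bind } for  pid=2523 comm="python" src=8002 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
audit(1171525328.065:7): avc:  denied  { getattr } for  pid=2523 comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
audit(1171525892.781:10): avc:  denied  { read write } for  pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc:  denied  { use } for  pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525893.729:15): dev=vif0.0 prom=256 old_prom=0 auid=4294967295
"""

# "avc:  denied  { read write } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either quoted (comm="python") or bare (pid=2523)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type (third field) of a context such as system_u:system_r:xend_t:s0.

    Works for MLS contexts too: the range (s0-s0:c0.c1023) comes after the type.
    """
    return context.split(":")[2]


def parse_avc_line(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc_line(line)
        if d:
            summary[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def allow_rules(summary):
    """Render one 'allow' rule per group, in the form audit2allow prints."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against a real audit.log (or the output of ausearch -m avc) instead of SAMPLE_LOG, the grouping shows at once that the boot hang in comment 0 is a single missing `node_bind` rule for xend_t, while comment 7 adds separate gaps for xenstored_t and xenconsoled_t on the console tty.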

Comment 8 Jarkko 2007-02-15 08:02:03 UTC
Oh, this bug was old. Sorry! I guess I should have opened a new bug for this
because this bug was about fc6 and my issue happens in Rawhide (Fedora 7).

Well, I think you saw the emails anyway, so I'm not opening a new one. :)

Comment 9 Stephen Tweedie 2007-02-19 20:43:52 UTC
This bug is closed, so nobody is paying any attention to it.  Please open a new
one, it's just asking for engineers' brains to explode if you try to confuse too
many issues into one bugzilla report. :)  Seriously, it's far far easier to
track what's going on and assign bugs properly that way.  Thanks!