Bug 192813
Summary: Xen hangs on boot with targeted policy enabled

| Field | Value |
|---|---|
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Stephen Tweedie <sct> |
| Assignee | James Antill <james.antill> |
| CC | bstein, jon.fairbairn, markmc |
| Fixed In Version | fc6 |
| Doc Type | Bug Fix |
| Last Closed | 2007-01-11 21:53:10 UTC |

Description
Stephen Tweedie
2006-05-23 11:23:00 UTC
Created attachment 129851 [details]
Log of full AVC errors reported in permissive mode
Permissive mode allows xend to boot but reports a huge raft of other AVC
denials too.

This should be fixed with the latest policy/xen packages.

*** Bug 196474 has been marked as a duplicate of this bug. ***

This is present in FC5 (x86_64) with
xen-3.0.2-3.FC5
selinux-policy-2.3.2-1.fc5
selinux-policy-targeted-2.3.2-1.fc5

sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 20
Policy from config file: targeted

(current mode set to permissive to permit it to work...)

Would someone care to indicate a sensible workaround short of setting permissive mode? Thanks.

> This should be fixed with the latest policy/xen packages.
Apparently we have a new denial. I'm running _latest_ Rawhide. "service xend
start" says:
Starting xend: audit(1171525328.065:7): avc: denied { getattr } for pid=2523
comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
I switched to Permissive. Now "service xend start" says:
Starting xend: audit(1171525892.781:10): avc: denied { read write } for pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc: denied { use } for pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.785:12): avc: denied { read write } for pid=2715 comm="xenconsoled" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.789:13): avc: denied { use } for pid=2715 comm="xenconsoled" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.821:14): avc: denied { getattr } for pid=2723 comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Bridge firewalling registered
audit(1171525893.729:15): dev=vif0.0 prom=256 old_prom=0 auid=4294967295
audit(1171525895.833:16): dev=peth0 prom=256 old_prom=0 auid=4294967295

Oh, this bug was old. Sorry! I guess I should have opened a new bug for this because this bug was about fc6 and my issue happens in Rawhide (Fedora 7). Well, I think you saw the emails anyway, so I'm not opening a new one. :)

This bug is closed, so nobody is paying any attention to it. Please open a new one, it's just asking for engineers' brains to explode if you try to confuse too many issues into one bugzilla report. :) Seriously, it's far far easier to track what's going on and assign bugs properly that way. Thanks!
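
An added example, not part of the original bug thread: a small Python parser that groups AVC denial records like the ones quoted above by source domain, target type and object class, which is the usual first triage step when a permissive-mode boot produces many denials. The function names are hypothetical, and the sample records are copied from the permissive-mode output in the report.

```python
import re
from collections import defaultdict

# Records copied from the permissive-mode output quoted in the report above.
SAMPLE = """\
audit(1171525892.781:10): avc: denied { read write } for pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc: denied { use } for pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.821:14): avc: denied { getattr } for pid=2723 comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Bridge firewalling registered
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to attribute the denial
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type from user:role:type[:level]; the MLS level may hold colons."""
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else ctx


def summarize(text):
    """Map (source type, target type, class) to the sorted permissions denied."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec["scontext"]),
                   context_type(rec["tcontext"]), rec["tclass"])
            summary[key].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```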