Bug 195952

Summary: SELinux doesn't let xen create directories in /var/run
Product: [Fedora] Fedora Reporter: James Antill <james.antill>
Component: xenAssignee: Xen Maintainance List <xen-maint>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: bstein, katzj
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-06-23 19:34:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150224    
Attachments:
Description Flags
fixup the init.d file to create the directories that xend/senstored can't none

Description James Antill 2006-06-19 20:56:08 UTC 
Description of problem:
 xend wants to create /var/run/xend when it is first run, SELinux doesn't let
it. Dito xenstored wanting to create /var/run/xenstored.

How reproducible:
 Always

Additional info:

 The best fix here is to create the directories inside the init.d script, so the
daemon don't need extra permissions. I'm attaching a patch which does that.
Comment 1 James Antill 2006-06-19 20:56:08 UTC 
Created attachment 131157 [details]
fixup the init.d file to create the directories that xend/senstored can't
Comment 2 Jeremy Katz 2006-06-19 21:23:31 UTC 
Do we want the initscript to or should the directories be created by the
_package_ so that the contexts end up correct?
Comment 3 James Antill 2006-06-19 21:45:18 UTC 
 Well I wanted it to work in case someone did:

rm -rf /var/run/*

...AFAIK that's valid, no?
 I call restorecon on the directories after mkdir'ing them. So they have the
correct contexts.

 If it's fine to assume that any directories under /var/run will __never be
removed__, then sure, move it to the pacakge.
 The only problem with that is if anyone ever does remove them, it'll only fail
with SELinux in enforcing mode ... and won't print anything helpful (xen even
boots, it just isn't that useful because there isn't a socket in /var/run/xend
for xm for to communicate with it).
Comment 4 Jeremy Katz 2006-06-19 22:00:19 UTC 
If someone does 'rm -rf /var/run*' then they're going to get a lot of SELinux
errors.  Look at what other dirs are in there :)

So let's just go for adding the dirs to the package.  This also has the
advantage of then not being a patch against the initscript to have to maintain
forever (since it probably wouldn't be accepted upstream)
Comment 5 Jeremy Katz 2006-06-23 19:34:35 UTC 
Fixed for -9