Red Hat Bugzilla – Full Text Bug Listing
|Summary:||SELinux doesn't let xen create directories in /var/run|
|Product:||[Fedora] Fedora||Reporter:||James Antill <james.antill>|
|Component:||xen||Assignee:||Xen Maintainance List <xen-maint>|
|Status:||CLOSED RAWHIDE||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2006-06-23 15:34:35 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description James Antill 2006-06-19 16:56:08 EDT
Description of problem: xend wants to create /var/run/xend when it is first run, SELinux doesn't let it. Dito xenstored wanting to create /var/run/xenstored. How reproducible: Always Additional info: The best fix here is to create the directories inside the init.d script, so the daemon don't need extra permissions. I'm attaching a patch which does that.
Comment 1 James Antill 2006-06-19 16:56:08 EDT
Created attachment 131157 [details] fixup the init.d file to create the directories that xend/senstored can't
Comment 2 Jeremy Katz 2006-06-19 17:23:31 EDT
Do we want the initscript to or should the directories be created by the _package_ so that the contexts end up correct?
Comment 3 James Antill 2006-06-19 17:45:18 EDT
Well I wanted it to work in case someone did: rm -rf /var/run/* ...AFAIK that's valid, no? I call restorecon on the directories after mkdir'ing them. So they have the correct contexts. If it's fine to assume that any directories under /var/run will __never be removed__, then sure, move it to the pacakge. The only problem with that is if anyone ever does remove them, it'll only fail with SELinux in enforcing mode ... and won't print anything helpful (xen even boots, it just isn't that useful because there isn't a socket in /var/run/xend for xm for to communicate with it).
Comment 4 Jeremy Katz 2006-06-19 18:00:19 EDT
If someone does 'rm -rf /var/run*' then they're going to get a lot of SELinux errors. Look at what other dirs are in there :) So let's just go for adding the dirs to the package. This also has the advantage of then not being a patch against the initscript to have to maintain forever (since it probably wouldn't be accepted upstream)
Comment 5 Jeremy Katz 2006-06-23 15:34:35 EDT
Fixed for -9