Bug 213930

Summary: Startup fails with tmpfs state
Product: [Fedora] Fedora
Reporter: Bill Nottingham <notting>
Component: xen
Assignee: Karl MacMillan <kmacmill>
Status: CLOSED RAWHIDE
QA Contact: Martin Jenner <mjenner>
Severity: medium
Priority: medium
Version: 6
CC: bstein, dwalsh, katzj, rvokal, xen-maint
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-09-24 19:47:39 EDT

Description Bill Nottingham 2006-11-03 15:24:13 EST
Description of problem:

If you enable TEMPORARY_STATE in /etc/sysconfig/readonly-root, tmpfs
is used for various temporary state on the system (/tmp, /var/tmp, /var/lib/xen,
etc.)

If you do this, xen fails to start, claiming:

IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp',
'/usr/tmp', '/' ]

audit logs show:

audit(1162585306.009:45): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6716 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:46): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6816 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:47): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6816 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:48): avc:  denied  { write } for  pid=3191 comm="python"
name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

xen-3.0.3-0.1.rc3
selinux-policy-2.4.1-3.fc6

Additional info:

'/'? As a temp dir???
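The IOError quoted in this report is the message CPython's tempfile module raises when none of its candidate directories accepts a test file; on POSIX the candidates are $TMPDIR/$TEMP/$TMP if set, then /tmp, /var/tmp, /usr/tmp, and finally the process's current working directory, which for a daemon started from an init script is '/'. Each probe is an attempt to create a file in that directory, and each AVC line above is SELinux refusing one of those probes. The following script is an added example (not part of the bug report or of xen) that re-joins the tracker-wrapped AVC lines, extracts the source/target types and permissions a policy fix would need to cover, and reproduces the candidate order; the log text is the report's own lines embedded as constructed sample input.

```python
"""Added example: parse the AVC denials quoted in the report and reproduce
the temp-dir candidate order that produced the IOError.

Assumptions: the audit lines are the ones from the report, wrapped by the
bug tracker; the candidate order mirrors CPython's tempfile module on POSIX.
"""
import re
from dataclasses import dataclass

# Constructed sample: the four AVC records from the report, line-wrapped as shown there.
SAMPLE_LOG = """\
audit(1162585306.009:45): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6716 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:46): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6816 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:47): avc:  denied  { search } for  pid=3191 comm="python"
name="tmp" dev=tmpfs ino=6816 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
audit(1162585306.009:48): avc:  denied  { write } for  pid=3191 comm="python"
name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple      # permissions inside the braces, e.g. ('search',)
    fields: dict      # key=value pairs after "for", quotes stripped

    def ctx_type(self, key):
        # A context is user:role:type[:range]; the type is what policy rules name.
        return self.fields[key].split(':')[2]

    @property
    def stype(self):
        return self.ctx_type('scontext')

    @property
    def ttype(self):
        return self.ctx_type('tcontext')

    @property
    def tclass(self):
        return self.fields['tclass']


def _records(text):
    """Re-join records the tracker wrapped across lines; each starts with 'audit('."""
    buf = []
    for line in text.splitlines():
        if line.startswith('audit(') and buf:
            yield ' '.join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield ' '.join(buf)


def parse_avc(record):
    """Parse one AVC denial record; return None for lines that are not denials."""
    m = AVC_RE.search(record)
    if not m:
        return None
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcDenial(perms, fields)


def parse_audit_log(text):
    return [d for d in (parse_avc(r) for r in _records(text)) if d is not None]


def summarize(denials):
    """Unique (source type, permission, target type, class) tuples: the set a policy fix must cover."""
    return sorted({(d.stype, p, d.ttype, d.tclass) for d in denials for p in d.perms})


def tempdir_candidates(env, cwd):
    """Order in which CPython's tempfile module probes on POSIX: env overrides, fixed dirs, then cwd."""
    dirs = [env[k] for k in ('TMPDIR', 'TEMP', 'TMP') if env.get(k)]
    dirs += ['/tmp', '/var/tmp', '/usr/tmp']
    dirs.append(cwd)
    return dirs


if __name__ == '__main__':
    for d in parse_audit_log(SAMPLE_LOG):
        print(f"{d.stype} denied {'+'.join(d.perms)} on {d.tclass} {d.fields['name']!r} ({d.ttype})")
    print(summarize(parse_audit_log(SAMPLE_LOG)))
    # With no TMPDIR set and the daemon's cwd at '/', this is exactly the list in the IOError.
    print(tempdir_candidates({}, '/'))
```

The summary collapses the three search denials on the tmp_t directories and the write denial on root_t into two (source, permission, target) triples, which is the shape an allow rule or a type transition has to address; the write attempt on '/' is the last-resort cwd candidate, not a configuration choice, which is why it appears in the probe list.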
Comment 1 Stephen Tweedie 2006-11-03 16:36:11 EST
On a normal system:

# ls -lZd /var/lib/xen
drwxr-xr-x  root root system_u:object_r:xend_var_lib_t /var/lib/xen

but from the look of the logs above, you've got the tmpfs /var/lib/xen mounted
with context system_u:object_r:tmp_t.  So I'm not surprised if policy fails!

Is it possible to mount that dir with the correct context and try again?
Comment 2 Bill Nottingham 2006-11-03 16:48:19 EST
/var/lib/xen is system_u:object_r:xend_var_lib_t. It's /tmp that's tmp_t.
Comment 4 Karl MacMillan 2007-04-02 16:46:14 EDT
/tmp should be tmp_t. What is the normal tmp directory for xen? What directories
are mounted as tmpfs when this is set and do any paths become symlinks?
Comment 5 Daniel Walsh 2007-04-02 17:04:38 EDT
Ok adding policy to allow xend to create /tmp files xend_tmp_t.

selinux-policy-2.4.6-50
Comment 6 Red Hat Bugzilla 2007-07-24 20:02:20 EDT
change QA contact
Comment 7 Daniel Berrange 2007-09-24 19:47:39 EDT
Closed based on comment #5 indicating policy is fixed.