Bug 239449
| Summary: | AVC: Xen hotplug scripts fail to run under udev_t | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Berrangé <berrange> | ||||||||
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | rawhide | CC: | atkac, dwalsh, mbabej, rjones, xen-maint | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2007-09-10 14:45:35 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
Created attachment 154339 [details]
Audit logs from just after VM creation
For me this error is characterised by the following message:
xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.'
It is indeed an SELinux problem. Setting SELinux mode to Permissive allows the
install to complete. After this, dmesg | audit2allow shows a slightly different
set of rules from the one that Dan reported above:
#============= restorecon_t ==============
allow restorecon_t xend_t:fd use;
#============= udev_t ==============
allow udev_t proc_xen_t:dir search;
allow udev_t proc_xen_t:file { read write getattr };
allow udev_t xen_image_t:dir { getattr search };
allow udev_t xen_image_t:file getattr;
allow udev_t xend_var_lib_t:dir { getattr search };
allow udev_t xend_var_log_t:dir { write search add_name };
allow udev_t xend_var_log_t:file create;
#============= xend_t ==============
allow xend_t var_run_t:dir create;
allow xend_t xend_tmp_t:file { write rename unlink };
Created attachment 154341 [details]
dmesg just after successful creation in Permissive mode
Ignore my report about slightly different audit2allow rules. In fact mine match Dan's. 'allow restorecon_t' is caused by an earlier, unrelated error. Fixed in selinux-policy-2.6.4-4.fc7 I have F7 installed with selinux-policy-2.6.4-8.fc7 and the problem is still there. When i try to create a virt guest using virt-manager, it fails with error message : Unable to complete install: 'virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')' and a bunch of SELinux avc denials "SELinux is preventing vif-bridge (udev_t) "write" to xen (xend_var_log_t)." audit2allow </var/log/audit/audit.log: #============= udev_t ============== allow udev_t xend_var_log_t:dir write; #============= xend_t ============== allow xend_t var_run_t:dir create; These do not make much sense. I can allow xend_t to create a new directory in /var/run or is this a mislabeled directory. udev wants to create a new file under xend_var_log_t? Please attach the audit.log This looks like potential problem:
type=AVC msg=audit(1181032164.422:48): avc: denied { read } for pid=4606
comm="python" name="F7" dev=0:15 ino=7778336
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=lnk_file
type=SYSCALL msg=audit(1181032164.422:48): arch=40000003 syscall=195 success=no
exit=-13 a0=94c0e18 a1=b3594d78 a2=4a0cdff4 a3=9564db0 items=0 ppid=2648
pid=4606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)
AVCs is from rawhide system
rpm -q selinux-policy
selinux-policy-2.6.5-2.fc8
A
Ok, i removed audit.log, restarted auditd and started the virtual machine. Here is the fresh audit.log Created attachment 156198 [details]
audit.log just after virtual machine startup
Fixed in selinux-policy-3.0.1-1.fc8 (In reply to comment #11) > Fixed in selinux-policy-3.0.1-1.fc8 Could be but I got same error during compilation which is in koji (http://koji.fedoraproject.org/koji/getfile?taskID=21821&name=build.log) A Yes that is not released yet. |
Description of problem: When starting a new guest VM, multiple AVC denials are logged. There seem to be two general classes of problem: 1. The hotplug scripts are running under a confined udev_t context which doesn't have ability to do the various disk / network setup tasks xen requires 2. Xend needs to be able to create fifos to deal with bootlodaer interaction This can be seen from the audi2allow suggests: # audit2allow < /var/log/audit/audit.log #============= udev_t ============== allow udev_t proc_xen_t:dir search; allow udev_t proc_xen_t:file { read write getattr }; allow udev_t xen_image_t:dir { getattr search }; allow udev_t xen_image_t:file getattr; allow udev_t xend_var_lib_t:dir { getattr search }; allow udev_t xend_var_log_t:dir search; #============= xend_t ============== allow xend_t var_run_t:fifo_file { read write create }; allow xend_t xend_tmp_t:file { read write rename unlink }; allow xend_t xend_var_run_t:fifo_file { read write create unlink }; Version-Release number of selected component (if applicable): selinux-policy-2.6.1-1.fc7 xen-3.1.0-0.rc7.1.fc7 How reproducible: Always Steps to Reproduce: 1. Start a Xen guest when SELinux is in permissive mode 2. 3. Actual results: Multiple AVCs Expected results: No AVCs Additional info: Will attach the complete audit log