Bug 239449
Summary: | AVC: Xen hotplug scripts fail to run under udev_t | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Daniel Berrangé <berrange> | ||||||||
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||||||
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||||||
Severity: | medium | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | rawhide | CC: | atkac, dwalsh, mbabej, rjones, xen-maint | ||||||||
Target Milestone: | --- | ||||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2007-09-10 14:45:35 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Daniel Berrangé
2007-05-08 15:01:52 UTC
Created attachment 154339 [details]
Audit logs from just after VM creation
For me this error is characterised by the following message: xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.' It is indeed an SELinux problem. Setting SELinux mode to Permissive allows the install to complete. After this, dmesg | audit2allow shows a slightly different set of rules from the one that Dan reported above: #============= restorecon_t ============== allow restorecon_t xend_t:fd use; #============= udev_t ============== allow udev_t proc_xen_t:dir search; allow udev_t proc_xen_t:file { read write getattr }; allow udev_t xen_image_t:dir { getattr search }; allow udev_t xen_image_t:file getattr; allow udev_t xend_var_lib_t:dir { getattr search }; allow udev_t xend_var_log_t:dir { write search add_name }; allow udev_t xend_var_log_t:file create; #============= xend_t ============== allow xend_t var_run_t:dir create; allow xend_t xend_tmp_t:file { write rename unlink }; Created attachment 154341 [details]
dmesg just after successful creation in Permissive mode
Ignore my report about slightly different audit2allow rules. In fact mine match Dan's. 'allow restorecon_t' is caused by an earlier, unrelated error. Fixed in selinux-policy-2.6.4-4.fc7 I have F7 installed with selinux-policy-2.6.4-8.fc7 and the problem is still there. When i try to create a virt guest using virt-manager, it fails with error message : Unable to complete install: 'virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')' and a bunch of SELinux avc denials "SELinux is preventing vif-bridge (udev_t) "write" to xen (xend_var_log_t)." audit2allow </var/log/audit/audit.log: #============= udev_t ============== allow udev_t xend_var_log_t:dir write; #============= xend_t ============== allow xend_t var_run_t:dir create; These do not make much sense. I can allow xend_t to create a new directory in /var/run or is this a mislabeled directory. udev wants to create a new file under xend_var_log_t? Please attach the audit.log This looks like potential problem: type=AVC msg=audit(1181032164.422:48): avc: denied { read } for pid=4606 comm="python" name="F7" dev=0:15 ino=7778336 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1181032164.422:48): arch=40000003 syscall=195 success=no exit=-13 a0=94c0e18 a1=b3594d78 a2=4a0cdff4 a3=9564db0 items=0 ppid=2648 pid=4606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null) AVCs is from rawhide system rpm -q selinux-policy selinux-policy-2.6.5-2.fc8 A Ok, i removed audit.log, restarted auditd and started the virtual machine. Here is the fresh audit.log Created attachment 156198 [details]
audit.log just after virtual machine startup
Fixed in selinux-policy-3.0.1-1.fc8 (In reply to comment #11) > Fixed in selinux-policy-3.0.1-1.fc8 Could be but I got same error during compilation which is in koji (http://koji.fedoraproject.org/koji/getfile?taskID=21821&name=build.log) A Yes that is not released yet. |