Bug 243219
| Field | Value |
|---|---|
| Summary | selinux won't allow launching of existing or creation of new xen hosts in Fedora 7 |
| Product | [Fedora] Fedora |
| Reporter | Phil Hale <phaleintx> |
| Component | selinux-policy |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED DUPLICATE |
| Severity | low |
| Priority | low |
| Version | 7 |
| CC | djuran, katzj, rhbugs, xen-maint |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2007-07-11 17:21:48 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description (Phil Hale, 2007-06-07 23:21:03 UTC)

Created attachment 156526: xend log
Created attachment 156527: audit log
Looks like a policy bug to me - assigned to selinux policy. I hope this information helps someone.

I'm trying to run Xen with a slightly newer xen and selinux policy (from fedora-updates-testing) and my error messages are slightly different when I try to create a new guest:
'Device 0 (vif) could not be connected. Hotplug scripts not working.'
audit(1181937852.205:5): avc: denied { create } for pid=2808 comm="blktap" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937852.241:6): avc: denied { create } for pid=2821 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.474:7): avc: denied { create } for pid=2853 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.534:8): avc: denied { create } for pid=2862 comm="blktap" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.578:9): avc: denied { create } for pid=2879 comm="xen-hotplug-cle" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.638:10): avc: denied { create } for pid=2883 comm="xen-hotplug-cle" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
[root@xen images]# dmesg | audit2allow
#============= udev_t ==============
allow udev_t xend_var_log_t:file create;
---
The relevant installed packages:
kernel-xen-2.6.20-2925.11.fc7
xen-3.1.0-2.fc7
selinux-policy-targeted-2.6.4-14.fc7
Fixed in selinux-policy-2.6.4-17

Tested with selinux-policy-2.6.4-17, still no go.

[root@xen ~]# virt-install
Would you like a fully virtualized guest (yes or no)? This will allow you to run unmodified operating systems. no
What is the name of your virtual machine? gw
How much RAM should be allocated (in megabytes)? 384
What would you like to use as the disk (path)? /var/lib/xen/images/gw
Would you like to enable graphics support? (yes or no) no
What is the install location? ftp://192.168.0.160/documents/fc7/x86_64/os/
Starting install...
libvir: Xen Daemon error : GET operation failed:
Retrieving Fedora... 192 kB 00:00
Retrieving vmlinuz... 100% |=========================| 1.8 MB 00:00
Retrieving initrd.img... 100% |=========================| 5.4 MB 00:01
libvir: Xen Daemon error : GET operation failed:
libvir: Xen Daemon error : POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')
Traceback (most recent call last):
  File "/usr/sbin/virt-install", line 629, in <module>
    main()
  File "/usr/sbin/virt-install", line 578, in main
    dom = guest.start_install(conscb,progresscb)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 649, in start_install
    return self._do_install(consolecb, meter)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 666, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 503, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirt.libvirtError: virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')

[root@xen ~]# dmesg
audit(1182243207.872:6): avc: denied { search } for pid=2799 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.872:7): avc: denied { search } for pid=2799 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:8): avc: denied { search } for pid=2812 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:9): avc: denied { search } for pid=2812 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:10): avc: denied { search } for pid=2844 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:11): avc: denied { search } for pid=2844 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:12): avc: denied { search } for pid=2855 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:13): avc: denied { search } for pid=2855 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:14): avc: denied { search } for pid=2870 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:15): avc: denied { search } for pid=2870 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:16): avc: denied { search } for pid=2874 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:17): avc: denied { search } for pid=2874 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
[root@xen ~]# dmesg | audit2allow
#============= udev_t ==============
allow udev_t xend_var_log_t:dir search;
[root@xen ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-17.fc7

Try again

Fixed in selinux-policy-2.6.4-18

rpm -q selinux-policy
selinux-policy-2.6.4-21.fc7
Got the following errors:
Summary
SELinux is preventing /sbin/losetup (udev_t) "write" to winxp2
(xen_image_t).
Detailed Description
SELinux denied access requested by /sbin/losetup. It is not expected that
this access is required by /sbin/losetup and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for winxp2, restorecon -v winxp2 If
this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
can disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Additional Information
Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context system_u:object_r:xen_image_t
Target Objects winxp2 [ file ]
Affected RPM Packages util-linux-2.13-0.51.fc7 [application]
Policy RPM selinux-policy-2.6.4-21.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name xx
Platform Linux xx 2.6.20-2925.11.fc7xen #1
SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count 8
First Seen Mon 25 Jun 2007 01:48:51 PM MDT
Last Seen Tue 26 Jun 2007 07:40:19 AM MDT
Local ID 33d14a58-f07e-4ab7-9369-ebb3e82f96e5
Line Numbers
Raw Audit Messages
avc: denied { write } for comm="losetup" dev=dm-0 egid=0 euid=0
exe="/sbin/losetup" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="winxp2"
pid=4750 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:xen_image_t:s0 tty=(none) uid=0
Summary
SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown>
(udev_t).
Detailed Description
SELinux denied access requested by /usr/sbin/brctl. It is not expected that
this access is required by /usr/sbin/brctl and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects None [ capability ]
Affected RPM Packages bridge-utils-1.1-2 [application]
Policy RPM selinux-policy-2.6.4-21.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name xxx
Platform Linux xxx 2.6.20-2925.11.fc7xen #1
SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count 24
First Seen Mon 25 Jun 2007 01:13:19 PM MDT
Last Seen Tue 26 Jun 2007 07:40:19 AM MDT
Local ID 97da150d-9cd6-4e8b-a842-7477eb86179e
Line Numbers
Raw Audit Messages
avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl"
exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=4801
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
Ok adding fstools_domtrans(udev_t) will allow udev to transition to the fstools domain and should allow this.

fixed in selinux-policy-2.6.4-24

[root@xen images]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-25.fc7
[root@xen images]# dmesg | grep avc
audit(1183568070.371:141): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568070.371:142): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568125.917:143): avc: denied { getattr } for pid=11526 comm="readlink" name="virtinst-boot.iso.ml2Pro" dev=sda3 ino=61505839 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=root:object_r:xend_var_lib_t:s0 tclass=file
audit(1183568126.013:145): avc: denied { append } for pid=11614 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1183568126.021:146): avc: denied { read write } for pid=11614 comm="losetup" name="gw" dev=sda3 ino=61505898 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=root:object_r:xen_image_t:s0 tclass=file
audit(1183568126.517:150): avc: denied { sys_module } for pid=11697 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568126.517:151): avc: denied { sys_module } for pid=11697 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568220.997:152): avc: denied { append } for pid=12939 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
[root@xen images]# dmesg | grep avc | audit2allow
#============= fsadm_t ==============
allow fsadm_t xen_image_t:file { read write };
allow fsadm_t xend_var_log_t:file append;
#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t xend_var_lib_t:file getattr;
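The audit2allow rules quoted in this thread are derived mechanically from the avc records above them. The following Python is an added example, not part of this bug's comments and not audit2allow itself: it parses records of exactly that shape and regroups them into the same allow rules, so a policy reviewer can see which source domain, target type and permissions each denial maps to before deciding whether the right fix is a rule or, as the maintainer chose here with fstools_domtrans, a domain transition. The sample records are constructed copies of lines quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample: four denials in the shape of those quoted in this bug.
SAMPLE_AVC = """\
audit(1183568126.013:145): avc: denied { append } for pid=11614 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1183568126.021:146): avc: denied { read write } for pid=11614 comm="losetup" name="gw" dev=sda3 ino=61505898 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=root:object_r:xen_image_t:s0 tclass=file
audit(1183568070.371:141): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568125.917:143): avc: denied { getattr } for pid=11526 comm="readlink" name="virtinst-boot.iso.ml2Pro" dev=sda3 ino=61505839 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=root:object_r:xend_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (perms, fields) for one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields

def aggregate(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC record, e.g. other dmesg output
        perms, f = parsed
        src = f["scontext"].split(":")[2]  # user:role:type[:range] -> type
        tgt = f["tcontext"].split(":")[2]
        if src == tgt:
            tgt = "self"  # same-type rules are written against 'self'
        rules[(src, tgt, f["tclass"])] |= perms
    return rules

def render_allow_rules(rules):
    """Emit 'allow src tgt:class perms;' lines, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

print("\n".join(render_allow_rules(aggregate(SAMPLE_AVC))))
```

The output for the sample matches the four audit2allow lines quoted above; a rule that would grant a capability such as sys_module to udev_t, or file access to the target domain directly, is the kind a reviewer would question before installing.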
I am seeing the same, when creating a domain (xm create /etc/xen/fc6_0)
# rpm -q selinux-policy
selinux-policy-2.6.4-25.fc7
# sealert -l 5f913024-7422-49dc-b9a0-02f09fb121ef
Summary
SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown>
(udev_t).
Detailed Description
SELinux denied access requested by /usr/sbin/brctl. It is not expected that
this access is required by /usr/sbin/brctl and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this package.
Additional Information
Source Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects None [ capability ]
Affected RPM Packages bridge-utils-1.1-2 [application]
Policy RPM selinux-policy-2.6.4-25.fc7
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.20-2925.11.fc7xen
#1 SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count 4
First Seen Tue Jul 10 15:51:17 2007
Last Seen Tue Jul 10 15:58:38 2007
Local ID 5f913024-7422-49dc-b9a0-02f09fb121ef
Line Numbers
Raw Audit Messages
avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl"
exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=5922
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
This is the command which fails:
brctl addif eth0 vif7.0
(Note that in the wacky world of Xen, eth0 is a bridge).
Strangely enough, both ioctls succeed:
ioctl(4, SIOCGIFINDEX, {ifr_name="vif7.0", ifr_index=12}) = 0
ioctl(3, 0x89a2, 0x7fff8f703230) = 0
and the process exits normally (status 0), but an AVC is logged.
So I guess -EPERM is being lost somewhere along the line.
*** This bug has been marked as a duplicate of 245274 ***