Bug 244199

Summary: xen guest doesn't start because of SELinux denials
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: xenAssignee: Xen Maintainance List <xen-maint>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 7CC: dwalsh, katzj
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-18 08:08:54 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
audit.log none

Description Matěj Cepl 2007-06-14 10:13:47 EDT
Description of problem:
when starting SELinux guest (RHEL4, previously installed when host was FC6), it
ends with no error warning whatsoever. When switched SELinux to permissive mode
xm was working again. /var/audit/audit.log is attached

Version-Release number of selected component (if applicable):
xen-3.1.0-0.rc7.1.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
100%

Steps to Reproduce:
1. run xm create rhel4
2. vncviewer localhost
3.
  
Actual results:
no response, vncviewer fails

Expected results:
xm guest running and vncviewer displaying booting Xen guest

Additional info:
Comment 1 Matěj Cepl 2007-06-14 10:13:48 EDT
Created attachment 157001 [details]
audit.log
Comment 2 Daniel Walsh 2007-06-14 10:18:47 EDT
This looks like you might have a labeling problem in /var/run

restorecon -R -v /var/run

Comment 3 Matěj Cepl 2007-06-14 11:00:58 EDT
For the record I did .autorelabel thing after upgrading to FC7, but when I run
restorecon I got this:

sh-3.2# restorecon -R -v /var/run
restorecon reset /var/run/rpcbind.lock context
system_u:object_r:initrc_var_run_t:s0->system_u:object_r:var_run_t:s0
sh-3.2# restorecon -R -v /var/run
sh-3.2# 

However, immediately I get another AVC denial

(at least this one, I am not sure, where did restorecon happen in terms of
/var/log/audit/audit.log file):

avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381
scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0
suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

OK, both of these as well:

avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 

and 

avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 
Comment 4 Daniel Walsh 2007-06-14 11:48:37 EDT
Fixed in selinux-policy-2.6.4-16
Comment 5 Matěj Cepl 2007-09-18 01:39:59 EDT
Yes, it is.