Bug 244434

Summary: targeted missing policy for access of /var elements by udev for Xen
Product: Fedora
Version: 7
Component: selinux-policy-targeted
Reporter: Michael Carney <mwc>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:11:14 UTC

Description Michael Carney 2007-06-15 16:55:29 UTC
Description of problem:
Using virt-install to create Xen guests on vanilla F7 + latest updates fails.

Various scripts (vif-bridge, block, xen-hotplug-cleanup) under udev attempt to
do the following:
1) Create a log file: /var/log/xen/xen-hotplug.log
   Missing: allow udev_t xend_var_log_t:file create

Create /var/log/xen/xen-hotplug.log by hand, retry...

2) mkdir: cannot create directory `/var/run/xen-hotplug': Permission denied
  Missing: allow udev_t udev_var_run_t:dir create
(Noticed that /usr/bin/brctl was failing.
  Missing: allow udev_t self:capability sys_module;)

Mkdir /var/run/xen-hotplug by hand, retry...

3) Install dies with the 'block' script under udev trying to mkdir
/var/run/xen-hotplug/block

So it appears the following access needs to be granted:
audit2allow < /var/log/audit/audit.log


#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t udev_var_run_t:dir create;
allow udev_t xend_var_log_t:file create;

Version-Release number of selected component (if applicable): 2.6.4-14


How reproducible: Always. See above for how.

Comment 1 Daniel Walsh 2007-06-18 14:42:42 UTC
I have added the ability to create xen_var_log_t.  Allowing udev to load system
modules is a bad idea.  (If I can install a system module, I can probably take
over the machine.)

The other fixes will be in selinux-policy-2.6.4-17
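The audit2allow step in the description and the maintainer's refusal of sys_module in Comment 1, as an added example (not code from the report or from selinux-policy): it merges constructed AVC denial lines into allow rules the way audit2allow groups them per source/target/class, and sets rules that would grant a permission on a review list aside instead of emitting them with the rest. The sample log lines, the regex and the REVIEW_BEFORE_ALLOW set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed AVC denials modelled on the three accesses in the report (sample data, not the reporter's audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181926529.123:45): avc:  denied  { create } for  pid=2345 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
type=AVC msg=audit(1181926530.456:46): avc:  denied  { create } for  pid=2346 comm="mkdir" name="xen-hotplug" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181926531.789:47): avc:  denied  { sys_module } for  pid=2347 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=capability
type=SYSCALL msg=audit(1181926531.789:47): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<sctx>\S+).*?\btcontext=(?P<tctx>\S+).*?\btclass=(?P<tclass>\w+)'
)

# Permissions that must not be granted just because audit2allow suggests them;
# sys_module is the one refused in this bug (assumed list, extend as policy dictates).
REVIEW_BEFORE_ALLOW = {("capability", "sys_module")}

def parse_avc(line):
    """Extract (source type, target type or 'self', class, perms) from one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("sctx").split(":")[2]   # contexts are user:role:type[:level]
    ttype = m.group("tctx").split(":")[2]
    target = "self" if ttype == stype else ttype  # audit2allow writes e.g. self:capability
    return stype, target, m.group("tclass"), frozenset(m.group("perms").split())

def audit_to_allow(log_text):
    """Merge denials into audit2allow-style rules; return (rules, flagged_for_review)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, target, tclass, perms = parsed
            grouped[(stype, target, tclass)] |= perms
    rules, flagged = [], []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rule = f"allow {stype} {target}:{tclass} {text};"
        (flagged if any((tclass, x) in REVIEW_BEFORE_ALLOW for x in p) else rules).append(rule)
    return rules, flagged

if __name__ == "__main__":
    ok, risky = audit_to_allow(SAMPLE_AUDIT_LOG)
    print(*ok, "# needs review before adding to policy:", *risky, sep="\n")
```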

Comment 2 Daniel Walsh 2007-08-22 14:11:14 UTC
Closing as fixes are in the current release