Bug 245274
| Summary: | selinux prevents xen hotplug in Fedora 7. |
|---|---|
| Product: | [Fedora] Fedora |
| Reporter: | Adam Greenberg <moose> |
| Component: | selinux-policy |
| Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high |
| Priority: | low |
| Version: | 7 |
| CC: | djuran, phaleintx, rhbugs |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | Current |
| Doc Type: | Bug Fix |
| Last Closed: | 2007-09-12 17:07:55 UTC |

Description
Adam Greenberg
2007-06-22 02:04:28 UTC
Created attachment 157591
setroubleshooter output.

Fixed in selinux-policy-2.6.4-21.fc7

Thanks for the quick fix. When will this package become available?

Should be available in fedora-testing right now, in stable in a couple of days.

Created attachment 158389
First new bug.

Created attachment 158390
Second new bug.

Created attachment 158391
Third new bug.

I installed the new package and tried the same action. It incurred three new errors. Please see the attachments.

Created attachment 158392
Third new bug (corrected).

I inadvertently saved the same bug attachment twice. Attachment 5 contains the third new bug. My apologies.

This attachment has nothing to do with this bug.

*** Bug 243219 has been marked as a duplicate of this bug. ***

Hm, still problems accessing xen-hotplug.log (and other errors)..
bridge-utils-1.1-2
kernel-xen-2.6.20-2925.13.fc7
selinux-policy-targeted-2.6.4-28.fc7
selinux-policy-2.6.4-28.fc7
---
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc: denied { append }
for pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc: denied { search }
for pid=3031 comm="brctl" name="/" dev=sysfs ino=1
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc: denied { search }
for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.114:8): avc: denied { search }
for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@xen tmp]# grep avc messages | audit2allow
#============= brctl_t ==============
allow brctl_t sysfs_t:dir search;
allow brctl_t xend_var_log_t:file append;

Fixed in selinux-policy-2.6.4-29.fc7

When will this become available via the normal update mechanism?

It will be in testing today.

The newly released selinux-policy-targeted-2.6.4-29.fc7 gives me this:
[root@xen ~]# dmesg | grep avc
audit(1185588788.277:4): avc: denied { getattr } for pid=2302 comm="brctl"
name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
[root@xen ~]# dmesg | grep avc | audit2allow
#============= brctl_t ==============
allow brctl_t sysfs_t:file getattr;
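
The denials quoted in this report, reduced to allow rules in the same form as the `audit2allow` output shown above. This is an added example, not part of the bug report and not audit2allow's own code; the sample is the report's log text, and the names `records` and `allow_rules` are chosen here.

```python
import re
from collections import defaultdict

# AVC records quoted in this report, wrapped as the bug tracker displays them.
SAMPLE = """\
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc: denied { append }
for pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc: denied { search }
for pid=3031 comm="brctl" name="/" dev=sysfs ino=1
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc: denied { search }
for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1185588788.277:4): avc: denied { getattr } for pid=2302 comm="brctl"
name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)"
                 r".*?tcontext=(\S+)\s+tclass=(\S+)")

def records(text):
    """Re-join wrapped lines; each audit(...) stamp starts a new record."""
    buf = []
    for line in text.splitlines():
        if "audit(" in line and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def allow_rules(text):
    """Merge denials into one allow rule per (source type, target type, class)."""
    perms = defaultdict(set)
    for rec in records(text):
        m = AVC.search(rec)
        if m:  # a context is user:role:type:level, so field 2 is the type
            src, tgt = (m.group(i).split(":")[2] for i in (2, 3))
            perms[(src, tgt, m.group(4))].update(m.group(1).split())
    def fmt(p):
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return [f"allow {s} {t}:{c} {fmt(sorted(p))};"
            for (s, t, c), p in sorted(perms.items())]

print("\n".join(allow_rules(SAMPLE)))
```

The two `search` denials on `sysfs_t` directories collapse into a single rule. Rules derived this way record what was blocked, which is why each round in this report ended in an updated selinux-policy package rather than a locally loaded module.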

Fixed in selinux-policy-2.6.4-30.fc7

Created attachment 160383
Virtual machine manager wizard errors from 2.6.4-29.fc7
These new errors occurred when I tried the virtual machine creation wizard with
the 29 version of the policy.

Created attachment 160385
Error after chcon and restorecon
After following the suggested chcon and restorecon instructions from the
previous errors, I get the error indicated in this attachment. I see no way
beyond this.

Good news and bad news .. No more SELinux errors with -30, but creating the guest still doesn't work, it stops at "Write protecting the kernel read-only data" :-/ But it's apparently not a SELinux issue, so I'll focus on other possibilities to fix the problem. Thanks for fixing these, though.

Moving modified bugs to closed