Bug 246152

Summary: Xen guest OS fails to boot on Selinux policy hang.
Product: [Fedora] Fedora
Reporter: Mark Haney <mark.haney>
Component: xen
Assignee: Xen Maintainance List <xen-maint>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 7
CC: triage, xen-maint
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-06-17 01:44:03 UTC
Attachments: Xend log

Description Mark Haney 2007-06-28 20:29:22 UTC
Description of problem: Xen guest fails to start because of a selinux policy hang


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-21.fc7
kernel-xen-2.6.20-2925.11.fc7
xen-3.1.0-2.fc7
xen-libs-3.1.0-2.fc7


How reproducible: Every time.


Steps to Reproduce:
1. install guest F7 OS (in /var/lib/xen/images/)
2. reboot
3. selinux hangs boot process on: 

policy loaded auid=4294967295
SeLinux initialized (dev usbfs, type usbfs) uses genfs_contexts
  
Actual results:
See above.

Expected results:
Should boot into guest os.

Additional info:

Comment 1 Mark Haney 2007-06-28 20:29:23 UTC
Created attachment 158160
Xend log

Comment 2 Daniel Walsh 2007-07-02 00:32:24 UTC
If you boot the xen guest in permissive mode does it continue?  If you set the
host machine to permissive mode does the xen guest boot?  Are you seeing any
avc messages in /var/log/audit/audit.log?

Comment 3 Mark Haney 2007-07-02 13:39:35 UTC
I do not have anything in audit.log, in fact that file doesn't exist on my
system.  As for booting in permissive mode, I did shut off selinux from the grub
boot command line with 'selinux=0'.  When I do that it gets a little farther in
the boot process and hangs at this point:

Linux version 2.6.20-2925.9.fc7xen
(kojibuilder.phx.redhat.com) (gcc version 4.1.2 20070502 (Red
Hat 4.1.2-12)) #1 SMP Tue May 22 08:53:03 EDT 2007
BIOS-provided physical RAM map:
sanitize start
sanitize bail 0
copy_e820_map() start: 0000000000000000 size: 0000000020800000 end:
0000000020800000 type: 1
 Xen: 0000000000000000 - 0000000020800000 (usable)
0MB HIGHMEM available.
520MB LOWMEM available.
Using x86 segment limits to approximate NX protection
Entering add_active_range(0, 0, 133120) 0 entries of 256 used
Zone PFN ranges:
  DMA             0 ->   133120
  Normal     133120 ->   133120
  HighMem    133120 ->   133120
early_node_map[1] active PFN ranges
    0:        0 ->   133120
On node 0 totalpages: 133120
  DMA zone: 1040 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 132080 pages, LIFO batch:31
  Normal zone: 0 pages used for memmap
  HighMem zone: 0 pages used for memmap
ACPI in unprivileged domain disabled
Built 1 zonelists.  Total pages: 132080
Kernel command line: ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
CPU 0 irqstacks, hard=c135f000 soft=c133f000
PID hash table entries: 4096 (order: 12, 16384 bytes)
Xen reported: 3050.106 MHz processor.
Console: colour dummy device 80x25
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES:    8
... MAX_LOCK_DEPTH:          30
... MAX_LOCKDEP_KEYS:        2048
... CLASSHASH_SIZE:           1024
... MAX_LOCKDEP_ENTRIES:     8192
... MAX_LOCKDEP_CHAINS:      16384
... CHAINHASH_SIZE:          8192
 memory used by lock dependency info: 1064 kB
 per task-struct memory footprint: 1200 bytes
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Software IO TLB disabled
vmalloc area: e1000000-f4ffe000, maxmem 2d7fe000
Memory: 503040k/532480k available (2030k kernel code, 21032k reserved, 1079k
data, 180k init, 0k highmem)
virtual kernel memory layout:
    fixmap  : 0xf5315000 - 0xf57fe000   (5028 kB)
    pkmap   : 0xf5000000 - 0xf5200000   (2048 kB)
    vmalloc : 0xe1000000 - 0xf4ffe000   ( 319 MB)
    lowmem  : 0xc0000000 - 0xe0800000   ( 520 MB)
      .init : 0xc130e000 - 0xc133b000   ( 180 kB)
      .data : 0xc11fb8b9 - 0xc1309714   (1079 kB)
      .text : 0xc1000000 - 0xc11fb8b9   (2030 kB)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 7629.67 BogoMIPS (lpj=15259342)
Security Framework v1.0.0 initialized
SELinux:  Disabled at boot.
Capability LSM initialized
Mount-cache hash table entries: 512
CPU: After generic identify, caps: bfebc3f1 00000000 00000000 00000000 00004400
00000000 00000000
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 512K
CPU: After all inits, caps: bfebc3f1 00000000 00000000 00003080 00004400
00000000 00000000
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 11k freed
Brought up 1 CPUs
sizeof(vma)=88 bytes
sizeof(page)=32 bytes
sizeof(inode)=564 bytes
sizeof(dentry)=156 bytes
sizeof(ext3inode)=800 bytes
sizeof(buffer_head)=56 bytes
sizeof(skbuff)=176 bytes
sizeof(task_struct)=2704 bytes
Grant table initialized
NET: Registered protocol family 16
Brought up 1 CPUs
PCI: Fatal: No config space access function found
PCI: setting up Xen PCI frontend stub
Setting up standard PCI resources
ACPI: Interpreter disabled.
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI: disabled
xen_mem: Initialising balloon driver.
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
PCI: System does not support PCI
PCI: System does not support PCI
NetLabel: Initializing
NetLabel:  domain hash size = 128
NetLabel:  protocols = UNLABELED CIPSOv4
NetLabel:  unlabeled traffic allowed by default
NET: Registered protocol family 2
IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
TCP established hash table entries: 131072 (order: 10, 4194304 bytes)
TCP bind hash table entries: 65536 (order: 9, 2097152 bytes)
TCP: Hash tables configured (established 131072 bind 65536)
TCP reno registered
checking if image is initramfs... it is
Freeing initrd memory: 8340k freed
IA-32 Microcode Update Driver: v1.14-xen <tigran>
audit: initializing netlink socket (disabled)
audit(1183383404.732:1): initialized
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
rtc: IRQ 8 is not free.
Non-volatile memory driver v1.2
Linux agpgart interface v0.101 (c) Dave Jones
RAMDISK driver initialized: 16 RAM disks of 16384K size 4096 blocksize
input: Macintosh mouse button emulation as /class/input/input0
Xen virtual console successfully installed as xvc0
Event-channel device installed.
Console: switching to colour frame buffer device 100x37
input: Xen Virtual Keyboard/Mouse as /class/input/input1
usbcore: registered new interface driver libusual
usbcore: registered new interface driver hiddev
usbcore: registered new interface driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
PNP: No PS/2 controller found. Probing ports directly.
i8042.c: No controller found.
mice: PS/2 mouse device common for all mice
TCP bic registered
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI No-Shortcut mode
XENBUS: Device with no driver: device/vbd/51712
XENBUS: Device with no driver: device/vif/0
Freeing unused kernel memory: 180k freed
Write protecting the kernel read-only data: 762k
4gb seg fixup, process init (pid 1), cs:ip 73:00401b0d
4gb seg fixup, process init (pid 1), cs:ip 73:00141e67
4gb seg fixup, process init (pid 1), cs:ip 73:003f8710
4gb seg fixup, process init (pid 1), cs:ip 73:0046f659
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfdc
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfea
4gb seg fixup, process init (pid 1), cs:ip 73:00452d82
4gb seg fixup, process init (pid 1), cs:ip 73:003f4ff1
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfdc
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfea
USB Universal Host Controller Interface driver v3.0
ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
Registering block device major 202
 xvda: xvda1 xvda2
device-mapper: ioctl: 4.11.0-ioctl (2006-10-12) initialised: dm-devel
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
BUG: at kernel/lockdep.c:1858 trace_hardirqs_on()
 [<c1005d9e>] show_trace_log_lvl+0x1a/0x2f
 [<c1006347>] show_trace+0x12/0x14
 [<c10063c2>] dump_stack+0x16/0x18
 [<c1037435>] trace_hardirqs_on+0xc4/0x143
 [<c10055d4>] restore_all+0x3b/0x3e
 =======================

Most of the time, it hangs at "EXT3-fs: mounted filesystem with ordered data mode."


Comment 4 Daniel Walsh 2007-07-02 17:49:24 UTC
Ok so this looks like a Xen/Kernel problem.  Not necessarily an SELinux problem.

Comment 5 Mark Haney 2007-07-09 15:24:31 UTC
Well the latest selinux updates seem to have cleared some of the problems up. 
Before I was not able to get vncviewer to work on my laptop from an ssh session,
now I can get the graphical installer remotely, the install completed and it
rebooted in FirstBoot, then on the reboot after that, it dies again.  Initially
I had disabled selinux altogether in the guest and it hung. So I remounted the
partition from the host and set it to permissive and it fails in almost the same
spot:

SELinux: initialized (dev xvda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1183994156.446:2): policy loaded auid=4294967295
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1183994158.606:3): avc:  denied  { read } for  pid=251 comm="restorecon"
name="config" dev=xvda3 ino=66981 scontext=system_u:system_r:restorecon_t:s0
tcontext=system_u:object_r:file_t:s0 tclass=file


Any ideas?
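
An added example, not part of the original thread: a small Python triage helper that parses AVC records like the one quoted in Comment 5 and flags denials whose target type is file_t or unlabeled_t, the types SELinux policy gives to files that have no label on disk. The function names and the sample (the comment's log lines with the wrapped record rejoined) are constructed for illustration.

```python
import re

# Constructed sample: the console lines from Comment 5, with the wrapped AVC
# record joined back onto a single line.
SAMPLE = """\
audit(1183994156.446:2): policy loaded auid=4294967295
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1183994158.606:3): avc:  denied  { read } for  pid=251 comm="restorecon" name="config" dev=xvda3 ino=66981 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
"""

# Matches both console output and audit.log ("type=AVC msg=audit(...): avc: ...")
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that mean "no usable label on disk", not a deliberate policy
# decision about a labelled object.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec.update(timestamp=float(m.group("ts")), serial=int(m.group("serial")),
               result=m.group("result"), perms=m.group("perms").split())
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)  # user:role:type[:level]
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(text):
    """Summarise denials and mark those that hit an unlabeled target."""
    findings = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        findings.append({k: rec.get(k) for k in
                         ("comm", "name", "dev", "perms", "stype", "ttype")})
        findings[-1]["unlabeled_target"] = rec["ttype"] in UNLABELED_TYPES
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the record in Comment 5 this reports restorecon_t being denied read on a file named "config" on xvda3 whose type is file_t, so the target is flagged as unlabeled.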


Comment 6 Bug Zapper 2008-05-14 13:19:03 UTC
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Bug Zapper 2008-06-17 01:44:02 UTC
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.