Bug 246152
Summary: | Xen guest OS fails to boot on Selinux policy hang.
---|---
Product: | [Fedora] Fedora
Component: | xen
Version: | 7
Hardware: | i686
OS: | Linux
Status: | CLOSED WONTFIX
Severity: | medium
Priority: | low
Reporter: | Mark Haney <mark.haney>
Assignee: | Xen Maintainance List <xen-maint>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | triage, xen-maint
Doc Type: | Bug Fix
Last Closed: | 2008-06-17 01:44:03 UTC
Description
Mark Haney
2007-06-28 20:29:22 UTC
Created attachment 158160
Xend log
If you boot the xen guest in permissive mode does it continue? If you set the host machine to permissive mode does the xen guest boot? Are you seeing any avc messages in /var/log/audit/audit.log?

I do not have anything in audit.log, in fact that file doesn't exist on my system. As for booting in permissive mode, I did shut off selinux from the grub boot command line with 'selinux=0'. When I do that it gets a little farther in the boot process and hangs at this point:

Linux version 2.6.20-2925.9.fc7xen (kojibuilder.phx.redhat.com) (gcc version 4.1.2 20070502 (Red Hat 4.1.2-12)) #1 SMP Tue May 22 08:53:03 EDT 2007
BIOS-provided physical RAM map:
sanitize start
sanitize bail 0
copy_e820_map() start: 0000000000000000 size: 0000000020800000 end: 0000000020800000 type: 1
Xen: 0000000000000000 - 0000000020800000 (usable)
0MB HIGHMEM available.
520MB LOWMEM available.
Using x86 segment limits to approximate NX protection
Entering add_active_range(0, 0, 133120) 0 entries of 256 used
Zone PFN ranges:
DMA 0 -> 133120
Normal 133120 -> 133120
HighMem 133120 -> 133120
early_node_map[1] active PFN ranges
0: 0 -> 133120
On node 0 totalpages: 133120
DMA zone: 1040 pages used for memmap
DMA zone: 0 pages reserved
DMA zone: 132080 pages, LIFO batch:31
Normal zone: 0 pages used for memmap
HighMem zone: 0 pages used for memmap
ACPI in unprivileged domain disabled
Built 1 zonelists. Total pages: 132080
Kernel command line: ro root=/dev/VolGroup00/LogVol00 rhgb quiet selinux=0
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
CPU 0 irqstacks, hard=c135f000 soft=c133f000
PID hash table entries: 4096 (order: 12, 16384 bytes)
Xen reported: 3050.106 MHz processor.
Console: colour dummy device 80x25
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES: 8
... MAX_LOCK_DEPTH: 30
... MAX_LOCKDEP_KEYS: 2048
... CLASSHASH_SIZE: 1024
... MAX_LOCKDEP_ENTRIES: 8192
... MAX_LOCKDEP_CHAINS: 16384
... CHAINHASH_SIZE: 8192
memory used by lock dependency info: 1064 kB
per task-struct memory footprint: 1200 bytes
Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
Software IO TLB disabled
vmalloc area: e1000000-f4ffe000, maxmem 2d7fe000
Memory: 503040k/532480k available (2030k kernel code, 21032k reserved, 1079k data, 180k init, 0k highmem)
virtual kernel memory layout:
fixmap : 0xf5315000 - 0xf57fe000 (5028 kB)
pkmap : 0xf5000000 - 0xf5200000 (2048 kB)
vmalloc : 0xe1000000 - 0xf4ffe000 ( 319 MB)
lowmem : 0xc0000000 - 0xe0800000 ( 520 MB)
.init : 0xc130e000 - 0xc133b000 ( 180 kB)
.data : 0xc11fb8b9 - 0xc1309714 (1079 kB)
.text : 0xc1000000 - 0xc11fb8b9 (2030 kB)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Calibrating delay using timer specific routine.. 7629.67 BogoMIPS (lpj=15259342)
Security Framework v1.0.0 initialized
SELinux: Disabled at boot.
Capability LSM initialized
Mount-cache hash table entries: 512
CPU: After generic identify, caps: bfebc3f1 00000000 00000000 00000000 00004400 00000000 00000000
CPU: Trace cache: 12K uops, L1 D cache: 8K
CPU: L2 cache: 512K
CPU: After all inits, caps: bfebc3f1 00000000 00000000 00003080 00004400 00000000 00000000
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 11k freed
Brought up 1 CPUs
sizeof(vma)=88 bytes
sizeof(page)=32 bytes
sizeof(inode)=564 bytes
sizeof(dentry)=156 bytes
sizeof(ext3inode)=800 bytes
sizeof(buffer_head)=56 bytes
sizeof(skbuff)=176 bytes
sizeof(task_struct)=2704 bytes
Grant table initialized
NET: Registered protocol family 16
Brought up 1 CPUs
PCI: Fatal: No config space access function found
PCI: setting up Xen PCI frontend stub
Setting up standard PCI resources
ACPI: Interpreter disabled.
Linux Plug and Play Support v0.97 (c) Adam Belay
pnp: PnP ACPI: disabled
xen_mem: Initialising balloon driver.
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
PCI: System does not support PCI
PCI: System does not support PCI
NetLabel: Initializing
NetLabel: domain hash size = 128
NetLabel: protocols = UNLABELED CIPSOv4
NetLabel: unlabeled traffic allowed by default
NET: Registered protocol family 2
IP route cache hash table entries: 32768 (order: 5, 131072 bytes)
TCP established hash table entries: 131072 (order: 10, 4194304 bytes)
TCP bind hash table entries: 65536 (order: 9, 2097152 bytes)
TCP: Hash tables configured (established 131072 bind 65536)
TCP reno registered
checking if image is initramfs... it is
Freeing initrd memory: 8340k freed
IA-32 Microcode Update Driver: v1.14-xen <tigran>
audit: initializing netlink socket (disabled)
audit(1183383404.732:1): initialized
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
pci_hotplug: PCI Hot Plug PCI Core version: 0.5
rtc: IRQ 8 is not free.
Non-volatile memory driver v1.2
Linux agpgart interface v0.101 (c) Dave Jones
RAMDISK driver initialized: 16 RAM disks of 16384K size 4096 blocksize
input: Macintosh mouse button emulation as /class/input/input0
Xen virtual console successfully installed as xvc0
Event-channel device installed.
Console: switching to colour frame buffer device 100x37
input: Xen Virtual Keyboard/Mouse as /class/input/input1
usbcore: registered new interface driver libusual
usbcore: registered new interface driver hiddev
usbcore: registered new interface driver usbhid
drivers/usb/input/hid-core.c: v2.6:USB HID core driver
PNP: No PS/2 controller found. Probing ports directly.
i8042.c: No controller found.
mice: PS/2 mouse device common for all mice
TCP bic registered
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI No-Shortcut mode
XENBUS: Device with no driver: device/vbd/51712
XENBUS: Device with no driver: device/vif/0
Freeing unused kernel memory: 180k freed
Write protecting the kernel read-only data: 762k
4gb seg fixup, process init (pid 1), cs:ip 73:00401b0d
4gb seg fixup, process init (pid 1), cs:ip 73:00141e67
4gb seg fixup, process init (pid 1), cs:ip 73:003f8710
4gb seg fixup, process init (pid 1), cs:ip 73:0046f659
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfdc
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfea
4gb seg fixup, process init (pid 1), cs:ip 73:00452d82
4gb seg fixup, process init (pid 1), cs:ip 73:003f4ff1
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfdc
4gb seg fixup, process init (pid 1), cs:ip 73:003fbfea
USB Universal Host Controller Interface driver v3.0
ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
Registering block device major 202
xvda: xvda1 xvda2
device-mapper: ioctl: 4.11.0-ioctl (2006-10-12) initialised: dm-devel
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
BUG: at kernel/lockdep.c:1858 trace_hardirqs_on()
[<c1005d9e>] show_trace_log_lvl+0x1a/0x2f
[<c1006347>] show_trace+0x12/0x14
[<c10063c2>] dump_stack+0x16/0x18
[<c1037435>] trace_hardirqs_on+0xc4/0x143
[<c10055d4>] restore_all+0x3b/0x3e
=======================

Most of the time, it hangs at /EXT3-fs mounted filesystem with ordered data mode.

Ok so this looks like a Xen/Kernel problem. Not necessarily an SELinux problem.

Well the latest selinux updates seem to have cleared some of the problems up. Before I was not able to get vncviewer to work on my laptop from an ssh session, now I can get the graphical installer remotely, the install completed and it rebooted in FirstBoot, then on the reboot after that, it dies again.
Initially I had disabled selinux altogether in the guest and it hung. So I remounted the partition from the host and set it to permissive and it fails in almost the same spot:

SELinux: initialized (dev xvda3, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev cpuset, type cpuset), uses genfs_contexts
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
audit(1183994156.446:2): policy loaded auid=4294967295
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1183994158.606:3): avc: denied { read } for pid=251 comm="restorecon" name="config" dev=xvda3 ino=66981 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

Any ideas?

This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
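Added example (not part of the original bug report or of any Fedora tool): a small parser for AVC records in the kernel-log format quoted in this thread, run over the restorecon denial from the guest console. The function names and the UNLABELED_TYPES set are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the guest console output in the report above.
SAMPLE = ('audit(1183994158.606:3): avc: denied { read } for pid=251 '
          'comm="restorecon" name="config" dev=xvda3 ino=66981 '
          'scontext=system_u:system_r:restorecon_t:s0 '
          'tcontext=system_u:object_r:file_t:s0 tclass=file')

AVC_RE = re.compile(
    r'audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: these types mark objects without a usable label.
# file_t was the type for files carrying no SELinux xattr in policy of this era.
UNLABELED_TYPES = {'file_t', 'unlabeled_t'}


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain colons."""
    user, role, type_, *level = ctx.split(':')
    return {'user': user, 'role': role, 'type': type_, 'level': ':'.join(level)}


def parse_avc(line):
    """Return a dict for an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    if 'scontext' not in kv or 'tcontext' not in kv:
        return None  # truncated record
    target = split_context(kv['tcontext'])
    when = datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc)
    return {
        'time': when.isoformat(),
        'serial': int(m['serial']),
        'result': m['result'],
        'perms': m['perms'].split(),
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        'tclass': kv.get('tclass'),
        'source': split_context(kv['scontext']),
        'target': target,
        'target_unlabeled': target['type'] in UNLABELED_TYPES,
    }
```

For the record quoted above, target_unlabeled comes back true because the target context carries type file_t; a filesystem relabel is the usual follow-up check for such denials.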