Bug 464158

Summary: AVC's while attempting /sbin/service xenner start
Product: [Fedora] Fedora Reporter: James Laska <jlaska>
Component: xenner Assignee: Gerd Hoffmann <kraxel>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide CC: berrange, dwalsh, jturner, kraxel
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2008-09-29 09:45:41 UTC Type: ---
Bug Blocks: 438944    

Description James Laska 2008-09-26 14:41:46 UTC
Description of problem:

xenner fails to start due to AVC denials.

Version-Release number of selected component (if applicable):
libselinux-2.0.71-4.fc10.x86_64
libvirt-0.4.5-2.fc10.x86_64
selinux-policy-3.5.7-1.fc10.noarch
selinux-policy-targeted-3.5.7-1.fc10.noarch
xenner-0.44-1.fc10.x86_64

  
Actual results:

# /etc/init.d/xenner start
Starting xenner daemons
  mount -t tmpfs vmcore /var/run/xenner                    [  OK  ]
  evtchnd                                                  [  OK  ]
  xenstored                                                [  OK  ]
connect(unix): Permission denied
socket(tcp): Permission denied
FATAL: Failed to open evtchn device: Permission denied
  chmod 666 /var/run/xenstored/socket*                     [  OK  ]
  xenconsoled                                              [  OK  ]
  blkbackdcan't connect to xenstored
                                                           [FAILED]
  netbackdcan't connect to xenstored
                                                           [FAILED]


Expected results:

No AVC denials.

Additional info:

# cat /var/log/audit/audit.log | audit2allow 

#============= dhcpc_t ==============
allow dhcpc_t initrc_exec_t:file getattr;

#============= qemu_t ==============
allow qemu_t fixed_disk_device_t:blk_file { read getattr };

#============= system_dbusd_t ==============
allow system_dbusd_t hi_reserved_port_t:tcp_socket name_bind;
allow system_dbusd_t portmap_port_t:tcp_socket name_connect;

#============= xenstored_t ==============
allow xenstored_t self:tcp_socket create;
allow xenstored_t var_run_t:sock_file write;


 * Note, the setroubleshoot message suggests:

Allowing Access:
You can attempt to fix file context by executing restorecon -v 'evtchnd' 

Is that supposed to be showing an absolute path (/var/run/evtchnd)?

# restorecon -vR /var/run
restorecon reset /var/run/xenner context unconfined_u:object_r:tmpfs_t:s0->system_u:object_r:xend_var_run_t:s0

The problem remains.

Comment 1 Gerd Hoffmann 2008-09-29 09:45:41 UTC

*** This bug has been marked as a duplicate of bug 450723 ***