Bug 839287

Summary: SELinux prevents xend (w/o libvirt) from starting virtual machines
Product: [Fedora] Fedora Reporter: Major Hayden 🤠 <mhayden>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-01 18:22:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
Output from sealert none

Description Major Hayden 🤠 2012-07-11 13:13:01 UTC
Created attachment 597572 [details]
Output from sealert

Description of problem:
SELinux prevents xend on Fedora 17 from starting virtual machines if the user isn't using libvirt to manage the virtual machines.

Version-Release number of selected component (if applicable):

How reproducible:
Ensure that SELinux is in enforcing mode and attempt to start a virtual machine using "xm create <vm_name>".

Steps to Reproduce:
1. setenforce 1
2. xm create <vm_name>
3. virtual machine will not start -- SELinux denials are logged
Actual results:
Virtual machines will not start.

Expected results:
Virtual machines should start

Additional info:

Here is the output from /var/log/messages:

setroubleshoot: SELinux is preventing /usr/bin/python2.7 from read access on the file group. For complete SELinux messages. run sealert -l b1392df4-dda4-4b82-914c-1e20c62fc898
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from setattr access on the chr_file 1. For complete SELinux messages. run sealert -l 3e09edc3-aeb7-49f5-96e1-d8148afda48f
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from execute access on the file pt_chown. For complete SELinux messages. run sealert -l 86395f09-5f33-4f66-8d02-519b61e54139

I put the sealert messages in a gist on GitHub since they're a little lengthy (they're also attached to this bug report):


Comment 1 Daniel Walsh 2012-07-11 18:24:53 UTC
Major, adding those three ALLOW rules fixed the problem?

Comment 2 Major Hayden 🤠 2012-07-11 18:42:11 UTC
Dan, I ended up going this route:

  grep xend /var/log/audit/audit.log | audit2allow -M custom_xen
  semodule -i custom_xen.pp

After that I was able to start the VM's without a hitch.

Comment 3 Miroslav Grepl 2012-07-12 10:02:50 UTC
If you execute

$ semanage permissive -a xend_t

re-test it 

Do you get more AVC msgs?

Comment 4 Major Hayden 🤠 2012-07-12 20:45:36 UTC
With the custom_xen.pp module still installed, I see the following after starting an instance with "xm create":


Did you want me to pull out the custom_xen.pp module I made and try to start the instance?  I could probably capture all of the AVC's that way.

Comment 5 Miroslav Grepl 2012-07-13 07:03:11 UTC
Fixed in selinux-policy-3.10.0-138.fc17.noarch

Comment 6 Fedora Update System 2012-07-27 15:34:57 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.

Comment 7 Fedora Update System 2012-07-28 01:24:42 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-08-01 18:22:14 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.