Description of problem: I was testing xen-4.7.0-rc1 (I expect the final version to be in Fedora 25) and found xenstored and xenconsoled were being blocked by selinux. xen-4.7.0 uses /dev/xen/privcmd in preference to /proc/xen/privcmd which was used in linux in earlier versions. Hence /dev/xen/privcmd should presumably have type xen_device_t (and similarly for /dev/xen/xenbus and /dev/xen/xenbus_backend) to match other files in that directory. I have tested setting /dev/xen/privcmd to system_u:object_r:xen_device_t:s0 and xenstored and xenconsoled then work when selinux is enforcing mode. SELinux is preventing xenconsoled from 'ioctl' accesses on the chr_file /dev/xen/privcmd. ***** Plugin device (91.4 confidence) suggests **************************** If you want to allow xenconsoled to have ioctl access on the privcmd chr_file Then you need to change the label on /dev/xen/privcmd to a type of a similar device. Do # semanage fcontext -a -t SIMILAR_TYPE '/dev/xen/privcmd' # restorecon -v '/dev/xen/privcmd' ***** Plugin catchall (9.59 confidence) suggests ************************** If you believe that xenconsoled should be allowed ioctl access on the privcmd chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c xenconsoled --raw | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:xenconsoled_t:s0 Target Context system_u:object_r:device_t:s0 Target Objects /dev/xen/privcmd [ chr_file ] Source xenconsoled Source Path xenconsoled Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-184.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.5.3-300.fc24.x86_64 #1 SMP Thu May 5 01:56:27 UTC 2016 x86_64 x86_64 Alert Count 4 First Seen 2016-05-07 22:49:38 BST Last Seen 2016-05-08 17:56:27 BST Local ID eb5e2aa9-63d5-4b50-8e5c-e80875581e1c Raw Audit Messages type=AVC msg=audit(1462726587.243:442): avc: denied { ioctl } for pid=973 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=14800 ioctlcmd=5000 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1 Hash: xenconsoled,xenconsoled_t,device_t,chr_file,ioctl Version-Release number of selected component: selinux-policy-3.13.1-184.fc24.noarch Additional info: reporter: libreport-2.7.0 hashmarkername: setroubleshoot kernel: 4.5.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-43d1395a18
selinux-policy-3.13.1-188.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3ccd9afa2f
selinux-policy-3.13.1-189.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
It was added in .192 not 189.