Bug 1341317 - SELinux causes Xen startup failures; Xen utilities to hang when writing to xenbus
Summary: SELinux causes Xen startup failures; Xen utilities to hang when writing to xenbus
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 1334511
Depends On: 1322625
Blocks:
Reported: 2016-05-31 19:41 UTC by W. Michael Petullo
Modified: 2017-06-12 13:44 UTC (History)

Fixed In Version: selinux-policy-3.13.1-257.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-12 13:44:43 UTC
Type: Bug
Embargoed:



Description W. Michael Petullo 2016-05-31 19:41:02 UTC
Description of problem:
A number of xen utilities, including "xl list" and xentop, hang on Fedora 24 with Xen 4.6.1.

Version-Release number of selected component (if applicable):
xen-4.6.1-10.fc24.x86_64
xen-runtime-4.6.1-10.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Boot Fedora 24 as Xen Dom0
2. Run "xl list" or xentop

Actual results:
Both commands hang before providing any useful output.

Additional info:
Running "xl list" in strace provides the following. This seems to indicate that the hang occurs when the utility writes to /dev/xen/xenbus.

access("/dev/xen/xenbus", F_OK)         = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10, 62), ...}) = 0
open("/dev/xen/xenbus", O_RDWR)         = 6
open("/etc/xen/xl.conf", O_RDONLY)      = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
read(7, "vif.default.script = \"vif-ethos\""..., 4096) = 33
close(7)                                = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 262150
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d788000
madvise(0x7fef0d788000, 4096, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 4096
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
mmap(NULL, 102400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d76f000
madvise(0x7fef0d76f000, 102400, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc61c70) = 0
madvise(0x7fef0d76f000, 102400, MADV_DOFORK) = 0
munmap(0x7fef0d76f000, 102400)          = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d786000
madvise(0x7fef0d786000, 8192, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc60c70) = 0
madvise(0x7fef0d786000, 8192, MADV_DOFORK) = 0
munmap(0x7fef0d786000, 8192)            = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
write(1, "Name                            "..., 73Name                                        ID   Mem VCPUs	State	Time(s)
) = 73
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fef0ca7cc10}, {SIG_DFL, [], 0}, 8) = 0
write(6, "\2\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0", 16) = 16
write(6, "/local/domain/0/name\0", 21

Comment 1 W. Michael Petullo 2016-05-31 22:32:25 UTC
Seems SELinux related. More to follow.

Comment 2 W. Michael Petullo 2016-06-01 13:39:48 UTC
Xen will begin to function properly with:

setenforce 0
systemctl restart systemd-modules-load
systemctl start xenstored
systemctl restart xenconsoled
setenforce 1

When I run these commands with dontaudit off, I get:

type=MAC_STATUS msg=audit(1464788327.257:1644): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=USER_AVC msg=audit(1464788327.257:1645): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1646): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1647): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1464788332.324:1648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788332.341:1649): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1464788332.345:1650): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788342.735:1651): avc:  denied  { rlimitinh } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1652): avc:  denied  { siginh } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1653): avc:  denied  { noatsecure } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1654): avc:  denied  { rlimitinh } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1655): avc:  denied  { noatsecure } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.781:1656): avc:  denied  { net_admin } for  pid=3461 comm="xenstored" capability=12  scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=SERVICE_START msg=audit(1464788342.815:1657): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenstored comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1464788350.109:1658): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1464788350.135:1659): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788350.137:1660): avc:  denied  { rlimitinh } for  pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.137:1661): avc:  denied  { noatsecure } for  pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.139:1662): avc:  denied  { sys_resource } for  pid=3480 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1

Comment 3 Miroslav Grepl 2016-08-16 06:44:46 UTC
Michael,
I apologize. I dropped the ball on this bug.

Is there a chance you could try to add this local policy

# cat mypol.cil
(allow xenstored_t xenstored_t (capability (net_admin)))

# semodule -i mypol.cil

and re-test it?

Thank you.
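Comment 2 shows the raw AVC records collected with dontaudit disabled, and comment 3 turns one of them (the net_admin capability denial for xenstored_t) into a CIL allow rule by hand. The following added example, which is not code from the bug reporter, the Fedora policy maintainers or the selinux-policy package, does that translation programmatically: it parses AVC lines in the audit.log format quoted above, merges denials with the same source type, target type and object class, and prints the corresponding CIL `(allow ...)` statements. The sample input is a subset of the AVC lines quoted in comment 2. The choice to drop the rlimitinh/siginh/noatsecure process permissions is this example's own assumption: the targeted policy normally dontaudits those, which is why they only showed up here with dontaudit turned off.

```python
import re

# Sample input: AVC records taken from comment 2 of this bug, plus one
# non-AVC record to show that other audit types are ignored.
AUDIT_LINES = """\
type=SERVICE_STOP msg=audit(1464788332.324:1648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788332.341:1649): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1464788342.735:1651): avc:  denied  { rlimitinh } for  pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1655): avc:  denied  { noatsecure } for  pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.781:1656): avc:  denied  { net_admin } for  pid=3461 comm="xenstored" capability=12  scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1464788350.139:1662): avc:  denied  { sys_resource } for  pid=3480 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
"""

# One AVC "denied" record: the permission set in braces, then the source
# and target security contexts and the object class.  permissive=N is
# optional because older kernels did not emit it.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Process permissions that the targeted policy normally dontaudits; they
# appear in the bug only because the reporter disabled dontaudit rules.
# Skipping them is this example's assumption, not something the bug states.
DONTAUDIT_NOISE = frozenset({"rlimitinh", "siginh", "noatsecure"})


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Parse AVC denial records out of audit.log text into dicts."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START/STOP, USER_AVC, etc. are not denials
        denials.append({
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def cil_allow_rules(denials, skip_perms=DONTAUDIT_NOISE):
    """Merge denials per (source, target, class) and emit CIL allow rules."""
    merged = {}  # insertion-ordered: first occurrence decides output order
    for d in denials:
        perms = [p for p in d["perms"] if p not in skip_perms]
        if not perms:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        bucket = merged.setdefault(key, [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    return [
        "(allow %s %s (%s (%s)))" % (s, t, c, " ".join(perms))
        for (s, t, c), perms in merged.items()
    ]


if __name__ == "__main__":
    for rule in cil_allow_rules(parse_avc_denials(AUDIT_LINES)):
        print(rule)
```

Run against the sample, the output contains the exact rule from comment 3, `(allow xenstored_t xenstored_t (capability (net_admin)))`, alongside rules for the other two denials the bug records (the init_t socket access and the xenconsoled_t sys_resource capability). This is the same job `audit2allow` does for reference-policy syntax; generating CIL directly lets the result be loaded with `semodule -i` as in comment 3. As with audit2allow output, each generated rule is a statement of what the program tried to do, so it is reviewed against what the daemon legitimately needs before it is installed.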

Comment 4 W. Michael Petullo 2016-08-25 23:12:01 UTC
I am using selinux-policy-3.13.1-191.12.fc24.noarch, and now both the Xen and VirtualBox modules load on boot. It appears that this is fixed on my computer. See also bug #1322625.

Comment 5 Robin Lee 2017-04-18 07:24:21 UTC
*** Bug 1334511 has been marked as a duplicate of this bug. ***

Comment 6 Robin Lee 2017-04-18 07:26:26 UTC
Persists in Fedora 26 Alpha
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-249.fc26.noarch
selinux-policy-3.13.1-249.fc26.noarch

Comment 7 W. Michael Petullo 2017-05-01 15:16:40 UTC
I was mistaken in comment #4. I suspect that my custom policy work remained after I installed the package cited in the comment. This problem does indeed seem to remain.

