Description of problem:
A number of xen utilities, including "xl list" and xentop, hang on Fedora 24 with Xen 4.6.1.

Version-Release number of selected component (if applicable):
xen-4.6.1-10.fc24.x86_64
xen-runtime-4.6.1-10.fc24.x86_64
kernel-4.5.5-300.fc24.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Boot Fedora 24 as Xen Dom0
2. Run "xl list" or xentop

Actual results:
Both commands hang before providing any useful output.

Additional info:
Running "xl list" in strace provides the following. This seems to indicate that the hang occurs when the utility writes to /dev/xen/xenbus.

access("/dev/xen/xenbus", F_OK) = 0
stat("/dev/xen/xenbus", {st_mode=S_IFCHR|0600, st_rdev=makedev(10, 62), ...}) = 0
open("/dev/xen/xenbus", O_RDWR) = 6
open("/etc/xen/xl.conf", O_RDONLY) = 7
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
fstat(7, {st_mode=S_IFREG|0644, st_size=33, ...}) = 0
read(7, "vif.default.script = \"vif-ethos\""..., 4096) = 33
close(7) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 262150
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d788000
madvise(0x7fef0d788000, 4096, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 4096
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc79e90) = 0
mmap(NULL, 102400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d76f000
madvise(0x7fef0d76f000, 102400, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc61c70) = 0
madvise(0x7fef0d76f000, 102400, MADV_DOFORK) = 0
munmap(0x7fef0d76f000, 102400) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_LOCKED, -1, 0) = 0x7fef0d786000
madvise(0x7fef0d786000, 8192, MADV_DONTFORK) = 0
ioctl(5, _IOC(0, 0x50, 0x00, 0x30), 0x7ffdafc60c70) = 0
madvise(0x7fef0d786000, 8192, MADV_DOFORK) = 0
munmap(0x7fef0d786000, 8192) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
write(1, "Name "..., 73Name ID Mem VCPUs State Time(s) ) = 73
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7fef0ca7cc10}, {SIG_DFL, [], 0}, 8) = 0
write(6, "\2\0\0\0\0\0\0\0\0\0\0\0\25\0\0\0", 16) = 16
write(6, "/local/domain/0/name\0", 21
Seems SELinux related. More to follow.
Xen will begin to function properly with:

setenforce 0
systemctl restart systemd-modules-load
systemctl start xenstored
systemctl restart xenconsoled
setenforce 1

When I run these commands with dontaudit off, I get:

type=MAC_STATUS msg=audit(1464788327.257:1644): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
type=USER_AVC msg=audit(1464788327.257:1645): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received setenforce notice (enforcing=0) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1646): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1464788332.323:1647): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1464788332.324:1648): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788332.341:1649): avc: denied { read write } for pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=SERVICE_START msg=audit(1464788332.345:1650): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788342.735:1651): avc: denied { rlimitinh } for pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1652): avc: denied { siginh } for pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.735:1653): avc: denied { noatsecure } for pid=3449 comm="grep" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1654): avc: denied { rlimitinh } for pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1655): avc: denied { noatsecure } for pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.781:1656): avc: denied { net_admin } for pid=3461 comm="xenstored" capability=12 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=SERVICE_START msg=audit(1464788342.815:1657): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenstored comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1464788350.109:1658): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1464788350.135:1659): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenconsoled comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788350.137:1660): avc: denied { rlimitinh } for pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.137:1661): avc: denied { noatsecure } for pid=3480 comm="xenconsoled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788350.139:1662): avc: denied { sys_resource } for pid=3480 comm="xenconsoled" capability=24 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
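
Added example (not part of the original bug report, and not Fedora's or the SELinux project's tooling): a small triage of the AVC records in the comment above that sets aside the process-inheritance permissions and prints the remaining denials in CIL form for review. Treating rlimitinh, siginh and noatsecure as noise is an assumption of this example; SAMPLE is a subset of the records above.

```python
import re
from collections import defaultdict

# Subset of the audit records quoted above: five AVC lines and one SERVICE_START.
SAMPLE = """\
type=AVC msg=audit(1464788332.341:1649): avc: denied { read write } for pid=1 comm="systemd" path="socket:[54377]" dev="sockfs" ino=54377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1464788342.751:1654): avc: denied { rlimitinh } for pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.751:1655): avc: denied { noatsecure } for pid=3461 comm="xenstored" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464788342.781:1656): avc: denied { net_admin } for pid=3461 comm="xenstored" capability=12 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=capability permissive=1
type=SERVICE_START msg=audit(1464788342.815:1657): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenstored comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1464788350.139:1662): avc: denied { sys_resource } for pid=3480 comm="xenconsoled" capability=24 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
"""

# Assumption of this example: these process-class permissions only concern
# state inherited across a domain transition and are set aside as noise.
INHERIT_NOISE = {"rlimitinh", "siginh", "noatsecure"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def triage(log_text):
    """Group denied permissions by (source type, target type, class)."""
    review, noise = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # skips USER_AVC, SERVICE_*, MAC_STATUS records
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
        for perm in m["perms"].split():
            is_noise = m["cls"] == "process" and perm in INHERIT_NOISE
            (noise if is_noise else review)[key].add(perm)
    return dict(review), dict(noise)

def to_cil(groups):
    """Render groups as CIL allow statements: candidates to review, not to load blindly."""
    return [f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
            for (s, t, c), p in sorted(groups.items())]

if __name__ == "__main__":
    review, noise = triage(SAMPLE)
    print("\n".join(to_cil(review)))
    print("set aside:", sorted(noise))
```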
Michael, I apologize. I dropped the ball on this bug. Is there a chance you could try to add this local policy

# cat mypol.cil
(allow xenstored_t xenstored_t (capability (net_admin)))

# semodule -i mypol.cil

and re-test it? Thank you.
I am using selinux-policy-3.13.1-191.12.fc24.noarch, and now both the Xen and VirtualBox modules load on boot. It appears that this is fixed on my computer. See also bug #1322625.
*** Bug 1334511 has been marked as a duplicate of this bug. ***
Persists in Fedora 26 Alpha

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-249.fc26.noarch
selinux-policy-3.13.1-249.fc26.noarch
I was mistaken in comment #4. I suspect that my custom policy work remained after I installed the package cited in the comment. This problem does indeed seem to remain.