Bug 1679293 - [selinux-policy-targeted] xenconsoled.service: Failed with result 'exit-code'
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: noarch
OS: Linux
medium
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-02-20 20:13 UTC by Joachim Frieben
Modified: 2019-04-08 01:52 UTC (History)

Fixed In Version: selinux-policy-3.14.2-53.fc29
Last Closed: 2019-04-08 01:52:53 UTC
Type: Bug

Description Joachim Frieben 2019-02-20 20:13:02 UTC
Description of problem:
As of current Fedora 29, SELinux blocks service xenconsoled which can be verified by querying its status:

$ systemctl status xenconsoled
● xenconsoled.service - Xenconsoled - handles logging from guest consoles and hypervisor
   Loaded: loaded (/usr/lib/systemd/system/xenconsoled.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-20 20:39:59 CET; 54s ago
  Process: 2234 ExecStart=/usr/sbin/xenconsoled -i --log=${XENCONSOLED_TRACE} --log-dir=${XENCONSOLED_LOG_DIR} $XENCONSOLED_ARGS (code=exited, status=1/FAILURE)
  Process: 2233 ExecStartPre=/bin/mkdir -p ${XENCONSOLED_LOG_DIR} (code=exited, status=0/SUCCESS)
  Process: 2213 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code=exited, status=0/SUCCESS)
 Main PID: 2234 (code=exited, status=1/FAILURE)

Feb 20 20:39:59 noname systemd[1]: Starting Xenconsoled - handles logging from guest consoles and hypervisor...
Feb 20 20:39:59 noname systemd[1]: Started Xenconsoled - handles logging from guest consoles and hypervisor.
Feb 20 20:39:59 noname xenconsoled[2234]: xencall: error: Error on trying to open hypercall buffer device: Permission denied
Feb 20 20:39:59 noname xenconsoled[2234]: Failed to contact hypervisor (Permission denied)
Feb 20 20:39:59 noname systemd[1]: xenconsoled.service: Main process exited, code=exited, status=1/FAILURE
Feb 20 20:39:59 noname systemd[1]: xenconsoled.service: Failed with result 'exit-code'.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.2-49.fc29

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 29 w/Xen.
2. Check status of service xenconsoled.

Actual results:
Start of service xenconsoled fails.

Expected results:
Service xenconsoled starts successfully and runs as expected.

Additional info:
After setting permissive mode, service xenconsoled starts successfully and runs as expected.

Comment 1 Lukas Vrabec 2019-02-21 08:54:56 UTC
Hi, 

Could you please re-test your scenario and attach output of:

# ausearch -m AVC -ts today

Thanks,
Lukas.

Comment 2 Joachim Frieben 2019-02-21 15:57:08 UTC
----
time->Thu Feb 21 09:15:57 2019
type=AVC msg=audit(1550736957.427:290): avc:  denied  { write } for  pid=2871 comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=28 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0
----
time->Thu Feb 21 16:28:40 2019
type=AVC msg=audit(1550762920.048:115): avc:  denied  { remount } for  pid=1264 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.400:123): avc:  denied  { sys_resource } for  pid=1281 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.401:124): avc:  denied  { getattr } for  pid=1281 comm="xenconsoled" path="/run/xenstored/socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.401:125): avc:  denied  { write } for  pid=1281 comm="xenconsoled" name="socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.402:126): avc:  denied  { read write } for  pid=1281 comm="xenconsoled" name="hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.402:127): avc:  denied  { open } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.405:128): avc:  denied  { map } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:29:07 2019
type=AVC msg=audit(1550762947.944:234): avc:  denied  { remount } for  pid=1742 comm="(-localed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
----
time->Thu Feb 21 16:29:12 2019
type=AVC msg=audit(1550762952.526:239): avc:  denied  { remount } for  pid=1865 comm="(fprintd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1

Comment 3 Joachim Frieben 2019-02-21 15:59:06 UTC
Note that the log file which was produced in permissive mode also includes alerts related to service xenstored which you might want to fix, too.

Comment 4 Milos Malik 2019-03-14 17:36:28 UTC
Following SELinux denials are visible on my Fedora 29 machine when booted with Xen grub option:
----
type=PROCTITLE msg=audit(03/14/2019 18:29:09.898:87) : proctitle=(imesyncd) 
type=SYSCALL msg=audit(03/14/2019 18:29:09.898:87) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c59450 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=0 ppid=1 pid=650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(imesyncd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:09.898:87) : avc:  denied  { remount } for  pid=650 comm=(imesyncd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.269:125) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=SYSCALL msg=audit(03/14/2019 18:29:11.269:125) : arch=x86_64 syscall=prlimit64 success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x7 a2=0x7ffd8ba47740 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.269:125) : avc:  denied  { sys_resource } for  pid=774 comm=xenconsoled capability=sys_resource  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.281:127) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=SYSCALL msg=audit(03/14/2019 18:29:11.281:127) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.281:127) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.284:128) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=SYSCALL msg=audit(03/14/2019 18:29:11.284:128) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=TCGETS a2=0x7ffd8ba46f30 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.284:128) : avc:  denied  { sys_tty_config } for  pid=774 comm=xenconsoled capability=sys_tty_config  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.290:129) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=PATH msg=audit(03/14/2019 18:29:11.290:129) : item=0 name=/dev/xen/hypercall inode=19310 dev=00:06 mode=character,600 ouid=root ogid=root rdev=0a:33 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/14/2019 18:29:11.290:129) : cwd=/ 
type=SYSCALL msg=audit(03/14/2019 18:29:11.290:129) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fb072eab0ca a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.290:129) : avc:  denied  { read write } for  pid=774 comm=xenconsoled name=hypercall dev="devtmpfs" ino=19310 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.296:130) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=SYSCALL msg=audit(03/14/2019 18:29:11.296:130) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.296:130) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.299:131) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console 
type=SYSCALL msg=audit(03/14/2019 18:29:11.299:131) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x4 a1=TCGETS a2=0x7ffd8ba46f30 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:11.299:131) : avc:  denied  { sys_tty_config } for  pid=774 comm=xenconsoled capability=sys_tty_config  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.674:134) : proctitle=(networkd) 
type=PATH msg=audit(03/14/2019 18:29:12.674:134) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/14/2019 18:29:12.674:134) : cwd=/ 
type=SYSCALL msg=audit(03/14/2019 18:29:12.674:134) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x5595799da1f0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(networkd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:12.674:134) : avc:  denied  { remount } for  pid=778 comm=(networkd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.906:137) : proctitle=(resolved) 
type=PATH msg=audit(03/14/2019 18:29:12.906:137) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/14/2019 18:29:12.906:137) : cwd=/ 
type=SYSCALL msg=audit(03/14/2019 18:29:12.906:137) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c909c0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=785 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(resolved) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:12.906:137) : avc:  denied  { remount } for  pid=785 comm=(resolved) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.981:139) : proctitle=(ostnamed) 
type=PATH msg=audit(03/14/2019 18:29:12.981:139) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/14/2019 18:29:12.981:139) : cwd=/ 
type=SYSCALL msg=audit(03/14/2019 18:29:12.981:139) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c88ad0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=791 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(ostnamed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(03/14/2019 18:29:12.981:139) : avc:  denied  { remount } for  pid=791 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux-policy\* xen\* | sort
selinux-policy-3.14.2-49.fc29.noarch
selinux-policy-devel-3.14.2-49.fc29.noarch
selinux-policy-doc-3.14.2-49.fc29.noarch
selinux-policy-minimum-3.14.2-49.fc29.noarch
selinux-policy-mls-3.14.2-49.fc29.noarch
selinux-policy-sandbox-3.14.2-49.fc29.noarch
selinux-policy-targeted-3.14.2-49.fc29.noarch
xen-hypervisor-4.11.1-4.fc29.x86_64
xen-libs-4.11.1-4.fc29.x86_64
xen-licenses-4.11.1-4.fc29.x86_64
xen-runtime-4.11.1-4.fc29.x86_64
#

Comment 5 Milos Malik 2019-03-14 17:39:21 UTC
Not all Xen devices are labeled correctly:

# ls -lZ /dev/xen/
total 0
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 55 Mar 14 18:29 evtchn
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 53 Mar 14 18:29 gntalloc
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 54 Mar 14 18:29 gntdev
crw-------. 1 root root system_u:object_r:device_t:s0     10, 51 Mar 14 18:29 hypercall
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 52 Mar 14 18:29 privcmd
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 62 Mar 14 18:29 xenbus
crw-------. 1 root root system_u:object_r:device_t:s0     10, 61 Mar 14 18:29 xenbus_backend
# matchpathcon /dev/xen/hypercall 
/dev/xen/hypercall	system_u:object_r:device_t:s0
# matchpathcon /dev/xen/xenbus_backend 
/dev/xen/xenbus_backend	system_u:object_r:device_t:s0
#

Comment 6 Milos Malik 2019-03-14 19:31:29 UTC
# service xenstored status
Redirecting to /bin/systemctl status xenstored.service
● xenstored.service - The Xen xenstore
   Loaded: loaded (/usr/lib/systemd/system/xenstored.service; enabled; vendor p>
   Active: active (exited) since Thu 2019-03-14 20:27:30 CET; 3min 14s ago
  Process: 771 ExecStartPost=/usr/libexec/xen/bin/xen-init-dom0 (code=exited, s>
  Process: 740 ExecStart=/etc/xen/scripts/launch-xenstore (code=exited, status=>
  Process: 723 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code>
 Main PID: 740 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 2085)
   Memory: 1.9M
   CGroup: /system.slice/xenstored.service
           └─757 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid

Mar 14 20:27:29 localhost.localdomain systemd[1]: Starting The Xen xenstore...
Mar 14 20:27:30 localhost.localdomain xenstored[757]: Checking store ...
Mar 14 20:27:30 localhost.localdomain xenstored[757]: Checking store complete.
Mar 14 20:27:30 localhost.localdomain launch-xenstore[740]: Starting /usr/sbin/>
Mar 14 20:27:30 localhost.localdomain xen-init-dom0[771]: Done setting up Dom0
Mar 14 20:27:30 localhost.localdomain systemd[1]: Started The Xen xenstore.
# ps -efZ | grep xenstored
system_u:system_r:unconfined_service_t:s0 root 757 1  0 20:27 ?        00:00:00 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1839 1748  0 20:30 pts/0 00:00:00 grep --color=auto xenstored
# ls -dZ /run/xenstored/
system_u:object_r:var_run_t:s0 /run/xenstored/
# ls -lZ /run/xenstored/
total 0
srw-------. 1 root root system_u:object_r:var_run_t:s0 0 Mar 14 20:27 socket
srw-rw----. 1 root root system_u:object_r:var_run_t:s0 0 Mar 14 20:27 socket_ro
# restorecon -Rv /run/xenstored/
Relabeled /run/xenstored from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
Relabeled /run/xenstored/socket_ro from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
Relabeled /run/xenstored/socket from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
#

Comment 7 Lukas Vrabec 2019-03-15 09:44:07 UTC
commit 94c731acae19b1f40a746ba4943638710b18d766 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Mar 15 10:32:25 2019 +0100

    Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t
    Resolves: rhbz#1679293

commit dc92f2da061156c3e952a6b910dc49fc47c44d25 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Mar 15 10:40:28 2019 +0100

    Update xen SELinux module
    
    Resolves: rhbz#1679293
    
    - Added capabilities sys_resource and sys_tty_config for xenconsoled_t
    - Allow xenconsoled_t to create dgram sockets
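
Added example (not part of the bug report or of selinux-policy): a small triage script that groups AVC denials like those in Comments 2 and 4 and separates denials against generic fallback types, which point to a missing file-context label as found in Comments 5 and 6, from denials where the target already has a specific type. The function names and the `GENERIC_TYPES` heuristic are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# AVC records excerpted from Comments 2 and 4 above (wrapped lines rejoined).
SAMPLE = """\
type=AVC msg=audit(1550762922.400:123): avc:  denied  { sys_resource } for  pid=1281 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1550762922.401:125): avc:  denied  { write } for  pid=1281 comm="xenconsoled" name="socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1550762922.402:126): avc:  denied  { read write } for  pid=1281 comm="xenconsoled" name="hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1550762922.402:127): avc:  denied  { open } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(03/14/2019 18:29:11.281:127) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(03/14/2019 18:29:12.981:139) : avc:  denied  { remount } for  pid=791 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0
"""

# Matches both the raw and the interpreted (ausearch -i) AVC layouts shown above.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

# Assumption (heuristic): a denial whose target carries one of these generic
# types usually means the object lacks a specific file-context entry.
GENERIC_TYPES = {"device_t", "var_run_t", "default_t", "unlabeled_t"}


def sel_type(context):
    """Return the type field (third field) of user:role:type:level."""
    return context.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return rules


def triage(rules):
    """Split denials into labeling candidates and policy-rule candidates."""
    relabel, allow = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        entry = (src, tgt, cls, sorted(perms))
        (relabel if tgt in GENERIC_TYPES else allow).append(entry)
    return relabel, allow


if __name__ == "__main__":
    relabel, allow = triage(summarize(SAMPLE))
    for src, tgt, cls, perms in relabel:
        print(f"check label: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
    for src, tgt, cls, perms in allow:
        print(f"check rule:  {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```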

Comment 8 Fedora Update System 2019-04-05 17:27:46 UTC
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 9 Fedora Update System 2019-04-06 20:51:05 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 10 Fedora Update System 2019-04-08 01:52:53 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.