Description of problem:
As of current Fedora 29, SELinux blocks service xenconsoled which can be verified by querying its status:

$ systemctl status xenconsoled
● xenconsoled.service - Xenconsoled - handles logging from guest consoles and hypervisor
   Loaded: loaded (/usr/lib/systemd/system/xenconsoled.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-20 20:39:59 CET; 54s ago
  Process: 2234 ExecStart=/usr/sbin/xenconsoled -i --log=${XENCONSOLED_TRACE} --log-dir=${XENCONSOLED_LOG_DIR} $XENCONSOLED_ARGS (code=exited, status=1/FAILURE)
  Process: 2233 ExecStartPre=/bin/mkdir -p ${XENCONSOLED_LOG_DIR} (code=exited, status=0/SUCCESS)
  Process: 2213 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code=exited, status=0/SUCCESS)
 Main PID: 2234 (code=exited, status=1/FAILURE)

Feb 20 20:39:59 noname systemd[1]: Starting Xenconsoled - handles logging from guest consoles and hypervisor...
Feb 20 20:39:59 noname systemd[1]: Started Xenconsoled - handles logging from guest consoles and hypervisor.
Feb 20 20:39:59 noname xenconsoled[2234]: xencall: error: Error on trying to open hypercall buffer device: Permission denied
Feb 20 20:39:59 noname xenconsoled[2234]: Failed to contact hypervisor (Permission denied)
Feb 20 20:39:59 noname systemd[1]: xenconsoled.service: Main process exited, code=exited, status=1/FAILURE
Feb 20 20:39:59 noname systemd[1]: xenconsoled.service: Failed with result 'exit-code'.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.2-49.fc29

How reproducible:
Always

Steps to Reproduce:
1. Boot Fedora 29 w/Xen.
2. Check status of service xenconsoled.

Actual results:
Start of service xenconsoled fails.

Expected results:
Service xenconsoled starts successfully and runs as expected.

Additional info:
After setting permissive mode, service xenconsoled starts successfully and runs as expected.
Hi,

Could you please re-test your scenario and attach output of:

# ausearch -m AVC -ts today

Thanks,
Lukas.
----
time->Thu Feb 21 09:15:57 2019
type=AVC msg=audit(1550736957.427:290): avc:  denied  { write } for  pid=2871 comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=28 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0
----
time->Thu Feb 21 16:28:40 2019
type=AVC msg=audit(1550762920.048:115): avc:  denied  { remount } for  pid=1264 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.400:123): avc:  denied  { sys_resource } for  pid=1281 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.401:124): avc:  denied  { getattr } for  pid=1281 comm="xenconsoled" path="/run/xenstored/socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.401:125): avc:  denied  { write } for  pid=1281 comm="xenconsoled" name="socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.402:126): avc:  denied  { read write } for  pid=1281 comm="xenconsoled" name="hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.402:127): avc:  denied  { open } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:28:42 2019
type=AVC msg=audit(1550762922.405:128): avc:  denied  { map } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
----
time->Thu Feb 21 16:29:07 2019
type=AVC msg=audit(1550762947.944:234): avc:  denied  { remount } for  pid=1742 comm="(-localed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
----
time->Thu Feb 21 16:29:12 2019
type=AVC msg=audit(1550762952.526:239): avc:  denied  { remount } for  pid=1865 comm="(fprintd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
Note that the log file which was produced in permissive mode also includes alerts related to service xenstored which you might want to fix, too.
The following SELinux denials are visible on my Fedora 29 machine when booted with the Xen grub option:

----
type=PROCTITLE msg=audit(03/14/2019 18:29:09.898:87) : proctitle=(imesyncd)
type=SYSCALL msg=audit(03/14/2019 18:29:09.898:87) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c59450 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=0 ppid=1 pid=650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(imesyncd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:09.898:87) : avc:  denied  { remount } for  pid=650 comm=(imesyncd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.269:125) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=SYSCALL msg=audit(03/14/2019 18:29:11.269:125) : arch=x86_64 syscall=prlimit64 success=no exit=EPERM(Operation not permitted) a0=0x0 a1=0x7 a2=0x7ffd8ba47740 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.269:125) : avc:  denied  { sys_resource } for  pid=774 comm=xenconsoled capability=sys_resource  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.281:127) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=SYSCALL msg=audit(03/14/2019 18:29:11.281:127) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.281:127) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.284:128) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=SYSCALL msg=audit(03/14/2019 18:29:11.284:128) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x3 a1=TCGETS a2=0x7ffd8ba46f30 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.284:128) : avc:  denied  { sys_tty_config } for  pid=774 comm=xenconsoled capability=sys_tty_config  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.290:129) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=PATH msg=audit(03/14/2019 18:29:11.290:129) : item=0 name=/dev/xen/hypercall inode=19310 dev=00:06 mode=character,600 ouid=root ogid=root rdev=0a:33 obj=system_u:object_r:device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/14/2019 18:29:11.290:129) : cwd=/
type=SYSCALL msg=audit(03/14/2019 18:29:11.290:129) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fb072eab0ca a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.290:129) : avc:  denied  { read write } for  pid=774 comm=xenconsoled name=hypercall dev="devtmpfs" ino=19310 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.296:130) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=SYSCALL msg=audit(03/14/2019 18:29:11.296:130) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=local a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.296:130) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:11.299:131) : proctitle=/usr/sbin/xenconsoled -i --log=none --log-dir=/var/log/xen/console
type=SYSCALL msg=audit(03/14/2019 18:29:11.299:131) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x4 a1=TCGETS a2=0x7ffd8ba46f30 a3=0x0 items=0 ppid=1 pid=774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xenconsoled exe=/usr/sbin/xenconsoled subj=system_u:system_r:xenconsoled_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:11.299:131) : avc:  denied  { sys_tty_config } for  pid=774 comm=xenconsoled capability=sys_tty_config  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.674:134) : proctitle=(networkd)
type=PATH msg=audit(03/14/2019 18:29:12.674:134) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/14/2019 18:29:12.674:134) : cwd=/
type=SYSCALL msg=audit(03/14/2019 18:29:12.674:134) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x5595799da1f0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=778 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(networkd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:12.674:134) : avc:  denied  { remount } for  pid=778 comm=(networkd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.906:137) : proctitle=(resolved)
type=PATH msg=audit(03/14/2019 18:29:12.906:137) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/14/2019 18:29:12.906:137) : cwd=/
type=SYSCALL msg=audit(03/14/2019 18:29:12.906:137) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c909c0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=785 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(resolved) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:12.906:137) : avc:  denied  { remount } for  pid=785 comm=(resolved) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0
----
type=PROCTITLE msg=audit(03/14/2019 18:29:12.981:139) : proctitle=(ostnamed)
type=PATH msg=audit(03/14/2019 18:29:12.981:139) : item=0 name=/run/systemd/unit-root/var/lib/xenstored inode=21815 dev=00:2c mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(03/14/2019 18:29:12.981:139) : cwd=/
type=SYSCALL msg=audit(03/14/2019 18:29:12.981:139) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x0 a1=0x559579c88ad0 a2=0x0 a3=MS_RDONLY|MS_REMOUNT|MS_BIND items=1 ppid=1 pid=791 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(ostnamed) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(03/14/2019 18:29:12.981:139) : avc:  denied  { remount } for  pid=791 comm=(ostnamed) scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=0
----

# rpm -qa selinux-policy\* xen\* | sort
selinux-policy-3.14.2-49.fc29.noarch
selinux-policy-devel-3.14.2-49.fc29.noarch
selinux-policy-doc-3.14.2-49.fc29.noarch
selinux-policy-minimum-3.14.2-49.fc29.noarch
selinux-policy-mls-3.14.2-49.fc29.noarch
selinux-policy-sandbox-3.14.2-49.fc29.noarch
selinux-policy-targeted-3.14.2-49.fc29.noarch
xen-hypervisor-4.11.1-4.fc29.x86_64
xen-libs-4.11.1-4.fc29.x86_64
xen-licenses-4.11.1-4.fc29.x86_64
xen-runtime-4.11.1-4.fc29.x86_64
#
Not all Xen devices are labeled correctly:

# ls -lZ /dev/xen/
total 0
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 55 Mar 14 18:29 evtchn
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 53 Mar 14 18:29 gntalloc
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 54 Mar 14 18:29 gntdev
crw-------. 1 root root system_u:object_r:device_t:s0     10, 51 Mar 14 18:29 hypercall
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 52 Mar 14 18:29 privcmd
crw-------. 1 root root system_u:object_r:xen_device_t:s0 10, 62 Mar 14 18:29 xenbus
crw-------. 1 root root system_u:object_r:device_t:s0     10, 61 Mar 14 18:29 xenbus_backend
# matchpathcon /dev/xen/hypercall
/dev/xen/hypercall	system_u:object_r:device_t:s0
# matchpathcon /dev/xen/xenbus_backend
/dev/xen/xenbus_backend	system_u:object_r:device_t:s0
#
# service xenstored status
Redirecting to /bin/systemctl status xenstored.service
● xenstored.service - The Xen xenstore
   Loaded: loaded (/usr/lib/systemd/system/xenstored.service; enabled; vendor p>
   Active: active (exited) since Thu 2019-03-14 20:27:30 CET; 3min 14s ago
  Process: 771 ExecStartPost=/usr/libexec/xen/bin/xen-init-dom0 (code=exited, s>
  Process: 740 ExecStart=/etc/xen/scripts/launch-xenstore (code=exited, status=>
  Process: 723 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code>
 Main PID: 740 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 2085)
   Memory: 1.9M
   CGroup: /system.slice/xenstored.service
           └─757 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid

Mar 14 20:27:29 localhost.localdomain systemd[1]: Starting The Xen xenstore...
Mar 14 20:27:30 localhost.localdomain xenstored[757]: Checking store ...
Mar 14 20:27:30 localhost.localdomain xenstored[757]: Checking store complete.
Mar 14 20:27:30 localhost.localdomain launch-xenstore[740]: Starting /usr/sbin/>
Mar 14 20:27:30 localhost.localdomain xen-init-dom0[771]: Done setting up Dom0
Mar 14 20:27:30 localhost.localdomain systemd[1]: Started The Xen xenstore.

# ps -efZ | grep xenstored
system_u:system_r:unconfined_service_t:s0 root 757 1 0 20:27 ? 00:00:00 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1839 1748 0 20:30 pts/0 00:00:00 grep --color=auto xenstored

# ls -dZ /run/xenstored/
system_u:object_r:var_run_t:s0 /run/xenstored/

# ls -lZ /run/xenstored/
total 0
srw-------. 1 root root system_u:object_r:var_run_t:s0 0 Mar 14 20:27 socket
srw-rw----. 1 root root system_u:object_r:var_run_t:s0 0 Mar 14 20:27 socket_ro

# restorecon -Rv /run/xenstored/
Relabeled /run/xenstored from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
Relabeled /run/xenstored/socket_ro from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
Relabeled /run/xenstored/socket from system_u:object_r:var_run_t:s0 to system_u:object_r:xenstored_var_run_t:s0
#
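The AVC dumps in this bug mix two different kinds of failure, and the ls -Z / matchpathcon / restorecon checks show why the distinction matters: the hypercall and xenstored-socket denials have targets labelled with the generic fallback types device_t and var_run_t, so the object is mislabelled and the right fix is a file-context entry plus restorecon, while the capability and unix_dgram_socket denials are the xenconsoled_t domain acting on itself and can only be fixed by a policy rule. Writing an allow rule against device_t or var_run_t instead would let the domain reach every unlabelled device or runtime file. The following Python script is an added example (not part of this bug report, not part of selinux-policy or of ausearch) that parses raw `ausearch -m AVC` records, groups them by (source type, target type, class) and assigns each group a "relabel" or "policy" verdict using that heuristic. The GENERIC_OBJECT_TYPES set is an assumption of the example, and the sample records are constructed, modelled on the ones posted above:

```python
"""Triage SELinux AVC denials: mislabelled object or missing policy rule?

Added example for this bug report; not part of the report, selinux-policy or
ausearch. Verdicts:
  relabel - the target carries a generic fallback type (device_t, var_run_t,
            ...): the object is mislabelled, fix the file context + restorecon
  policy  - source and target are already specific types, or the domain is
            acting on itself: the domain genuinely lacks a rule
"""
import re
from collections import defaultdict

# Generic fallback types (assumed list for this example, not an official one).
GENERIC_OBJECT_TYPES = {
    "device_t", "var_run_t", "var_lib_t", "var_t", "tmp_t", "etc_t",
    "usr_t", "default_t", "unlabeled_t",
}

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# path= / name= are quoted in raw records and bare in `ausearch -i` output.
_OBJ_RE = re.compile(r'\b(?:path|name)="?([^"\s]+)"?')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    obj = _OBJ_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
        "object": obj.group(1) if obj else None,
    }


def classify(rec):
    """Decide whether a denial points at a label bug or at a missing rule."""
    if rec["scontext"] == rec["tcontext"]:
        # Domain acting on itself (capabilities, its own sockets): nothing
        # to relabel, the domain's policy simply lacks the rule.
        return "policy"
    if context_type(rec["tcontext"]) in GENERIC_OBJECT_TYPES:
        return "relabel"
    return "policy"


def summarize(audit_text):
    """Group denials by (source type, target type, class), merging perms."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(),
                                  "verdict": None, "enforced": False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        if rec["object"]:
            g["objects"].add(rec["object"])
        g["verdict"] = classify(rec)
        # permissive=0 means the access was really blocked, not just logged
        g["enforced"] = g["enforced"] or not rec["permissive"]
    return dict(groups)


def report(audit_text):
    """Render the summary as one text line per group."""
    out = []
    for (src, tgt, cls), g in sorted(summarize(audit_text).items()):
        perms = " ".join(sorted(g["perms"]))
        objs = ", ".join(sorted(g["objects"])) or "-"
        out.append(f"[{g['verdict']:<7}] {src} -> {tgt}:{cls} "
                   f"{{ {perms} }}  objects: {objs}")
    return out


# Constructed sample records modelled on this bug's dumps (one SYSCALL line
# included to show that non-AVC records are skipped).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1550762922.402:126): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1550762922.400:123): avc:  denied  { sys_resource } for  pid=1281 comm="xenconsoled" capability=24  scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1550762922.401:124): avc:  denied  { getattr } for  pid=1281 comm="xenconsoled" path="/run/xenstored/socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1550762922.401:125): avc:  denied  { write } for  pid=1281 comm="xenconsoled" name="socket" dev="tmpfs" ino=25977 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1550762922.402:126): avc:  denied  { read write } for  pid=1281 comm="xenconsoled" name="hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1550762922.405:128): avc:  denied  { map } for  pid=1281 comm="xenconsoled" path="/dev/xen/hypercall" dev="devtmpfs" ino=18113 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552584551.281:127) : avc:  denied  { create } for  pid=774 comm=xenconsoled scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenconsoled_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1550762947.944:234): avc:  denied  { remount } for  pid=1742 comm="(-localed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:xenstored_var_lib_t:s0 tclass=filesystem permissive=1
"""

if __name__ == "__main__":
    for line in report(SAMPLE_AUDIT):
        print(line)
```

Run on the sample, the two device_t and var_run_t groups come out as "relabel" and the capability, unix_dgram_socket and filesystem groups as "policy", which is the same split the fix for this bug makes (file-context entries for the two /dev/xen nodes, allow rules for the capabilities and the dgram socket). The "enforced" flag distinguishes records logged in permissive mode from accesses that were actually blocked, since a permissive-mode dump like the one above records everything the domain touched, including accesses that would have succeeded anyway.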
commit 94c731acae19b1f40a746ba4943638710b18d766 (HEAD -> rawhide, origin/rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Mar 15 10:32:25 2019 +0100

    Label /dev/xen/hypercall and /dev/xen/xenbus_backend as xen_device_t
    Resolves: rhbz#1679293

commit dc92f2da061156c3e952a6b910dc49fc47c44d25 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Mar 15 10:40:28 2019 +0100

    Update xen SELinux module
    Resolves: rhbz#1679293
    - Added capabilities sys_resource and sys_tty_config for xenconsoled_t
    - Allow xenconsoled_t to create dgram sockets
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.