Bug 192813 - Xen hangs on boot with targeted policy enabled
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: James Antill
Duplicates: 196474
Reported: 2006-05-23 07:23 EDT by Stephen Tweedie
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: fc6
Doc Type: Bug Fix
Attachments
Log of full AVC errors reported in permissive mode (5.14 KB, text/plain)
2006-05-23 07:24 EDT, Stephen Tweedie
Description Stephen Tweedie 2006-05-23 07:23:00 EDT
Description of problem:
With the targeted policy in enforcing mode, xend refuses to start, hanging on boot.

Version-Release number of selected component (if applicable):
kernel-xen0-2.6.16-1.2203_FC6
xen-3.0.2-4
selinux-policy-targeted-2.2.42-1

How reproducible:
100%

Steps to Reproduce:
1. yum install xen kernel-xen0
2. boot into the xen0 kernel
  
Actual results:
Boot hangs trying to run the xend service, with the AVC denial

Starting xend:  audit(1148382030.290:8): avc:  denied  { node_bind } for 
pid=2523 comm="python" src=8002 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket

Expected results:

xend to start without hanging.

Additional info:

Problem persists after a full relabel.
Comment 1 Stephen Tweedie 2006-05-23 07:24:37 EDT
Created attachment 129851 [details]
Log of full AVC errors reported in permissive mode

Permissive mode allows xend to boot but reports a huge raft of other AVC
denials too.
Comment 2 James Antill 2006-07-14 12:55:19 EDT
 This should be fixed with the latest policy/xen packages.
Comment 3 James Antill 2006-07-14 12:58:41 EDT
*** Bug 196474 has been marked as a duplicate of this bug. ***
Comment 4 Jón Fairbairn 2006-07-22 06:03:41 EDT
This is present in FC5 (x86_64) with 
xen-3.0.2-3.FC5
selinux-policy-2.3.2-1.fc5
selinux-policy-targeted-2.3.2-1.fc5

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

(current mode set to permissive to permit it to work...)

Would someone care to indicate a sensible workaround short of setting permissive
mode?

Thanks.
Comment 6 Jarkko 2007-02-15 02:47:13 EST
> This should be fixed with the latest policy/xen packages.

Apparently we have a new denial. I'm running _latest_ Rawhide. "service xend
start" says:

Starting xend: audit(1171525328.065:7): avc:  denied  { getattr } for  pid=2523
comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Comment 7 Jarkko 2007-02-15 02:54:41 EST
I switched to Permissive. Now "service xend start" says:

Starting xend: audit(1171525892.781:10): avc:  denied  { read write } for 
pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655
scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc:  denied  { use } for  pid=2712 comm="xenstored"
name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.785:12): avc:  denied  { read write } for  pid=2715
comm="xenconsoled" name="tty1" dev=tmpfs ino=1655
scontext=system_u:system_r:xenconsoled_t:s0
tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.789:13): avc:  denied  { use } for  pid=2715 comm="xenconsoled"
name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenconsoled_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.821:14): avc:  denied  { getattr } for  pid=2723 comm="python"
name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
Bridge firewalling registered
audit(1171525893.729:15): dev=vif0.0 prom=256 old_prom=0 auid=4294967295
audit(1171525895.833:16): dev=peth0 prom=256 old_prom=0 auid=4294967295
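The denials quoted in the description (xend_t node_bind on inaddr_any_node_t) and in the comment above are in the kernel's AVC record format. The following added example, not code from the reporters or from the Fedora policy project, parses such records and groups them by source domain, target type and object class so the distinct policy gaps can be read off at a glance. The sample input is a constructed re-join of the wrapped log lines from this report; the non-AVC promiscuous-mode audit line is included to show that it is skipped.

```python
# Parses SELinux AVC denial records like those quoted in this bug and groups
# them by source domain, target type, object class and denied permissions.
import re
from collections import defaultdict

# Constructed sample: the denials quoted above, re-joined onto one line each.
SAMPLE_AVC = """\
audit(1148382030.290:8): avc:  denied  { node_bind } for  pid=2523 comm="python" src=8002 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=tcp_socket
audit(1171525892.781:10): avc:  denied  { read write } for  pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
audit(1171525892.781:11): avc:  denied  { use } for  pid=2712 comm="xenstored" name="tty1" dev=tmpfs ino=1655 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=fd
audit(1171525892.821:14): avc:  denied  { getattr } for  pid=2723 comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
audit(1171525893.729:15): dev=vif0.0 prom=256 old_prom=0 auid=4294967295
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC audit lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of user:role:type[:range].
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Map (source domain, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            summary[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_AVC).items()):
        print(f"{src:14} -> {tgt:20} {cls:12} {{ {' '.join(sorted(perms))} }}")
```

Each summary row corresponds to one missing allow rule; the xend_t rows are the ones this bug is about, and the xenstored_t/xenconsoled_t tty rows are the separate issue the later comments ask to be filed on its own.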
Comment 8 Jarkko 2007-02-15 03:02:03 EST
Oh, this bug was old. Sorry! I guess I should have opened a new bug for this
because this bug was about fc6 and my issue happens in Rawhide (Fedora 7).

Well, I think you saw the emails anyway, so I'm not opening a new one. :)
Comment 9 Stephen Tweedie 2007-02-19 15:43:52 EST
This bug is closed, so nobody is paying any attention to it.  Please open a new
one, it's just asking for engineers' brains to explode if you try to confuse too
many issues into one bugzilla report. :)  Seriously, it's far far easier to
track what's going on and assign bugs properly that way.  Thanks!
