Red Hat Bugzilla – Bug 195952
SELinux doesn't let xen create directories in /var/run
Last modified: 2007-11-30 17:11:35 EST
Description of problem:
xend wants to create /var/run/xend when it is first run, SELinux doesn't let
it. Dito xenstored wanting to create /var/run/xenstored.
The best fix here is to create the directories inside the init.d script, so the
daemon don't need extra permissions. I'm attaching a patch which does that.
Created attachment 131157 [details]
fixup the init.d file to create the directories that xend/senstored can't
Do we want the initscript to or should the directories be created by the
_package_ so that the contexts end up correct?
Well I wanted it to work in case someone did:
rm -rf /var/run/*
...AFAIK that's valid, no?
I call restorecon on the directories after mkdir'ing them. So they have the
If it's fine to assume that any directories under /var/run will __never be
removed__, then sure, move it to the pacakge.
The only problem with that is if anyone ever does remove them, it'll only fail
with SELinux in enforcing mode ... and won't print anything helpful (xen even
boots, it just isn't that useful because there isn't a socket in /var/run/xend
for xm for to communicate with it).
If someone does 'rm -rf /var/run*' then they're going to get a lot of SELinux
errors. Look at what other dirs are in there :)
So let's just go for adding the dirs to the package. This also has the
advantage of then not being a patch against the initscript to have to maintain
forever (since it probably wouldn't be accepted upstream)
Fixed for -9