Description of problem: xend wants to create /var/run/xend when it is first run, SELinux doesn't let it. Dito xenstored wanting to create /var/run/xenstored. How reproducible: Always Additional info: The best fix here is to create the directories inside the init.d script, so the daemon don't need extra permissions. I'm attaching a patch which does that.
Created attachment 131157 [details] fixup the init.d file to create the directories that xend/senstored can't
Do we want the initscript to or should the directories be created by the _package_ so that the contexts end up correct?
Well I wanted it to work in case someone did: rm -rf /var/run/* ...AFAIK that's valid, no? I call restorecon on the directories after mkdir'ing them. So they have the correct contexts. If it's fine to assume that any directories under /var/run will __never be removed__, then sure, move it to the pacakge. The only problem with that is if anyone ever does remove them, it'll only fail with SELinux in enforcing mode ... and won't print anything helpful (xen even boots, it just isn't that useful because there isn't a socket in /var/run/xend for xm for to communicate with it).
If someone does 'rm -rf /var/run*' then they're going to get a lot of SELinux errors. Look at what other dirs are in there :) So let's just go for adding the dirs to the package. This also has the advantage of then not being a patch against the initscript to have to maintain forever (since it probably wouldn't be accepted upstream)
Fixed for -9