Description of problem:
When running "xm create -c <vm>" I get the following error:

xenconsole: Could not read tty from store: No such file or directory

and the console (fb or vnc) is not started, although the VM is

Version-Release number of selected component (if applicable):
kernel-xen-2.6.18-1.2704.el5
xen-3.0.2-39
libvirt-0.1.6-1
selinux-policy-targeted-2.3.14-6

How reproducible:
100%

Steps to Reproduce:
1. create a VM with xenguest-install
2. restart the VM with xm create -c

Additional info:
snippets from audit.log:

type=ANOM_PROMISCUOUS msg=audit(1159457584.800:42): dev=vif1.0 prom=256 old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1159457584.800:42): arch=40000003 syscall=54 success=yes exit=0 a0=3 a1=89a2 a2=bfebeaf0 a3=1 items=0 ppid=4798 pid=4866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159457584.856:43): avc: denied { read write } for pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1159457584.856:43): arch=40000003 syscall=11 success=yes exit=0 a0=95aef20 a1=95af438 a2=95af330 a3=95af1f8 items=0 ppid=4854 pid=4881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC_PATH msg=audit(1159457584.856:43): path="/xen/rhnsat41.dsk"
type=ANOM_PROMISCUOUS msg=audit(1159457584.868:44): dev=tap0 prom=256 old_prom=0 auid=4294967295
type=SYSCALL msg=audit(1159457584.868:44): arch=40000003 syscall=54 success=yes exit=0 a0=5 a1=89a2 a2=bfe54300 a3=1 items=0 ppid=4854 pid=4882 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:45): avc: denied { search } for pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:45): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe41a0 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:46): avc: denied { name_connect } for pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:46): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4180 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:47): avc: denied { search } for pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1159457585.676:47): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4190 a2=43ed9b24 a3=13 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1159457585.676:48): avc: denied { name_connect } for pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1159457585.676:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbe4170 a2=43ed9b24 a3=10 items=0 ppid=2903 pid=4777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm" subj=system_u:system_r:xend_t:s0 key=(null)
type=ANOM_PROMISCUOUS msg=audit(1159457586.196:49): dev=tap0 prom=0 old_prom=256 auid=4294967295
/xen/rhnsat41.dsk is labeled wrong. It should be xen_image_t. xend needs to connect to XServer over tcp? Any idea what /usr/lib/xen/bin/qemu-dm is searching tmp for?
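Added example, not part of the original report or comments: a small parser that reduces the AVC records quoted in the report to one line per distinct denial, joining each AVC record to its AVC_PATH record by audit event ID so the full object path is visible. The function names `setype` and `summarize_denials` are hypothetical, and the sample input is constructed from the records in the report.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and AVC_PATH records from the audit.log snippet
# in the report above, one record per line (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1159457584.856:43): avc: denied { read write } for pid=4881 comm="ifconfig" name="rhnsat41.dsk" dev=dm-0 ino=10584067 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC_PATH msg=audit(1159457584.856:43): path="/xen/rhnsat41.dsk"
type=AVC msg=audit(1159457585.676:45): avc: denied { search } for pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:46): avc: denied { name_connect } for pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1159457585.676:47): avc: denied { search } for pid=4777 comm="qemu-dm" name="tmp" dev=dm-0 ino=6094849 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1159457585.676:48): avc: denied { name_connect } for pid=4777 comm="qemu-dm" dest=6000 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$")
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class, permissions)."""
    paths, denials = {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        perms = PERMS.search(body)
        if rtype == "AVC_PATH":
            paths[event] = fields["path"]  # full path for the same event ID
        elif rtype == "AVC" and perms:
            denials.append((event, tuple(perms.group(1).split()), fields))
    summary = defaultdict(lambda: {"count": 0, "objects": set()})
    for event, perms, f in denials:
        key = (setype(f["scontext"]), setype(f["tcontext"]), f["tclass"], perms)
        # Prefer the AVC_PATH path; fall back to the object name or port.
        obj = paths.get(event) or f.get("name") or "port " + f.get("dest", "?")
        summary[key]["count"] += 1
        summary[key]["objects"].add(obj)
    return dict(summary)

if __name__ == "__main__":
    for key, info in summarize_denials(SAMPLE).items():
        print(*key, info["count"], sorted(info["objects"]))
```
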
restorecon -R /xen fixed the labelling, but etc_runtime_t was the label originally given (perhaps by xenguest-install, or xen)? I don't know the answers to your other questions.
Fixed in selinux-policy-2.3.16-6
Adding to beta blocker since it meets criteria and is already fixed.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering. This request is not yet committed for inclusion in release.