Bug 2114498 - SELinux policy prevents xenstored from starting
Summary: SELinux policy prevents xenstored from starting
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-02 18:17 UTC by W. Michael Petullo
Modified: 2022-08-20 01:44 UTC (History)

Fixed In Version: selinux-policy-36.14-1.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-20 01:44:40 UTC
Type: Bug
Embargoed:

Links
Github fedora-selinux/selinux-policy pull 1317 (open): Allow launch-xenstored read filesystem sysctls. Last updated 2022-08-05 19:15:16 UTC
Github fedora-selinux/selinux-policy pull 1324 (open): Allow services execute systemd-notify. Last updated 2022-08-09 13:32:15 UTC

Description W. Michael Petullo 2022-08-02 18:17:19 UTC
Description of problem:
The SELinux policy is preventing xenstored from starting.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-36.10-1.fc36.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Boot the kernel under Xen as Dom0
2. Observe that xenstored does not start

Additional info:
Running "setenforce 0" allows xenstored to start. Here are the audit logs produced by running "systemctl start xenstored" when SELinux is in permissive mode:

Aug 02 13:10:18 doppelganger.flyn.org systemd[1]: Starting xenstored.service - The Xen xenstore...
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { search } for  pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { read } for  pid=949 comm="launch-xenstore" name="nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[951]: AVC avc:  denied  { open } for  pid=951 comm="cat" path="/proc/sys/fs/nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[951]: AVC avc:  denied  { getattr } for  pid=951 comm="cat" path="/proc/sys/fs/nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[953]: AVC avc:  denied  { setrlimit } for  pid=953 comm="prlimit" scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { getattr } for  pid=949 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { execute } for  pid=949 comm="launch-xenstore" name="systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc:  denied  { read } for  pid=949 comm="launch-xenstore" name="systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[956]: AVC avc:  denied  { open } for  pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org audit[956]: AVC avc:  denied  { execute_no_trans } for  pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Aug 02 13:10:18 doppelganger.flyn.org xenstored[955]: Checking store ...
Aug 02 13:10:18 doppelganger.flyn.org xenstored[955]: Checking store complete.
Aug 02 13:10:18 doppelganger.flyn.org launch-xenstore[949]: Starting /usr/sbin/xenstored...
Aug 02 13:10:18 doppelganger.flyn.org xen-init-dom0[959]: Done setting up Dom0
Aug 02 13:10:19 doppelganger.flyn.org systemd[1]: Started xenstored.service - The Xen xenstore.
Aug 02 13:10:19 doppelganger.flyn.org audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xenstored comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
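
As an added example (not part of the report or of the selinux-policy project), the AVC records above can be triaged programmatically: the script parses each denial, groups them by source type, target type and object class, and renders the raw type-enforcement rules they ask for, the way audit2allow would. The input lines are copied from the report with the journal prefix removed; whether each rule belongs in the distribution policy is a separate decision that the linked pull requests make.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, with the journal prefix
# ("Aug 02 13:10:18 doppelganger.flyn.org ") removed for width.
AVC_LINES = """\
audit[949]: AVC avc:  denied  { search } for  pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
audit[949]: AVC avc:  denied  { read } for  pid=949 comm="launch-xenstore" name="nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit[951]: AVC avc:  denied  { open } for  pid=951 comm="cat" path="/proc/sys/fs/nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit[951]: AVC avc:  denied  { getattr } for  pid=951 comm="cat" path="/proc/sys/fs/nr_open" dev="proc" ino=15592 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
audit[953]: AVC avc:  denied  { setrlimit } for  pid=953 comm="prlimit" scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=1
audit[949]: AVC avc:  denied  { getattr } for  pid=949 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit[949]: AVC avc:  denied  { execute } for  pid=949 comm="launch-xenstore" name="systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit[949]: AVC avc:  denied  { read } for  pid=949 comm="launch-xenstore" name="systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit[956]: AVC avc:  denied  { open } for  pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
audit[956]: AVC avc:  denied  { execute_no_trans } for  pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
"""

# One AVC record: the permission set in braces, then the two security
# contexts and the object class. permissive=1 means the access was only
# logged, not blocked, which is why the service still came up.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render grouped denials as TE allow rules, as audit2allow would."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # domain acting on itself
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(AVC_LINES))))
```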

Comment 1 Zdenek Pytela 2022-08-09 14:43:29 UTC
The required SELinux permissions were added, but note that we are unable to test whether they are sufficient if it requires a kernel which is not in Fedora.

Comment 2 Fedora Update System 2022-08-12 07:56:19 UTC
FEDORA-2022-70c63dd1e2 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2

Comment 3 Fedora Update System 2022-08-13 01:09:31 UTC
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-70c63dd1e2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-70c63dd1e2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2022-08-20 01:44:40 UTC
FEDORA-2022-70c63dd1e2 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
