Bug 239449 - AVC: Xen hotplug scripts fail to run under udev_t
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-05-08 11:01 EDT by Daniel Berrange
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-09-10 10:45:35 EDT
Attachments
Audit logs from just after VM creation (16.77 KB, text/plain), 2007-05-08 11:01 EDT, Daniel Berrange
dmesg just after successful creation in Permissive mode (4.07 KB, text/plain), 2007-05-08 11:08 EDT, Richard W.M. Jones
audit.log just after virtual machine startup (4.95 KB, text/plain), 2007-06-05 06:24 EDT, Michal Babej

Description Daniel Berrange 2007-05-08 11:01:52 EDT
Description of problem:
When starting a new guest VM, multiple AVC denials are logged. There seem to be
two general classes of problem:

 1. The hotplug scripts are running under a confined udev_t context which
doesn't have the ability to do the various disk / network setup tasks Xen requires
 2. Xend needs to be able to create fifos to deal with bootloader interaction

This can be seen from what audit2allow suggests:

# audit2allow < /var/log/audit/audit.log 

#============= udev_t ==============
allow udev_t proc_xen_t:dir search;
allow udev_t proc_xen_t:file { read write getattr };
allow udev_t xen_image_t:dir { getattr search };
allow udev_t xen_image_t:file getattr;
allow udev_t xend_var_lib_t:dir { getattr search };
allow udev_t xend_var_log_t:dir search;

#============= xend_t ==============
allow xend_t var_run_t:fifo_file { read write create };
allow xend_t xend_tmp_t:file { read write rename unlink };
allow xend_t xend_var_run_t:fifo_file { read write create unlink };


Version-Release number of selected component (if applicable):
selinux-policy-2.6.1-1.fc7
xen-3.1.0-0.rc7.1.fc7

How reproducible:
Always

Steps to Reproduce:
1. Start a Xen guest when SELinux is in permissive mode
Actual results:
Multiple AVCs

Expected results:
No AVCs

Additional info:
Will attach the complete audit log
Comment 1 Daniel Berrange 2007-05-08 11:01:52 EDT
Created attachment 154339 [details]
Audit logs from just after VM creation
Comment 2 Richard W.M. Jones 2007-05-08 11:05:49 EDT
For me this error is characterised by the following message:

xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.'

It is indeed an SELinux problem.  Setting SELinux mode to Permissive allows the
install to complete.  After this, dmesg | audit2allow shows a slightly different
set of rules from the one that Dan reported above:

#============= restorecon_t ==============
allow restorecon_t xend_t:fd use;

#============= udev_t ==============
allow udev_t proc_xen_t:dir search;
allow udev_t proc_xen_t:file { read write getattr };
allow udev_t xen_image_t:dir { getattr search };
allow udev_t xen_image_t:file getattr;
allow udev_t xend_var_lib_t:dir { getattr search };
allow udev_t xend_var_log_t:dir { write search add_name };
allow udev_t xend_var_log_t:file create;

#============= xend_t ==============
allow xend_t var_run_t:dir create;
allow xend_t xend_tmp_t:file { write rename unlink };
Comment 3 Richard W.M. Jones 2007-05-08 11:08:57 EDT
Created attachment 154341 [details]
dmesg just after successful creation in Permissive mode
Comment 4 Richard W.M. Jones 2007-05-08 11:13:06 EDT
Ignore my report about slightly different audit2allow rules.  In fact mine match
Dan's.  'allow restorecon_t' is caused by an earlier, unrelated error.
Comment 5 Daniel Walsh 2007-05-17 12:24:19 EDT
Fixed in selinux-policy-2.6.4-4.fc7
Comment 6 Michal Babej 2007-06-04 11:44:44 EDT
I have F7 installed with selinux-policy-2.6.4-8.fc7 and the problem is still
there. When I try to create a virt guest using virt-manager, it fails with the error
message:

Unable to complete install: 'virDomainCreateLinux() failed POST operation
failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not
working.')' 

and a bunch of SELinux avc denials "SELinux is preventing vif-bridge (udev_t)
"write" to xen (xend_var_log_t)."

audit2allow </var/log/audit/audit.log:
#============= udev_t ==============
allow udev_t xend_var_log_t:dir write;

#============= xend_t ==============
allow xend_t var_run_t:dir create;

Comment 7 Daniel Walsh 2007-06-04 15:02:49 EDT
These do not make much sense.  I can allow xend_t to create a new directory in
/var/run, or is this a mislabeled directory?  udev wants to create a new file
under xend_var_log_t?

Please attach the audit.log
Comment 8 Adam Tkac 2007-06-05 04:32:31 EDT
This looks like a potential problem:

type=AVC msg=audit(1181032164.422:48): avc:  denied  { read } for  pid=4606
comm="python" name="F7" dev=0:15 ino=7778336
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:nfs_t:s0
tclass=lnk_file
type=SYSCALL msg=audit(1181032164.422:48): arch=40000003 syscall=195 success=no
exit=-13 a0=94c0e18 a1=b3594d78 a2=4a0cdff4 a3=9564db0 items=0 ppid=2648
pid=4606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0
key=(null)

AVCs are from a rawhide system
rpm -q selinux-policy
selinux-policy-2.6.5-2.fc8

A
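The rules in the bug description were produced by feeding AVC records like the one in comment 8 through audit2allow. The following is an added example, not code from this bug or from the Fedora policy, showing the core of that derivation: it extracts the source type, target type, object class and permission set from each `type=AVC` record, merges permissions for identical (source, target, class) triples, and emits allow rules grouped by source type, the same shape as the `#============= udev_t ==============` blocks above. The helper names (`parse_avc`, `avc_to_rules`, `context_type`) are this example's own; the first sample record is the comment 8 record re-joined onto one line, the others are constructed to resemble the udev_t denials in the description.

```python
import re
from collections import defaultdict

# Fields audit2allow needs from a type=AVC record: the denied permission set,
# the source and target security contexts, and the target object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Sample audit records. The first is the record from comment 8 joined onto one
# line; the rest are constructed for this example (not taken from the page).
SAMPLE_LOG = [
    'type=AVC msg=audit(1181032164.422:48): avc:  denied  { read } for  pid=4606 comm="python" '
    'name="F7" dev=0:15 ino=7778336 scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file',
    'type=AVC msg=audit(1181032164.500:49): avc:  denied  { search } for  pid=4700 comm="vif-bridge" '
    'name="xen" dev=proc ino=4026531999 scontext=system_u:system_r:udev_t:s0 '
    'tcontext=system_u:object_r:proc_xen_t:s0 tclass=dir',
    'type=AVC msg=audit(1181032164.501:50): avc:  denied  { read write } for  pid=4700 comm="vif-bridge" '
    'name="privcmd" dev=proc ino=4026532000 scontext=system_u:system_r:udev_t:s0 '
    'tcontext=system_u:object_r:proc_xen_t:s0 tclass=file',
    'type=AVC msg=audit(1181032164.502:51): avc:  denied  { getattr } for  pid=4700 comm="vif-bridge" '
    'path="/proc/xen/privcmd" dev=proc ino=4026532000 scontext=system_u:system_r:udev_t:s0 '
    'tcontext=system_u:object_r:proc_xen_t:s0 tclass=file',
    # A SYSCALL record accompanies each AVC but carries no denial; it must be skipped.
    'type=SYSCALL msg=audit(1181032164.422:48): arch=40000003 syscall=195 success=no exit=-13 '
    'comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0',
]


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit record into (source_type, target_type, tclass, perms).

    Returns None for records that are not AVC denials (SYSCALL, CWD, PATH, ...).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group("perms").split())
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        perms,
    )


def avc_to_rules(lines):
    """Merge AVC denials into audit2allow-style allow rules, grouped by source type.

    Returns {source_type: [rule, ...]} with rules in (target, class) order and
    permission sets sorted alphabetically (audit2allow keeps its own order).
    """
    merged = defaultdict(set)  # (stype, ttype, tclass) -> set of permissions
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms

    rules = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        if len(perms) == 1:
            perm_str = next(iter(perms))
        else:
            perm_str = "{ " + " ".join(sorted(perms)) + " }"
        rules[stype].append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return dict(rules)


if __name__ == "__main__":
    for stype, stype_rules in avc_to_rules(SAMPLE_LOG).items():
        print(f"#============= {stype} ==============")
        for rule in stype_rules:
            print(rule)
        print()
```

Running the block prints `allow xend_t nfs_t:lnk_file read;` for the comment 8 record, which illustrates the point Daniel Walsh raises in comment 7: the generated rule describes what was denied, not whether allowing it is right. A guest image or config living on NFS (`nfs_t`) is a labeling or mount question, and a `/var/run` directory that needs creating may simply be mislabeled, so the output is a starting point for reading the log, not a policy to load as-is.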
Comment 9 Michal Babej 2007-06-05 06:09:05 EDT
OK, I removed audit.log, restarted auditd and started the virtual machine. Here
is the fresh audit.log
Comment 10 Michal Babej 2007-06-05 06:24:04 EDT
Created attachment 156198 [details]
audit.log just after virtual machine startup
Comment 11 Daniel Walsh 2007-06-05 08:15:56 EDT
Fixed in selinux-policy-3.0.1-1.fc8
Comment 12 Adam Tkac 2007-06-05 08:26:03 EDT
(In reply to comment #11)
> Fixed in selinux-policy-3.0.1-1.fc8
Could be but I got same error during compilation which is in koji
(http://koji.fedoraproject.org/koji/getfile?taskID=21821&name=build.log)

A
Comment 13 Daniel Walsh 2007-06-05 09:12:11 EDT
Yes, that is not released yet.