Description of problem: When starting a new guest VM, multiple AVC denials are logged. There seem to be two general classes of problem: 1. The hotplug scripts are running under a confined udev_t context which doesn't have ability to do the various disk / network setup tasks xen requires 2. Xend needs to be able to create fifos to deal with bootlodaer interaction This can be seen from the audi2allow suggests: # audit2allow < /var/log/audit/audit.log #============= udev_t ============== allow udev_t proc_xen_t:dir search; allow udev_t proc_xen_t:file { read write getattr }; allow udev_t xen_image_t:dir { getattr search }; allow udev_t xen_image_t:file getattr; allow udev_t xend_var_lib_t:dir { getattr search }; allow udev_t xend_var_log_t:dir search; #============= xend_t ============== allow xend_t var_run_t:fifo_file { read write create }; allow xend_t xend_tmp_t:file { read write rename unlink }; allow xend_t xend_var_run_t:fifo_file { read write create unlink }; Version-Release number of selected component (if applicable): selinux-policy-2.6.1-1.fc7 xen-3.1.0-0.rc7.1.fc7 How reproducible: Always Steps to Reproduce: 1. Start a Xen guest when SELinux is in permissive mode 2. 3. Actual results: Multiple AVCs Expected results: No AVCs Additional info: Will attach the complete audit log
Created attachment 154339 [details] Audit logs from just after VM creation
For me this error is characterised by the following message: xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.' It is indeed an SELinux problem. Setting SELinux mode to Permissive allows the install to complete. After this, dmesg | audit2allow shows a slightly different set of rules from the one that Dan reported above: #============= restorecon_t ============== allow restorecon_t xend_t:fd use; #============= udev_t ============== allow udev_t proc_xen_t:dir search; allow udev_t proc_xen_t:file { read write getattr }; allow udev_t xen_image_t:dir { getattr search }; allow udev_t xen_image_t:file getattr; allow udev_t xend_var_lib_t:dir { getattr search }; allow udev_t xend_var_log_t:dir { write search add_name }; allow udev_t xend_var_log_t:file create; #============= xend_t ============== allow xend_t var_run_t:dir create; allow xend_t xend_tmp_t:file { write rename unlink };
Created attachment 154341 [details] dmesg just after successful creation in Permissive mode
Ignore my report about slightly different audit2allow rules. In fact mine match Dan's. 'allow restorecon_t' is caused by an earlier, unrelated error.
Fixed in selinux-policy-2.6.4-4.fc7
I have F7 installed with selinux-policy-2.6.4-8.fc7 and the problem is still there. When i try to create a virt guest using virt-manager, it fails with error message : Unable to complete install: 'virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')' and a bunch of SELinux avc denials "SELinux is preventing vif-bridge (udev_t) "write" to xen (xend_var_log_t)." audit2allow </var/log/audit/audit.log: #============= udev_t ============== allow udev_t xend_var_log_t:dir write; #============= xend_t ============== allow xend_t var_run_t:dir create;
These do not make much sense. I can allow xend_t to create a new directory in /var/run or is this a mislabeled directory. udev wants to create a new file under xend_var_log_t? Please attach the audit.log
This looks like potential problem: type=AVC msg=audit(1181032164.422:48): avc: denied { read } for pid=4606 comm="python" name="F7" dev=0:15 ino=7778336 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=lnk_file type=SYSCALL msg=audit(1181032164.422:48): arch=40000003 syscall=195 success=no exit=-13 a0=94c0e18 a1=b3594d78 a2=4a0cdff4 a3=9564db0 items=0 ppid=2648 pid=4606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:xend_t:s0 key=(null) AVCs is from rawhide system rpm -q selinux-policy selinux-policy-2.6.5-2.fc8 A
Ok, i removed audit.log, restarted auditd and started the virtual machine. Here is the fresh audit.log
Created attachment 156198 [details] audit.log just after virtual machine startup
Fixed in selinux-policy-3.0.1-1.fc8
(In reply to comment #11) > Fixed in selinux-policy-3.0.1-1.fc8 Could be but I got same error during compilation which is in koji (http://koji.fedoraproject.org/koji/getfile?taskID=21821&name=build.log) A
Yes that is not released yet.