Bug 241716 - Xen broken by FC6 update of selinux-policy-targeted
Xen broken by FC6 update of selinux-policy-targeted
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-29 14:50 EDT by Michal Schmidt
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: 2.4.6-74.fc6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-06-03 12:28:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Schmidt 2007-05-29 14:50:43 EDT
Description of problem:
The FC6 update of selinux-policy-targeted from version 2.4.6-62 to 2.4.6-69 
broke Xen. Attempts to start xend are blocked by SELinux:

avc: denied { execute } for comm="python" dev=dm-0 egid=0 euid=0 
exe="/usr/bin/python" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="bash" 
pid=6053 scontext=user_u:system_r:xend_t:s0 sgid=0 
subj=user_u:system_r:xend_t:s0 suid=0 tclass=file 
tcontext=system_u:object_r:shell_exec_t:s0 tty=pts0 uid=0 

I suspect this change in policy-20061106.patch:
@@ -13249,6 +13433,15 @@ diff --exclude-from=exclude -N -u -r nsa
  # var/lib files for xend
  allow xend_t xend_var_lib_t:file create_file_perms;
  allow xend_t xend_var_lib_t:sock_file create_file_perms;
+@@ -131,7 +138,7 @@
+ 
+ corecmd_exec_sbin(xend_t)
+ corecmd_exec_bin(xend_t)
+-corecmd_exec_shell(xend_t)
++corecmd_exec_ls(xend_t)
+ 
+ corenet_non_ipsec_sendrecv(xend_t)
+ corenet_tcp_sendrecv_all_if(xend_t)
 @@ -143,6 +150,7 @@
  corenet_tcp_bind_generic_port(xend_t)
  corenet_tcp_bind_vnc_port(xend_t)


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-69.fc6.noarch
xen-3.0.3-8.fc6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Try running /etc/init.d/xend start
  
Actual results:
xend fails to start

Expected results:
xend starts successfully
Comment 1 Matěj Cepl 2007-05-30 11:59:00 EDT
The same thing -- xend doesn't start (FC6 x86_64, the versions of pacakges below):

type=AVC msg=audit(1180540470.001:5304): avc:  denied  { execute } for 
pid=21686 comm="python" name="bash" dev=dm-1 in
o=2422498 scontext=user_u:system_r:xend_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1180540470.001:5304): arch=c000003e syscall=59 success=no
exit=-13 a0=3ec9517213 a1=7fffb6e03cd0
 a2=7fffb6e06c28 a3=2aaaaaabffd0 items=0 ppid=21685 pid=21686 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 comm="python" exe="/usr/bin/python"
subj=user_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1180540470.353:5305): avc:  denied  { execute } for 
pid=21697 comm="python" name="bash" dev=dm-1 in
o=2422498 scontext=user_u:system_r:xend_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1180540470.353:5305): arch=c000003e syscall=59 success=no
exit=-13 a0=3ec9517213 a1=7fff79c24880
 a2=7fff79c27a48 a3=2aaaaaabffd0 items=0 ppid=21696 pid=21697 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=pts0 comm="python" exe="/usr/bin/python"
subj=user_u:system_r:xend_t:s0 key=(null)
sh-3.1# rpm -q xen
xen-3.0.3-8.fc6
sh-3.1# rpm -qa selinux\*
selinux-policy-2.4.6-69.fc6
selinux-policy-targeted-2.4.6-69.fc6
sh-3.1# 
Comment 2 Michal Schmidt 2007-06-03 12:28:03 EDT
Works again after updating to selinux-policy-targeted-2.4.6-74.fc6. Thanks.

Note You need to log in before you can comment on or make changes to this bug.