Description of problem:
I've recently upgraded to Fedora 7 from Fedora Core 6. I'm trying to launch one of my Xen Guests using xm create GuestOS and I'm getting the following errors:

SELinux is preventing xen-hotplug-cle (udev_t) "write" to xen (xend_var_log_t).
and
SELinux is preventing xen-hotplug-cle (udev_t) "add_name" to xen-hotplug.log (xend_var_log_t).

I can't launch my guests! I've got the guest disk images in /var/lib/xen/images and the xen config files in /etc/xen just like they were in Fedora Core 6. I've also tried to create a new Xen guest, but get the same errors.

Version-Release number of selected component (if applicable):
xen - xen-3.1.0-0.rc7.1.fc7

How reproducible:
every time.

Steps to Reproduce:
1. xm create Guest
2. the xm command returns the following error: Error: Device 0 (vif) could not be connected. Hotplug scripts not working.
3.

Actual results:
Error: Device 0 (vif) could not be connected. Hotplug scripts not working.

Expected results:
Xen Guest OS should start.

Additional info:
Created attachment 156526 [details] xend log
Created attachment 156527 [details] audit log
Looks like a policy bug to me - assigned to selinux policy.
I hope this information helps someone. I'm trying to run Xen with a slightly newer xen and selinux policy (from fedora-updates-testing) and my error messages are slightly different when I try to create a new guest:

'Device 0 (vif) could not be connected. Hotplug scripts not working.'

audit(1181937852.205:5): avc: denied { create } for pid=2808 comm="blktap" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937852.241:6): avc: denied { create } for pid=2821 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.474:7): avc: denied { create } for pid=2853 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.534:8): avc: denied { create } for pid=2862 comm="blktap" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.578:9): avc: denied { create } for pid=2879 comm="xen-hotplug-cle" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.638:10): avc: denied { create } for pid=2883 comm="xen-hotplug-cle" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file

[root@xen images]# dmesg | audit2allow

#============= udev_t ==============
allow udev_t xend_var_log_t:file create;

---
The relevant installed packages:
kernel-xen-2.6.20-2925.11.fc7
xen-3.1.0-2.fc7
selinux-policy-targeted-2.6.4-14.fc7
Fixed in selinux-policy-2.6.4-17
Tested with selinux-policy-2.6.4-17, still no go.

[root@xen ~]# virt-install
Would you like a fully virtualized guest (yes or no)? This will allow you to run unmodified operating systems. no
What is the name of your virtual machine? gw
How much RAM should be allocated (in megabytes)? 384
What would you like to use as the disk (path)? /var/lib/xen/images/gw
Would you like to enable graphics support? (yes or no) no
What is the install location? ftp://192.168.0.160/documents/fc7/x86_64/os/

Starting install...
libvir: Xen Daemon error : GET operation failed:
Retrieving Fedora... 192 kB 00:00
Retrieving vmlinuz... 100% |=========================| 1.8 MB 00:00
Retrieving initrd.img... 100% |=========================| 5.4 MB 00:01
libvir: Xen Daemon error : GET operation failed:
libvir: Xen Daemon error : POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')
Traceback (most recent call last):
  File "/usr/sbin/virt-install", line 629, in <module>
    main()
  File "/usr/sbin/virt-install", line 578, in main
    dom = guest.start_install(conscb,progresscb)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 649, in start_install
    return self._do_install(consolecb, meter)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 666, in _do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 503, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirt.libvirtError: virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')

[root@xen ~]# dmesg
audit(1182243207.872:6): avc: denied { search } for pid=2799 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.872:7): avc: denied { search } for pid=2799 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:8): avc: denied { search } for pid=2812 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:9): avc: denied { search } for pid=2812 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:10): avc: denied { search } for pid=2844 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:11): avc: denied { search } for pid=2844 comm="vif-bridge" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:12): avc: denied { search } for pid=2855 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:13): avc: denied { search } for pid=2855 comm="blktap" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:14): avc: denied { search } for pid=2870 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:15): avc: denied { search } for pid=2870 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:16): avc: denied { search } for pid=2874 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:17): avc: denied { search } for pid=2874 comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir

[root@xen ~]# dmesg | audit2allow

#============= udev_t ==============
allow udev_t xend_var_log_t:dir search;

[root@xen ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-17.fc7
Try again. Fixed in selinux-policy-2.6.4-18
rpm -q selinux-policy
selinux-policy-2.6.4-21.fc7

Got the following errors:

Summary
SELinux is preventing /sbin/losetup (udev_t) "write" to winxp2 (xen_image_t).

Detailed Description
SELinux denied access requested by /sbin/losetup. It is not expected that this access is required by /sbin/losetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for winxp2, restorecon -v winxp2 If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context: system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context: system_u:object_r:xen_image_t
Target Objects: winxp2 [ file ]
Affected RPM Packages: util-linux-2.13-0.51.fc7 [application]
Policy RPM: selinux-policy-2.6.4-21.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: xx
Platform: Linux xx 2.6.20-2925.11.fc7xen #1 SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count: 8
First Seen: Mon 25 Jun 2007 01:48:51 PM MDT
Last Seen: Tue 26 Jun 2007 07:40:19 AM MDT
Local ID: 33d14a58-f07e-4ab7-9369-ebb3e82f96e5
Line Numbers:

Raw Audit Messages
avc: denied { write } for comm="losetup" dev=dm-0 egid=0 euid=0 exe="/sbin/losetup" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="winxp2" pid=4750 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:xen_image_t:s0 tty=(none) uid=0

Summary
SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown> (udev_t).

Detailed Description
SELinux denied access requested by /usr/sbin/brctl. It is not expected that this access is required by /usr/sbin/brctl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context: system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context: system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects: None [ capability ]
Affected RPM Packages: bridge-utils-1.1-2 [application]
Policy RPM: selinux-policy-2.6.4-21.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: xxx
Platform: Linux xxx 2.6.20-2925.11.fc7xen #1 SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count: 24
First Seen: Mon 25 Jun 2007 01:13:19 PM MDT
Last Seen: Tue 26 Jun 2007 07:40:19 AM MDT
Local ID: 97da150d-9cd6-4e8b-a842-7477eb86179e
Line Numbers:

Raw Audit Messages
avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl" exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=4801 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
Ok, adding fstools_domtrans(udev_t) will allow udev to transition to the fstools domain and should allow this. Fixed in selinux-policy-2.6.4-24
[root@xen images]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-25.fc7

[root@xen images]# dmesg | grep avc
audit(1183568070.371:141): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568070.371:142): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568125.917:143): avc: denied { getattr } for pid=11526 comm="readlink" name="virtinst-boot.iso.ml2Pro" dev=sda3 ino=61505839 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=root:object_r:xend_var_lib_t:s0 tclass=file
audit(1183568126.013:145): avc: denied { append } for pid=11614 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1183568126.021:146): avc: denied { read write } for pid=11614 comm="losetup" name="gw" dev=sda3 ino=61505898 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=root:object_r:xen_image_t:s0 tclass=file
audit(1183568126.517:150): avc: denied { sys_module } for pid=11697 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568126.517:151): avc: denied { sys_module } for pid=11697 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568220.997:152): avc: denied { append } for pid=12939 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file

[root@xen images]# dmesg | grep avc | audit2allow

#============= fsadm_t ==============
allow fsadm_t xen_image_t:file { read write };
allow fsadm_t xend_var_log_t:file append;

#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t xend_var_lib_t:file getattr;
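The comments above pipe dmesg into audit2allow to turn AVC denials into candidate allow rules. The following is an added example, not code from this bug or from the selinux-policy project: a small parser that reads both record shapes seen in this thread (the dmesg form and the sealert "Raw Audit Messages" form, whose fields come in a different order), merges denials by source type, target type and object class, and renders the same allow-rule summary audit2allow printed, so the proposed rules can be reviewed before anyone considers a policy change. The sample records are copied from the denials posted above; the regexes and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the denials quoted in this bug thread.
SAMPLE_AVC = """\
audit(1183568126.021:146): avc: denied { read write } for pid=11614 comm="losetup" name="gw" dev=sda3 ino=61505898 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=root:object_r:xen_image_t:s0 tclass=file
audit(1183568126.013:145): avc: denied { append } for pid=11614 comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1183568070.371:141): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568070.371:142): avc: denied { sys_module } for pid=11335 comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
avc: denied { write } for comm="losetup" dev=dm-0 egid=0 euid=0 exe="/sbin/losetup" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="winxp2" pid=4750 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:xen_image_t:s0 tty=(none) uid=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_avc(line):
    """Return the permission set and the source/target types of one AVC record,
    or None if the line is not a denial or lacks a required field."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': frozenset(m.group('perms').split()),
            'source': fields['scontext'].split(':')[2],   # user:role:TYPE:range
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm', '?'),
        }
    except (KeyError, IndexError):
        return None

def allow_rules(lines):
    """Merge denials by (source type, target type, class), like audit2allow does,
    and return {source_type: [allow rule, ...]} with rules in sorted order."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    by_domain = defaultdict(list)
    for (src, tgt, cls), perms in sorted(merged.items()):
        tgt = 'self' if tgt == src else tgt            # audit2allow prints self for src==tgt
        text = ' '.join(sorted(perms))
        text = text if len(perms) == 1 else '{ ' + text + ' }'
        by_domain[src].append(f'allow {src} {tgt}:{cls} {text};')
    return dict(by_domain)

def render(rules):
    """Format the rules with the per-domain banner audit2allow uses."""
    out = []
    for domain in sorted(rules):
        out.append(f'#============= {domain} ==============')
        out.extend(rules[domain])
    return '\n'.join(out)

if __name__ == '__main__':
    print(render(allow_rules(SAMPLE_AVC.splitlines())))
```

Note that the maintainer's fix for the losetup denials in this thread was a domain transition (fstools_domtrans(udev_t)) rather than the blanket allow rules such a summary proposes; the summary is a triage aid, not the policy change itself.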
I am seeing the same, when creating a domain (xm create /etc/xen/fc6_0)

# rpm -q selinux-policy
selinux-policy-2.6.4-25.fc7

# sealert -l 5f913024-7422-49dc-b9a0-02f09fb121ef
Summary
SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown> (udev_t).

Detailed Description
SELinux denied access requested by /usr/sbin/brctl. It is not expected that this access is required by /usr/sbin/brctl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context: system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context: system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects: None [ capability ]
Affected RPM Packages: bridge-utils-1.1-2 [application]
Policy RPM: selinux-policy-2.6.4-25.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.20-2925.11.fc7xen #1 SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count: 4
First Seen: Tue Jul 10 15:51:17 2007
Last Seen: Tue Jul 10 15:58:38 2007
Local ID: 5f913024-7422-49dc-b9a0-02f09fb121ef
Line Numbers:

Raw Audit Messages
avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl" exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=5922 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
This is the command which fails:

brctl addif eth0 vif7.0

(Note that in the wacky world of Xen, eth0 is a bridge). Strangely enough, both ioctls succeed:

ioctl(4, SIOCGIFINDEX, {ifr_name="vif7.0", ifr_index=12}) = 0
ioctl(3, 0x89a2, 0x7fff8f703230) = 0

and the process exits normally (status 0), but an AVC is logged. So I guess -EPERM is being lost somewhere along the line.
*** This bug has been marked as a duplicate of 245274 ***