Bug 243219 - selinux won't allow launching of existing or creation of new xen hosts in Fedora 7
selinux won't allow launching of existing or creation of new xen hosts in Fed...
Status: CLOSED DUPLICATE of bug 245274
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-07 19:21 EDT by Phil Hale
Modified: 2007-11-30 17:12 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-11 13:21:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
xend log (50.64 KB, text/plain)
2007-06-07 19:21 EDT, Phil Hale
no flags Details
audit log (35.71 KB, text/plain)
2007-06-07 19:21 EDT, Phil Hale
no flags Details

  None (edit)
Description Phil Hale 2007-06-07 19:21:03 EDT
Description of problem:
I've recently upgraded to Fedora 7 from Fedora Core 6.  I'm trying to launch one
of my Xen Guests using xm create GuestOS and I'm getting the following errors:

SELinux is preventing xen-hotplug-cle (udev_t) "write" to xen (xend_var_log_t).

and
SELinux is preventing xen-hotplug-cle (udev_t) "add_name" to xen-hotplug.log
(xend_var_log_t).

I can't launch my guests!  I've got the guest disk images in /var/lib/xen/images
and the xen config files in /etc/xen just like they were in Fedora Core 6.  I've
also tried to create a new Xen guest, but get the same errors.


Version-Release number of selected component (if applicable):

xen - xen-3.1.0-0.rc7.1.fc7

How reproducible:
every time.


Steps to Reproduce:
1. xm create Guest
2. the xm command returns the following error:
 Error: Device 0 (vif) could not be connected. Hotplug scripts not working.
3.
  
Actual results:

Error: Device 0 (vif) could not be connected. Hotplug scripts not working.

Expected results:

Xen Guest OS should start.

Additional info:
Comment 1 Phil Hale 2007-06-07 19:21:04 EDT
Created attachment 156526 [details]
xend log
Comment 2 Phil Hale 2007-06-07 19:21:46 EDT
Created attachment 156527 [details]
audit log
Comment 3 Karl MacMillan 2007-06-08 10:31:44 EDT
Looks like a policy bug to me - assigned to selinux policy.
Comment 4 Anssi Johansson 2007-06-15 16:57:39 EDT
I hope this information helps someone.. I'm trying to run Xen with a slightly
newer xen and selinux policy (from fedora-updates-testing) and my error messages
are slightly different when I try to create a new guest:

'Device 0 (vif) could not be connected. Hotplug scripts not working.'

audit(1181937852.205:5): avc:  denied  { create } for  pid=2808 comm="blktap"
name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937852.241:6): avc:  denied  { create } for  pid=2821
comm="vif-bridge" name="xen-hotplug.log"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.474:7): avc:  denied  { create } for  pid=2853
comm="vif-bridge" name="xen-hotplug.log"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.534:8): avc:  denied  { create } for  pid=2862 comm="blktap"
name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.578:9): avc:  denied  { create } for  pid=2879
comm="xen-hotplug-cle" name="xen-hotplug.log"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1181937952.638:10): avc:  denied  { create } for  pid=2883
comm="xen-hotplug-cle" name="xen-hotplug.log"
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file

[root@xen images]# dmesg | audit2allow

#============= udev_t ==============
allow udev_t xend_var_log_t:file create;

---

The relevant installed packages:
kernel-xen-2.6.20-2925.11.fc7
xen-3.1.0-2.fc7
selinux-policy-targeted-2.6.4-14.fc7
Comment 5 Daniel Walsh 2007-06-18 10:11:51 EDT
Fixed in selinux-policy-2.6.4-17
Comment 6 Anssi Johansson 2007-06-19 06:32:33 EDT
Tested with selinux-policy-2.6.4-17, still no go..

[root@xen ~]# virt-install
Would you like a fully virtualized guest (yes or no)?  This will allow you to
run unmodified operating systems. no
 What is the name of your virtual machine? gw
 How much RAM should be allocated (in megabytes)? 384
 What would you like to use as the disk (path)? /var/lib/xen/images/gw
 Would you like to enable graphics support? (yes or no) no
 What is the install location? ftp://192.168.0.160/documents/fc7/x86_64/os/


Starting install...
libvir: Xen Daemon error : GET operation failed:
Retrieving Fedora...                                            192 kB 00:00
Retrieving vmlinuz...     100% |=========================| 1.8 MB    00:00
Retrieving initrd.img...  100% |=========================| 5.4 MB    00:01
libvir: Xen Daemon error : GET operation failed:
libvir: Xen Daemon error : POST operation failed: (xend.err 'Device 0 (vif)
could not be connected. Hotplug scripts not working.')
Traceback (most recent call last):
  File "/usr/sbin/virt-install", line 629, in <module>
    main()
  File "/usr/sbin/virt-install", line 578, in main
    dom = guest.start_install(conscb,progresscb)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 649, in
start_install
    return self._do_install(consolecb, meter)
  File "/usr/lib/python2.5/site-packages/virtinst/Guest.py", line 666, in
_do_install
    self.domain = self.conn.createLinux(install_xml, 0)
  File "/usr/lib64/python2.5/site-packages/libvirt.py", line 503, in createLinux
    if ret is None:raise libvirtError('virDomainCreateLinux() failed', conn=self)
libvirt.libvirtError: virDomainCreateLinux() failed POST operation failed:
(xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')


[root@xen ~]# dmesg
audit(1182243207.872:6): avc:  denied  { search } for  pid=2799 comm="blktap"
name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.872:7): avc:  denied  { search } for  pid=2799 comm="blktap"
name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:8): avc:  denied  { search } for  pid=2812
comm="vif-bridge" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243207.928:9): avc:  denied  { search } for  pid=2812
comm="vif-bridge" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:10): avc:  denied  { search } for  pid=2844
comm="vif-bridge" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.156:11): avc:  denied  { search } for  pid=2844
comm="vif-bridge" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:12): avc:  denied  { search } for  pid=2855 comm="blktap"
name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.216:13): avc:  denied  { search } for  pid=2855 comm="blktap"
name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:14): avc:  denied  { search } for  pid=2870
comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.260:15): avc:  denied  { search } for  pid=2870
comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:16): avc:  denied  { search } for  pid=2874
comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
audit(1182243308.316:17): avc:  denied  { search } for  pid=2874
comm="xen-hotplug-cle" name="xen" dev=sda3 ino=61505848
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir

[root@xen ~]# dmesg | audit2allow

#============= udev_t ==============
allow udev_t xend_var_log_t:dir search;

[root@xen ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-17.fc7
Comment 7 Daniel Walsh 2007-06-19 08:22:23 EDT
Try again Fixed in selinux-policy-2.6.4-18
Comment 8 Josh Cogliati 2007-06-26 09:53:41 EDT
rpm -q selinux-policy
selinux-policy-2.6.4-21.fc7

Got the following errors:

Summary
    SELinux is preventing /sbin/losetup (udev_t) "write" to winxp2
    (xen_image_t).

Detailed Description
    SELinux denied access requested by /sbin/losetup. It is not expected that
    this access is required by /sbin/losetup and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for winxp2, restorecon -v winxp2 If
    this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:object_r:xen_image_t
Target Objects                winxp2 [ file ]
Affected RPM Packages         util-linux-2.13-0.51.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-21.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     xx
Platform                      Linux xx 2.6.20-2925.11.fc7xen #1
                              SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count                   8
First Seen                    Mon 25 Jun 2007 01:48:51 PM MDT
Last Seen                     Tue 26 Jun 2007 07:40:19 AM MDT
Local ID                      33d14a58-f07e-4ab7-9369-ebb3e82f96e5
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="losetup" dev=dm-0 egid=0 euid=0
exe="/sbin/losetup" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="winxp2"
pid=4750 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:xen_image_t:s0 tty=(none) uid=0



Summary
    SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown>
    (udev_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/brctl. It is not expected that
    this access is required by /usr/sbin/brctl and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Affected RPM Packages         bridge-utils-1.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-21.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     xxx
Platform                      Linux xxx 2.6.20-2925.11.fc7xen #1
                              SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count                   24
First Seen                    Mon 25 Jun 2007 01:13:19 PM MDT
Last Seen                     Tue 26 Jun 2007 07:40:19 AM MDT
Local ID                      97da150d-9cd6-4e8b-a842-7477eb86179e
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl"
exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=4801
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0

Comment 9 Daniel Walsh 2007-06-27 08:15:59 EDT
Ok adding fstools_domtrans(udev_t) will allow udev to transition to the fstools
domain and should allow this.

fixed in selinux-policy-2.6.4-24
Comment 10 Anssi Johansson 2007-07-04 12:59:48 EDT
[root@xen images]# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.6.4-25.fc7

[root@xen images]# dmesg | grep avc
audit(1183568070.371:141): avc:  denied  { sys_module } for  pid=11335
comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568070.371:142): avc:  denied  { sys_module } for  pid=11335
comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568125.917:143): avc:  denied  { getattr } for  pid=11526
comm="readlink" name="virtinst-boot.iso.ml2Pro" dev=sda3 ino=61505839
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=root:object_r:xend_var_lib_t:s0 tclass=file
audit(1183568126.013:145): avc:  denied  { append } for  pid=11614
comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
audit(1183568126.021:146): avc:  denied  { read write } for  pid=11614
comm="losetup" name="gw" dev=sda3 ino=61505898
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=root:object_r:xen_image_t:s0 tclass=file
audit(1183568126.517:150): avc:  denied  { sys_module } for  pid=11697
comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568126.517:151): avc:  denied  { sys_module } for  pid=11697
comm="brctl" capability=16 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=capability
audit(1183568220.997:152): avc:  denied  { append } for  pid=12939
comm="losetup" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file

[root@xen images]# dmesg | grep avc | audit2allow

#============= fsadm_t ==============
allow fsadm_t xen_image_t:file { read write };
allow fsadm_t xend_var_log_t:file append;

#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t xend_var_lib_t:file getattr;
Comment 11 Richard W.M. Jones 2007-07-10 11:28:24 EDT
I am seeing the same, when creating a domain (xm create /etc/xen/fc6_0)

# rpm -q selinux-policy
selinux-policy-2.6.4-25.fc7

# sealert -l 5f913024-7422-49dc-b9a0-02f09fb121ef
Summary
    SELinux is preventing /usr/sbin/brctl (udev_t) "sys_module" to <Unknown>
    (udev_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/brctl. It is not expected that
    this access is required by /usr/sbin/brctl and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects                None [ capability ]
Affected RPM Packages         bridge-utils-1.1-2 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.20-2925.11.fc7xen
                              #1 SMP Mon Jun 11 16:18:59 EDT 2007 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Jul 10 15:51:17 2007
Last Seen                     Tue Jul 10 15:58:38 2007
Local ID                      5f913024-7422-49dc-b9a0-02f09fb121ef
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_module } for comm="brctl" egid=0 euid=0 exe="/usr/sbin/brctl"
exit=-19 fsgid=0 fsuid=0 gid=0 items=0 pid=5922
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=capability
tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 12 Richard W.M. Jones 2007-07-10 12:03:42 EDT
This is the command which fails:

  brctl addif eth0 vif7.0

(Note that in the wacky world of Xen, eth0 is a bridge).

Strangely enough, both ioctls succeed:

  ioctl(4, SIOCGIFINDEX, {ifr_name="vif7.0", ifr_index=12}) = 0
  ioctl(3, 0x89a2, 0x7fff8f703230) = 0

and the process exits normally (status 0), but an AVC is logged.
So I guess -EPERM is being lost somewhere along the line.
Comment 13 Daniel Walsh 2007-07-11 13:21:48 EDT

*** This bug has been marked as a duplicate of 245274 ***

Note You need to log in before you can comment on or make changes to this bug.