Description of problem:
When starting a SELinux guest (RHEL4, previously installed when the host was FC6), it ends with no error or warning whatsoever. When I switched SELinux to permissive mode, xm was working again. /var/audit/audit.log is attached.

Version-Release number of selected component (if applicable):
xen-3.1.0-0.rc7.1.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
100%

Steps to Reproduce:
1. run xm create rhel4
2. vncviewer localhost
3.

Actual results:
no response, vncviewer fails

Expected results:
xm guest running and vncviewer displaying the booting Xen guest

Additional info:
Created attachment 157001: audit.log
This looks like you might have a labeling problem in /var/run:

restorecon -R -v /var/run
For the record, I did the .autorelabel thing after upgrading to FC7, but when I ran restorecon I got this:

sh-3.2# restorecon -R -v /var/run
restorecon reset /var/run/rpcbind.lock context system_u:object_r:initrc_var_run_t:s0->system_u:object_r:var_run_t:s0
sh-3.2# restorecon -R -v /var/run
sh-3.2#

However, I immediately get another AVC denial (at least this one; I am not sure where the restorecon run falls in terms of the /var/log/audit/audit.log file):

avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0

OK, both of these as well:

avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0

and

avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0
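The three AVC records quoted in the comment above are the raw material a policy maintainer works from: source type, target type, object class and the denied permissions. The following is an added example (not part of the bug report, and not Fedora's audit2allow) that parses such lines, collapses them into the allow rules audit2allow would propose, and flags which denials were actually enforced. The sample lines are the ones from the comment, embedded here as constructed input; every function name is this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted above, as they
# appear in /var/log/audit/audit.log (whitespace-separated key=value fields).
SAMPLE_AVCS = """\
avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0
avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0
avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0
"""

# "avc: denied { perm perm } for key=value ..." ; search() so a leading
# "type=AVC msg=audit(...):" prefix in a real audit.log line is tolerated.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {'perms': m.group('perms').split()}
    for key in ('scontext', 'tcontext', 'tclass', 'comm', 'name', 'exit'):
        rec[key] = fields.get(key)
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def was_enforced(rec):
    """exit=-13 (EACCES) means the kernel really refused the call; exit=0 means the
    denial was only logged, i.e. the system was in permissive mode at the time."""
    return rec['exit'] is not None and rec['exit'].startswith('-')


def allow_rules(lines):
    """Collapse denials into TE allow rules, one per (source, target, class),
    in the shape audit2allow prints them. Such rules are a diagnostic aid, not
    a fix: a denial caused by a mislabeled file (restorecon) or by a policy
    gap (a new selinux-policy build) should be resolved at its root instead."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        grouped[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    for line in SAMPLE_AVCS.splitlines():
        rec = parse_avc(line)
        state = 'ENFORCED' if was_enforced(rec) else 'permissive'
        print(f"{state:10} {rec['comm']:8} {rec['perms']} on {rec['name']} ({rec['tclass']})")
    print('\n'.join(allow_rules(SAMPLE_AVCS.splitlines())))
```

Two things a reader of the comment above can take from running this: the ifup-eth write to dhclient-eth0.conf carries exit=-13, so it was genuinely blocked, while the two udev denials carry exit=0 and were merely logged; and the udev pair collapses to a single rule on var_run_t:dir, which is the kind of rule that ends up in a policy update rather than in a local module.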
Fixed in selinux-policy-2.6.4-16
Yes, it is.