244199 – xen guest doesn't start because of SELinux denials

Bug 244199 - xen guest doesn't start because of SELinux denials

Summary: xen guest doesn't start because of SELinux denials

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xen
Sub Component:
Version:	7
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Xen Maintainance List
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-06-14 14:13 UTC by Matěj Cepl
Modified:	2018-04-11 17:28 UTC (History)
CC List:	3 users (show)
Fixed In Version:	Current
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-09-18 12:08:54 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
audit.log (2.61 MB, text/plain) 2007-06-14 14:13 UTC, Matěj Cepl	no flags	Details
View All

Description Matěj Cepl 2007-06-14 14:13:47 UTC

Description of problem:
when starting SELinux guest (RHEL4, previously installed when host was FC6), it
ends with no error warning whatsoever. When switched SELinux to permissive mode
xm was working again. /var/audit/audit.log is attached

Version-Release number of selected component (if applicable):
xen-3.1.0-0.rc7.1.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
100%

Steps to Reproduce:
1. run xm create rhel4
2. vncviewer localhost
3.
  
Actual results:
no response, vncviewer fails

Expected results:
xm guest running and vncviewer displaying booting Xen guest

Additional info:

Comment 1 Matěj Cepl 2007-06-14 14:13:48 UTC

Created attachment 157001 [details]
audit.log

Comment 2 Daniel Walsh 2007-06-14 14:18:47 UTC

This looks like you might have a labeling problem in /var/run

restorecon -R -v /var/run

Comment 3 Matěj Cepl 2007-06-14 15:00:58 UTC

For the record I did .autorelabel thing after upgrading to FC7, but when I run
restorecon I got this:

sh-3.2# restorecon -R -v /var/run
restorecon reset /var/run/rpcbind.lock context
system_u:object_r:initrc_var_run_t:s0->system_u:object_r:var_run_t:s0
sh-3.2# restorecon -R -v /var/run
sh-3.2# 

However, immediately I get another AVC denial

(at least this one, I am not sure, where did restorecon happen in terms of
/var/log/audit/audit.log file):

avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381
scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0
suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

OK, both of these as well:

avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 

and 

avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0

Comment 4 Daniel Walsh 2007-06-14 15:48:37 UTC

Fixed in selinux-policy-2.6.4-16

Comment 5 Matěj Cepl 2007-09-18 05:39:59 UTC

Yes, it is.

Note You need to log in before you can comment on or make changes to this bug.