Bug 244199 - xen guest doesn't start because of SELinux denials
xen guest doesn't start because of SELinux denials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: xen (Show other bugs)
7
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Xen Maintainance List
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-14 10:13 EDT by Matěj Cepl
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-18 08:08:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (2.61 MB, text/plain)
2007-06-14 10:13 EDT, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2007-06-14 10:13:47 EDT
Description of problem:
when starting SELinux guest (RHEL4, previously installed when host was FC6), it
ends with no error warning whatsoever. When switched SELinux to permissive mode
xm was working again. /var/audit/audit.log is attached

Version-Release number of selected component (if applicable):
xen-3.1.0-0.rc7.1.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
100%

Steps to Reproduce:
1. run xm create rhel4
2. vncviewer localhost
3.
  
Actual results:
no response, vncviewer fails

Expected results:
xm guest running and vncviewer displaying booting Xen guest

Additional info:
Comment 1 Matěj Cepl 2007-06-14 10:13:48 EDT
Created attachment 157001 [details]
audit.log
Comment 2 Daniel Walsh 2007-06-14 10:18:47 EDT
This looks like you might have a labeling problem in /var/run

restorecon -R -v /var/run

Comment 3 Matěj Cepl 2007-06-14 11:00:58 EDT
For the record I did .autorelabel thing after upgrading to FC7, but when I run
restorecon I got this:

sh-3.2# restorecon -R -v /var/run
restorecon reset /var/run/rpcbind.lock context
system_u:object_r:initrc_var_run_t:s0->system_u:object_r:var_run_t:s0
sh-3.2# restorecon -R -v /var/run
sh-3.2# 

However, immediately I get another AVC denial

(at least this one, I am not sure, where did restorecon happen in terms of
/var/log/audit/audit.log file):

avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381
scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0
suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

OK, both of these as well:

avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 

and 

avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 
Comment 4 Daniel Walsh 2007-06-14 11:48:37 EDT
Fixed in selinux-policy-2.6.4-16
Comment 5 Matěj Cepl 2007-09-18 01:39:59 EDT
Yes, it is.

Note You need to log in before you can comment on or make changes to this bug.