Bug 244199 - xen guest doesn't start because of SELinux denials
Summary: xen guest doesn't start because of SELinux denials
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: xen   
(Show other bugs)
Version: 7
Hardware: x86_64 Linux
low
low
Target Milestone: ---
Assignee: Xen Maintainance List
QA Contact:
URL:
Whiteboard:
Keywords: SELinux
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-14 14:13 UTC by Matěj Cepl
Modified: 2018-04-11 17:28 UTC (History)
3 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-18 12:08:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (2.61 MB, text/plain)
2007-06-14 14:13 UTC, Matěj Cepl
no flags Details

Description Matěj Cepl 2007-06-14 14:13:47 UTC
Description of problem:
when starting SELinux guest (RHEL4, previously installed when host was FC6), it
ends with no error warning whatsoever. When switched SELinux to permissive mode
xm was working again. /var/audit/audit.log is attached

Version-Release number of selected component (if applicable):
xen-3.1.0-0.rc7.1.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
100%

Steps to Reproduce:
1. run xm create rhel4
2. vncviewer localhost
3.
  
Actual results:
no response, vncviewer fails

Expected results:
xm guest running and vncviewer displaying booting Xen guest

Additional info:

Comment 1 Matěj Cepl 2007-06-14 14:13:48 UTC
Created attachment 157001 [details]
audit.log

Comment 2 Daniel Walsh 2007-06-14 14:18:47 UTC
This looks like you might have a labeling problem in /var/run

restorecon -R -v /var/run



Comment 3 Matěj Cepl 2007-06-14 15:00:58 UTC
For the record I did .autorelabel thing after upgrading to FC7, but when I run
restorecon I got this:

sh-3.2# restorecon -R -v /var/run
restorecon reset /var/run/rpcbind.lock context
system_u:object_r:initrc_var_run_t:s0->system_u:object_r:var_run_t:s0
sh-3.2# restorecon -R -v /var/run
sh-3.2# 

However, immediately I get another AVC denial

(at least this one, I am not sure, where did restorecon happen in terms of
/var/log/audit/audit.log file):

avc: denied { write } for comm="ifup-eth" dev=dm-1 egid=0 euid=0 exe="/bin/bash"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="dhclient-eth0.conf" pid=3381
scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0
suid=0 tclass=file tcontext=user_u:object_r:etc_t:s0 tty=(none) uid=0 

OK, both of these as well:

avc: denied { create } for comm="mkdir" egid=0 euid=0 exe="/bin/mkdir" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9308
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 

and 

avc: denied { rmdir } for comm="rm" dev=dm-1 egid=0 euid=0 exe="/bin/rm" exit=0
fsgid=0 fsuid=0 gid=0 items=0 name="block" pid=9400
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:var_run_t:s0 tty=(none) uid=0 

Comment 4 Daniel Walsh 2007-06-14 15:48:37 UTC
Fixed in selinux-policy-2.6.4-16

Comment 5 Matěj Cepl 2007-09-18 05:39:59 UTC
Yes, it is.


Note You need to log in before you can comment on or make changes to this bug.