Bug 244434 - targeted missing policy for access of /var elements by udev for Xen
Summary: targeted missing policy for access of /var elements by udev for Xen
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-06-15 16:55 UTC by Michael Carney
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-08-22 14:11:14 UTC
Type: ---
Embargoed:



Description Michael Carney 2007-06-15 16:55:29 UTC
Description of problem:
Using virt-install to create Xen guests on vanilla F7 + latest updates fails.

Various scripts (vif-bridge, block, xen-hotplug-cleanup) under udev attempt to
do the following:
1) Create a log file: /var/log/xen/xen-hotplug.log
   Missing: allow udev_t xend_var_log_t:file create

Create /var/log/xen/xen-hotplug.log by hand, retry...

2) mkdir: cannot create directory `/var/run/xen-hotplug': Permission denied
   Missing: allow udev_t udev_var_run_t:dir create
   (Noticed that /usr/bin/brctl was failing.
   Missing: allow udev_t self:capability sys_module;)

Mkdir /var/run/xen-hotplug by hand, retry...

3) Install dies with the 'block' script under udev trying to mkdir
/var/run/xen-hotplug/block

So it appears the following access needs to be granted:
audit2allow < /var/log/audit/audit.log

#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t udev_var_run_t:dir create;
allow udev_t xend_var_log_t:file create;

Version-Release number of selected component (if applicable): 2.6.4-14

How reproducible: Always. See above for how.

Comment 1 Daniel Walsh 2007-06-18 14:42:42 UTC
I have added the ability to create xen_var_log_t.  Allowing udev to load system
modules is a bad idea.  (If I can install a system module, I can probably take
over the machine.)

The other fixes will be in selinux-policy-2.6.4-17
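Added example (not part of the bug report or the Fedora policy package): a small triage script that takes audit2allow suggestions like the ones in the description, separates the two benign file/dir rules from the sys_module capability that the maintainer declines to grant, and renders only the benign rules as a local policy module source. The input text, the module name local_udev_xen and the DANGEROUS_CAPABILITIES set are constructed for this example.

```python
import re

# Constructed sample input: the three rules audit2allow proposed in the report above.
AUDIT2ALLOW_OUTPUT = """\
#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t udev_var_run_t:dir create;
allow udev_t xend_var_log_t:file create;
"""

# Capabilities that let a confined domain escape confinement (sys_module loads
# kernel code, as the maintainer's comment points out); never grant them to a
# domain like udev_t just because a hotplug script tripped over a denial.
DANGEROUS_CAPABILITIES = {"sys_module", "sys_admin", "sys_rawio", "sys_ptrace"}

# Matches "allow src tgt:cls perm;" and "allow src tgt:cls { p1 p2 };"
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w\s]+?)\s*\}?;$")

def parse_rules(text):
    """Return (src, tgt, cls, perms) tuples for each allow rule in audit2allow output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, frozenset(perms.split())))
    return rules

def triage(text):
    """Split suggestions into rules safe for a local module and rules needing review."""
    safe, review = [], []
    for rule in parse_rules(text):
        _, _, cls, perms = rule
        (review if cls == "capability" and perms & DANGEROUS_CAPABILITIES else safe).append(rule)
    return safe, review

def render_module(name, rules):
    """Render a .te source containing only the given rules, with the require block they need."""
    types = sorted({t for src, tgt, _, _ in rules for t in (src, tgt) if t != "self"})
    perms_by_class = {}
    for _, _, cls, perms in rules:
        perms_by_class.setdefault(cls, set()).update(perms)
    lines = [f"module {name} 1.0;", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(perms_by_class.items())]
    lines.append("}")
    for src, tgt, cls, perms in rules:
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    safe, review = triage(AUDIT2ALLOW_OUTPUT)
    print(render_module("local_udev_xen", safe))
    for src, tgt, cls, perms in review:
        print(f"# NEEDS REVIEW: allow {src} {tgt}:{cls} {' '.join(sorted(perms))};")
```

The rendered .te text is what you would save and build with checkmodule -M -m -o local_udev_xen.mod local_udev_xen.te, semodule_package -o local_udev_xen.pp -m local_udev_xen.mod and semodule -i local_udev_xen.pp; the sys_module rule is printed separately so it is never installed by accident.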

Comment 2 Daniel Walsh 2007-08-22 14:11:14 UTC
Closing as fixes are in the current release

