Red Hat Bugzilla – Bug 244434
targeted missing policy for access of /var elements by udev for Xen
Last modified: 2007-11-30 17:12:07 EST
Description of problem:
Using virt-install to create Xen guests on vanilla F7 + latest updates fails.
Various scripts (vif-bridge, block, xen-hotplug-cleanup) under udev attempt to
do the following:
1) Create a log file: /var/log/xen/xen-hotplug.log
Missing: allow udev_t xend_var_log_t:file create
Create /var/log/xen/xen-hotplug.log by hand, retry...
2) mkdir: cannot create directory `/var/run/xen-hotplug': Permission denied
Missing: allow udev_t udev_var_run_t:dir create
(Noticed that /usr/bin/brctl was failing.
Missing: allow udev_t self:capability sys_module;)
Mkdir /var/run/xen-hotplug by hand, retry...
3) Install dies with the 'block' script under udev trying to mkdir
So it appears the following access needs to be granted:
audit2allow < /var/log/audit/audit.log
#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t udev_var_run_t:dir create;
allow udev_t xend_var_log_t:file create;
Version-Release number of selected component (if applicable): 2.6.4-14
How reproducible: Always. See above for how.
I have added the ability to create xen_var_log_t. Allowing udev to load system
modules is a bad idea. (If I can install a system module, I can probably take
over the machine.)
The other fixes will be in selinux-policy-2.6.4-17
Closing as fixes are in the current release
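The thread above shows the workflow behind the fix: AVC denials from udev_t are collected, turned into candidate allow rules with audit2allow, and then reviewed, with the capability rule rejected because a confined domain that can load kernel modules is no longer confined. The following script is an added example (not from the bug or from the selinux-policy package) that walks through the same steps on constructed audit lines modelled on the three denials the reporter lists: it parses the AVC records, merges them into allow rules in the same shape audit2allow prints, and separates out any "self:capability" grant for a capability that would let the domain escape confinement. The sample log, the `ESCALATING_CAPS` set and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the three denials described in the bug.
# They are NOT copied from the reporter's /var/log/audit/audit.log; pids, timestamps
# and serial numbers are made up. The trailing SYSCALL record shows that non-AVC
# lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181000000.100:101): avc:  denied  { create } for  pid=2001 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
type=AVC msg=audit(1181000000.200:102): avc:  denied  { create } for  pid=2002 comm="block" name="xen-hotplug" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181000000.300:103): avc:  denied  { sys_module } for  pid=2003 comm="brctl" capability=12 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=capability
type=SYSCALL msg=audit(1181000000.300:103): arch=40000003 syscall=5 success=no exit=-13
"""

# One AVC record: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Capabilities that let a confined domain act outside its policy (load kernel code,
# raw device I/O, ptrace other processes, broad admin). A generated
# "allow <domain> self:capability <cap>" for any of these is a policy-review finding,
# not a rule to ship. This set is an assumption of the example.
ESCALATING_CAPS = {"sys_module", "sys_admin", "sys_rawio", "sys_ptrace"}


def _type_of(context):
    # SELinux context is user:role:type:level; the policy rule needs only the type.
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial record; other audit record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into sorted allow rules in the form audit2allow prints."""
    merged = defaultdict(set)
    for d in denials:
        # A denial against the domain's own context is written as "self".
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    return sorted(
        f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in merged.items()
    )


def risky_rules(rules):
    """Rules granting an escalating capability to the domain itself; these need a
    different fix (as the maintainer chose for sys_module), not a blanket allow."""
    flagged = []
    for rule in rules:
        m = re.match(r"allow \S+ self:capability (.+);$", rule)
        if m and set(m.group(1).split()) & ESCALATING_CAPS:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    bad = set(risky_rules(rules))
    for rule in rules:
        print(("REJECT  " if rule in bad else "ok      ") + rule)
```

Run on the sample log it prints the three rules from the report, with the sys_module capability rule marked for rejection and the two create rules left as acceptable candidates. The same split applies to a real audit.log: pipe `ausearch -m avc` output into `parse_avc_denials` and treat anything `risky_rules` returns as a request to change the policy design (a transition to a domain that is allowed the action, or a file type the domain may write) rather than as a rule to add.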