Bug 244434 - targeted missing policy for access of /var elements by udev for Xen
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-06-15 12:55 EDT by Michael Carney
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:11:14 EDT
Description Michael Carney 2007-06-15 12:55:29 EDT
Description of problem:
Using virt-install to create Xen guests on vanilla F7 + latest updates fails.

Various scripts (vif-bridge, block, xen-hotplug-cleanup) under udev attempt to
do the following:
1) Create a log file: /var/log/xen/xen-hotplug.log
   Missing: allow udev_t xend_var_log_t:file create

Create /var/log/xen/xen-hotplug.log by hand, retry...

2) mkdir: cannot create directory `/var/run/xen-hotplug': Permission denied
  Missing: allow udev_t udev_var_run_t:dir create
(Noticed that /usr/bin/brctl was failing.
  Missing: allow udev_t self:capability sys_module;)

Mkdir /var/run/xen-hotplug by hand, retry...

3) Install dies with the 'block' script under udev trying to mkdir

So it appears the following access needs to be granted:
audit2allow < /var/log/audit/audit.log

#============= udev_t ==============
allow udev_t self:capability sys_module;
allow udev_t udev_var_run_t:dir create;
allow udev_t xend_var_log_t:file create;

Version-Release number of selected component (if applicable): 2.6.4-14

How reproducible: Always. See above for how.
Comment 1 Daniel Walsh 2007-06-18 10:42:42 EDT
I have added the ability to create xen_var_log_t.  Allowing udev to load system
modules is a bad idea.  (If I can install a system module, I can probably take
over the machine.)

The other fixes will be in selinux-policy-2.6.4-17
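The report above fed raw audit denials through audit2allow, and the maintainer then rejected one of the resulting rules (the sys_module capability) on risk grounds. The following script, added here as an illustration and not part of the bug or of audit2allow itself, reproduces that workflow on constructed AVC lines modelled on the three denials in the report: it derives the allow rules and separates out permissions that should go to a policy maintainer rather than into a local module. The sample log lines and the DANGEROUS set are constructed for this example.

```python
import re

# Constructed AVC denial lines modelled on the three denials described in this
# bug; the real /var/log/audit/audit.log entries are not on the page.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181925000.123:45): avc:  denied  { create } for  pid=2345 comm="vif-bridge" name="xen-hotplug.log" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
type=AVC msg=audit(1181925001.456:46): avc:  denied  { create } for  pid=2346 comm="mkdir" name="xen-hotplug" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir
type=AVC msg=audit(1181925002.789:47): avc:  denied  { sys_module } for  pid=2347 comm="brctl" capability=12 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=capability
"""

# Matches the fields audit2allow needs: permission set, source domain (third
# field of scontext), target type (third field of tcontext) and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<sdom>\w+):\S+\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# (class, permission) pairs that let a confined domain escape confinement if
# granted; a denial on these is a policy design question, not a missing rule.
# Constructed list; sys_module is the entry declined in this bug.
DANGEROUS = {
    ("capability", "sys_module"),
    ("capability", "sys_admin"),
    ("capability", "sys_ptrace"),
}


def parse_avc(log_text):
    """Return one (source_domain, target_type, tclass, perm) tuple per denied permission."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (or a malformed one); skip it
        for perm in m["perms"].split():
            found.append((m["sdom"], m["ttype"], m["tclass"], perm))
    return found


def triage(log_text):
    """Split audit2allow-style rules into (safe_to_propose, needs_maintainer_review)."""
    safe, review = set(), set()
    for sdom, ttype, tclass, perm in parse_avc(log_text):
        target = "self" if ttype == sdom else ttype  # audit2allow writes self for same-domain targets
        rule = f"allow {sdom} {target}:{tclass} {perm};"
        (review if (tclass, perm) in DANGEROUS else safe).add(rule)
    return sorted(safe), sorted(review)


if __name__ == "__main__":
    safe_rules, review_rules = triage(SAMPLE_AUDIT_LOG)
    print("# safe to propose:\n" + "\n".join(safe_rules))
    print("# needs maintainer review:\n" + "\n".join(review_rules))
```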
Comment 2 Daniel Walsh 2007-08-22 10:11:14 EDT
Closing as fixes are in the current release
