Bug 245274 - selinux prevents xen hotplug in Fedora 7.
Summary: selinux prevents xen hotplug in Fedora 7.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 243219
Depends On:
Blocks:
 
Reported: 2007-06-22 02:04 UTC by Adam Greenberg
Modified: 2007-11-30 22:12 UTC (History)
CC: 3 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-12 17:07:55 UTC
Type: ---
Embargoed:


Attachments
setroubleshooter output. (2.33 KB, text/plain)
2007-06-22 02:04 UTC, Adam Greenberg
First new bug. (2.41 KB, text/plain)
2007-07-02 23:33 UTC, Adam Greenberg
Second new bug. (2.35 KB, text/plain)
2007-07-02 23:34 UTC, Adam Greenberg
Third new bug. (2.35 KB, text/plain)
2007-07-02 23:34 UTC, Adam Greenberg
Third new bug (corrected). (2.09 KB, text/plain)
2007-07-02 23:43 UTC, Adam Greenberg
Virtual machine manager wizard errors from 2.6.4-29.fc7 (6.13 KB, application/x-gzip)
2007-08-01 00:27 UTC, Adam Greenberg
Error after chcon and restorecon (2.15 KB, text/plain)
2007-08-01 01:25 UTC, Adam Greenberg

Description Adam Greenberg 2007-06-22 02:04:28 UTC
Description of problem:
SELinux is preventing vif-bridge (udev_t) "create" to xen-hotplug.log
(xend_var_log_t).


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-14.fc

How reproducible:
Try to create a fully virtualized machine that shares a fixed network interface.

Steps to Reproduce:
1.  Run the create new machine wizard.
2.  Select fully virtualized, simple file, and shared network interface.
3.  Attempt to create the virtual machine.
  
Actual results:
Unable to complete install: 'virDomainCreateLinux() failed POST operation
failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not
working.')'

Expected results:
New virtual machine.

Additional info:

Comment 1 Adam Greenberg 2007-06-22 02:04:29 UTC
Created attachment 157591
setroubleshooter output.

Comment 2 Daniel Walsh 2007-06-22 13:15:04 UTC
Fixed in selinux-policy-2.6.4-21.fc7

Comment 3 Adam Greenberg 2007-06-26 12:03:15 UTC
Thanks for the quick fix.  When will this package become available?

Comment 4 Daniel Walsh 2007-06-27 12:01:54 UTC
Should be available in fedora-testing right now. In stable in a couple of days.

Comment 5 Adam Greenberg 2007-07-02 23:33:43 UTC
Created attachment 158389
First new bug.

Comment 6 Adam Greenberg 2007-07-02 23:34:16 UTC
Created attachment 158390
Second new bug.

Comment 7 Adam Greenberg 2007-07-02 23:34:32 UTC
Created attachment 158391
Third new bug.

Comment 8 Adam Greenberg 2007-07-02 23:35:45 UTC
I installed the new package and tried the same action.  It incurred three new
errors.  Please see the attachments.

Comment 9 Adam Greenberg 2007-07-02 23:43:17 UTC
Created attachment 158392
Third new bug (corrected).

Comment 10 Adam Greenberg 2007-07-02 23:45:13 UTC
I inadvertently saved the same bug attachment twice. Attachment 5 contains the
third new bug. My apologies.

Comment 11 Daniel Walsh 2007-07-11 17:11:47 UTC
This attachment has nothing to do with this bug.

Comment 12 Daniel Walsh 2007-07-11 17:21:56 UTC
*** Bug 243219 has been marked as a duplicate of this bug. ***

Comment 13 Anssi Johansson 2007-07-19 02:12:55 UTC
Hm, still problems accessing xen-hotplug.log (and other errors)..

bridge-utils-1.1-2
kernel-xen-2.6.20-2925.13.fc7
selinux-policy-targeted-2.6.4-28.fc7
selinux-policy-2.6.4-28.fc7

--- 

Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc:  denied  { append } for  pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc:  denied  { search } for  pid=3031 comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc:  denied  { search } for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.114:8): avc:  denied  { search } for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

[root@xen tmp]# grep avc messages | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:dir search;
allow brctl_t xend_var_log_t:file append;

Comment 14 Daniel Walsh 2007-07-19 13:04:21 UTC
Fixed in selinux-policy-2.6.4-29.fc7

Comment 15 Adam Greenberg 2007-07-20 22:27:54 UTC
When will this become available via the normal update mechanism?

Comment 16 Daniel Walsh 2007-07-23 13:37:43 UTC
It will be in testing today.

Comment 17 Anssi Johansson 2007-07-28 02:26:44 UTC
The newly released selinux-policy-targeted-2.6.4-29.fc7 gives me this:

[root@xen ~]# dmesg | grep avc
audit(1185588788.277:4): avc:  denied  { getattr } for  pid=2302 comm="brctl" name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

[root@xen ~]# dmesg | grep avc | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:file getattr;

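The audit2allow runs in comments 13 and 17 both do the same thing: every AVC record names a source type (from scontext), a target type (from tcontext), an object class and a permission set, and audit2allow merges the records that share a (source, target, class) triple into one allow rule. The script below is an added example, not code from the bug report, its participants or the selinux-policy package; it reimplements that merge step so the mapping from denial to rule is visible, renders the result in the .te layout that `audit2allow -M` produces, and flags permissions that deserve a manual look before a locally built module is loaded. The sample log is the four denial records quoted in comments 13 and 17, rejoined onto one line each, plus one constructed `granted` record (the last line, not from the bug) to show that non-denials are skipped. The module name `xenhotplug_local` and the `RISKY_PERMS` list are the example's own choices.

```python
"""Mini audit2allow: merge AVC denials into allow rules and render a .te file.

Added example; not the bug report's, the reporters' or selinux-policy's code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the records quoted in comments 13 and 17 of the bug, one per
# line. The final "granted" record is constructed for this example only.
SAMPLE_LOG = """\
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc:  denied  { append } for  pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc:  denied  { search } for  pid=3031 comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc:  denied  { search } for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1185588788.277:4): avc:  denied  { getattr } for  pid=2302 comm="brctl" name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Jul 19 03:29:32 xen kernel: audit(1184804972.000:9): avc:  granted  { search } for  pid=3031 comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that should be reviewed by hand rather than loaded blindly
# (example's own list; extend to taste).
RISKY_PERMS = {"write", "execute", "execute_no_trans", "execmem", "execmod",
               "entrypoint", "relabelfrom", "relabelto", "setattr", "unlink"}


@dataclass(frozen=True)
class Denial:
    source: str        # subject type, e.g. brctl_t
    target: str        # object type, e.g. sysfs_t
    tclass: str        # object class, e.g. dir or file
    perms: frozenset   # permissions that were denied
    comm: str          # process name from the record
    name: str          # object name from the record


def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, None for anything else."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return Denial(
            source=fields["scontext"].split(":")[2],   # user:role:type[:range]
            target=fields["tcontext"].split(":")[2],
            tclass=fields["tclass"],
            perms=frozenset(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            name=fields.get("name", "?"),
        )
    except (KeyError, IndexError):
        return None   # truncated or non-standard record


def collect_rules(lines):
    """Merge denials into {(source, target, class): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d.source, d.target, d.tclass)].update(d.perms)
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module="xenhotplug_local", version="1.0"):
    """Render loadable-module source in the layout `audit2allow -M` produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_source = defaultdict(list)
    for key in sorted(rules):
        by_source[key[0]].append(key)
    for source, keys in by_source.items():
        out.append(f"#============= {source} ==============")
        for src, tgt, cls in keys:
            out.append(f"allow {src} {tgt}:{cls} {fmt_perms(rules[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"


def risky_rules(rules):
    """Subset of rules that grant a permission from RISKY_PERMS."""
    return {key: sorted(perms & RISKY_PERMS)
            for key, perms in rules.items() if perms & RISKY_PERMS}


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_LOG.splitlines())
    print(render_te(rules), end="")
    for key, perms in risky_rules(rules).items():
        print("review before loading:", key, perms)
```

On the sample input this yields the three brctl_t rules the two comments show (`sysfs_t:dir search`, `sysfs_t:file getattr`, `xend_var_log_t:file append`), with the two vif1.0 search denials collapsed into one rule. The generated .te is compiled and loaded the usual way (`checkmodule -M -m -o xenhotplug_local.mod xenhotplug_local.te`, `semodule_package -o xenhotplug_local.pp -m xenhotplug_local.mod`, `semodule -i xenhotplug_local.pp`). Two caveats the thread itself illustrates: a rule set built from one failing run only covers the denials that run reached, which is why -21, -29 and -30 each uncovered a further denial (running the action once under `setenforce 0` logs everything in one pass), and a local module is a stopgap: the proper fix was in the distribution policy, so remove the module with `semodule -r xenhotplug_local` once the fixed selinux-policy is installed.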
Comment 18 Daniel Walsh 2007-07-30 13:36:50 UTC
Fixed in selinux-policy-2.6.4-30.fc7

Comment 19 Adam Greenberg 2007-08-01 00:27:23 UTC
Created attachment 160383
Virtual machine manager wizard errors from 2.6.4-29.fc7

These new errors occurred when I tried the virtual machine creation wizard with
the 29 version of the policy.

Comment 20 Adam Greenberg 2007-08-01 01:25:20 UTC
Created attachment 160385
Error after chcon and restorecon

After following the suggested chcon and restorecon instructions from the
previous errors, I get the error indicated in this attachment. I see no way
beyond this.

Comment 21 Anssi Johansson 2007-08-01 09:49:02 UTC
Good news and bad news .. No more SELinux errors with -30, but creating the
guest still doesn't work, it stops at "Write protecting the kernel read-only
data" :-/ But it's apparently not a SELinux issue, so I'll focus on other
possibilities to fix the problem. Thanks for fixing these, though.

Comment 22 Daniel Walsh 2007-09-12 17:07:55 UTC
Moving modified bugs to closed
