Description of problem:
SELinux is preventing vif-bridge (udev_t) "create" to xen-hotplug.log (xend_var_log_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-14.fc

How reproducible:
Try to create a fully virtualized machine that shares a fixed network interface.

Steps to Reproduce:
1. Run the create new machine wizard.
2. Select fully virtualized, simple file, and shared network interface.
3. Attempt to create the virtual machine.

Actual results:
Unable to complete install: 'virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not working.')'

Expected results:
New virtual machine.

Additional info:

Created attachment 157591
setroubleshooter output.
Fixed in selinux-policy-2.6.4-21.fc7
Thanks for the quick fix. When will this package become available?
Should be available in fedora-testing right now, in stable in a couple of days.
Created attachment 158389
First new bug.
Created attachment 158390
Second new bug.
Created attachment 158391
Third new bug.
I installed the new package and tried the same action. It incurred three new errors. Please see the attachments.
Created attachment 158392
Third new bug (corrected).
I inadvertently saved the same bug attachment twice. Attachment 5 contains the third new bug. My apologies.
This attachment has nothing to do with this bug.
*** Bug 243219 has been marked as a duplicate of this bug. ***
Hm, still problems accessing xen-hotplug.log (and other errors)..

bridge-utils-1.1-2
kernel-xen-2.6.20-2925.13.fc7
selinux-policy-targeted-2.6.4-28.fc7
selinux-policy-2.6.4-28.fc7

---
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc: denied { append } for pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc: denied { search } for pid=3031 comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc: denied { search } for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.114:8): avc: denied { search } for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

[root@xen tmp]# grep avc messages | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:dir search;
allow brctl_t xend_var_log_t:file append;
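How the denials in the comment above map to the rules audit2allow printed, as an added example (not part of the thread, and not audit2allow's own code): it groups AVC records by source type, target type and class, and also keeps the object names each resulting rule would cover. The function names are hypothetical; the sample log lines are copied from that comment.

```python
import re
from collections import defaultdict

# Log lines copied from the comment above, as posted there.
SAMPLE_LOG = """\
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc: denied { append } for pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc: denied { search } for pid=3031 comm="brctl" name="/" dev=sysfs ino=1 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc: denied { search } for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.114:8): avc: denied { search } for pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# Permissions, optional object name, then the two security contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}(?:.*?\bname="(?P<name>[^"]*)")?'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def group_denials(log_text):
    """Map (source_type, target_type, class) -> {'perms': set, 'names': set}."""
    grouped = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        # A context is user:role:type[:level]; only the type takes part in TE rules.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        grouped[key]["perms"].update(m["perms"].split())
        if m["name"] is not None:
            grouped[key]["names"].add(m["name"])
    return dict(grouped)

def allow_rules(log_text):
    """Render one allow rule per group; repeated denials collapse into one rule."""
    rules = []
    for (src, tgt, cls), info in sorted(group_denials(log_text).items()):
        perms = sorted(info["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for key, info in sorted(group_denials(SAMPLE_LOG).items()):
        print(key, "objects seen:", sorted(info["names"]))
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

The collected names show which objects were actually touched, which is narrower than the type-wide access each rule grants.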
Fixed in selinux-policy-2.6.4-29.fc7
When will this become available via the normal update mechanism?
It will be in testing today.
The newly released selinux-policy-targeted-2.6.4-29.fc7 gives me this:

[root@xen ~]# dmesg | grep avc
audit(1185588788.277:4): avc: denied { getattr } for pid=2302 comm="brctl" name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

[root@xen ~]# dmesg | grep avc | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:file getattr;
Fixed in selinux-policy-2.6.4-30.fc7
Created attachment 160383
Virtual machine manager wizard errors from 2.6.4-29.fc7

These new errors occurred when I tried the virtual machine creation wizard with the 29 version of the policy.
Created attachment 160385
Error after chcon and restorecon

After following the suggested chcon and restorecon instructions from the previous errors, I get the error indicated in this attachment. I see no way beyond this.
Good news and bad news .. No more SELinux errors with -30, but creating the guest still doesn't work, it stops at "Write protecting the kernel read-only data" :-/ But it's apparently not a SELinux issue, so I'll focus on other possibilities to fix the problem. Thanks for fixing these, though.
Moving modified bugs to closed