Bug 245274 - selinux prevents xen hotplug in Fedora 7.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware/OS: All Linux
Priority: low  Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Duplicates: 243219
Reported: 2007-06-21 22:04 EDT by Adam Greenberg
Modified: 2007-11-30 17:12 EST

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:07:55 EDT

Attachments
setroubleshooter output. (2.33 KB, text/plain), 2007-06-21 22:04 EDT, Adam Greenberg
First new bug. (2.41 KB, text/plain), 2007-07-02 19:33 EDT, Adam Greenberg
Second new bug. (2.35 KB, text/plain), 2007-07-02 19:34 EDT, Adam Greenberg
Third new bug. (2.35 KB, text/plain), 2007-07-02 19:34 EDT, Adam Greenberg
Third new bug (corrected). (2.09 KB, text/plain), 2007-07-02 19:43 EDT, Adam Greenberg
Virtual machine manager wizard errors from 2.6.4-29.fc7 (6.13 KB, application/x-gzip), 2007-07-31 20:27 EDT, Adam Greenberg
Error after chcon and restorecon (2.15 KB, text/plain), 2007-07-31 21:25 EDT, Adam Greenberg

Description Adam Greenberg 2007-06-21 22:04:28 EDT
Description of problem:
SELinux is preventing vif-bridge (udev_t) "create" to xen-hotplug.log
(xend_var_log_t).


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-14.fc

How reproducible:
Try to create a fully virtualized machine that shares a fixed network interface.

Steps to Reproduce:
1.  Run the create new machine wizard.
2.  Select fully virtualized, simple file, and shared network interface.
3.  Attempt to create the virtual machine.
  
Actual results:
Unable to complete install: 'virDomainCreateLinux() failed POST operation
failed: (xend.err 'Device 0 (vif) could not be connected. Hotplug scripts not
working.')'

Expected results:
New virtual machine.

Additional info:
Comment 1 Adam Greenberg 2007-06-21 22:04:29 EDT
Created attachment 157591 [details]
setroubleshooter output.
Comment 2 Daniel Walsh 2007-06-22 09:15:04 EDT
Fixed in selinux-policy-2.6.4-21.fc7
Comment 3 Adam Greenberg 2007-06-26 08:03:15 EDT
Thanks for the quick fix.  When will this package become available?
Comment 4 Daniel Walsh 2007-06-27 08:01:54 EDT
Should be available in fedora-testing right now. In stable in a couple of days.
Comment 5 Adam Greenberg 2007-07-02 19:33:43 EDT
Created attachment 158389 [details]
First new bug.
Comment 6 Adam Greenberg 2007-07-02 19:34:16 EDT
Created attachment 158390 [details]
Second new bug.
Comment 7 Adam Greenberg 2007-07-02 19:34:32 EDT
Created attachment 158391 [details]
Third new bug.
Comment 8 Adam Greenberg 2007-07-02 19:35:45 EDT
I installed the new package and tried the same action.  It incurred three new
errors.  Please see the attachments.
Comment 9 Adam Greenberg 2007-07-02 19:43:17 EDT
Created attachment 158392 [details]
Third new bug (corrected).
Comment 10 Adam Greenberg 2007-07-02 19:45:13 EDT
I inadvertently saved the same bug attachment twice.  Attachment 5 [details] contains the
third new bug.  My apologies.
Comment 11 Daniel Walsh 2007-07-11 13:11:47 EDT
This attachment has nothing to do with this bug.
Comment 12 Daniel Walsh 2007-07-11 13:21:56 EDT
*** Bug 243219 has been marked as a duplicate of this bug. ***
Comment 13 Anssi Johansson 2007-07-18 22:12:55 EDT
Hm, still problems accessing xen-hotplug.log (and other errors)..

bridge-utils-1.1-2
kernel-xen-2.6.20-2925.13.fc7
selinux-policy-targeted-2.6.4-28.fc7
selinux-policy-2.6.4-28.fc7

--- 

Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc:  denied  { append }
for  pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc:  denied  { search }
for  pid=3031 comm="brctl" name="/" dev=sysfs ino=1
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc:  denied  { search }
for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.114:8): avc:  denied  { search }
for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

[root@xen tmp]# grep avc messages | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:dir search;
allow brctl_t xend_var_log_t:file append;
Comment 14 Daniel Walsh 2007-07-19 09:04:21 EDT
Fixed in selinux-policy-2.6.4-29.fc7
Comment 15 Adam Greenberg 2007-07-20 18:27:54 EDT
When will this become available via the normal update mechanism?
Comment 16 Daniel Walsh 2007-07-23 09:37:43 EDT
It will be in testing today.
Comment 17 Anssi Johansson 2007-07-27 22:26:44 EDT
The newly released selinux-policy-targeted-2.6.4-29.fc7 gives me this:

[root@xen ~]# dmesg | grep avc
audit(1185588788.277:4): avc:  denied  { getattr } for  pid=2302 comm="brctl"
name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

[root@xen ~]# dmesg | grep avc | audit2allow

#============= brctl_t ==============
allow brctl_t sysfs_t:file getattr;
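Comments 13 and 17 both paste raw AVC denials and then the `audit2allow` summary of them. The following is an added example, not code from the bug or from the selinux-policy project: a small parser that takes denial records of the kind quoted above, re-joins records that a bug tracker or mail client wrapped onto several lines (as happened in comment 13), drops `granted` records, and collapses the rest into allow rules grouped by source type in the same layout `audit2allow` prints. The sample log is constructed from the records in this bug plus one invented `granted` line; `forward_delay`, `vif1.0` and the inode numbers are simply the values quoted in the comments.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the denials quoted in comments 13 and 17.
# Records are wrapped across lines the way they appear in the bug report, and one
# invented "granted" record is included to show that it is filtered out.
SAMPLE_LOG = """\
Jul 19 03:29:31 xen kernel: audit(1184804971.110:5): avc:  denied  { append }
for  pid=3031 comm="brctl" name="xen-hotplug.log" dev=sda3 ino=61505923
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=file
Jul 19 03:29:31 xen kernel: audit(1184804971.110:6): avc:  denied  { search }
for  pid=3031 comm="brctl" name="/" dev=sysfs ino=1
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Jul 19 03:29:31 xen kernel: audit(1184804971.110:7): avc:  denied  { search }
for  pid=3031 comm="brctl" name="vif1.0" dev=sysfs ino=11195
scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
audit(1185588788.277:4): avc:  denied  { getattr } for  pid=2302 comm="brctl"
name="forward_delay" dev=sysfs ino=8172 scontext=system_u:system_r:brctl_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Jul 19 03:29:32 xen kernel: audit(1184804972.500:8): avc:  granted  { read } for  pid=3031 comm="brctl" name="bridge" dev=sysfs ino=11190 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def join_wrapped_records(text):
    """Re-join AVC records that were wrapped onto several lines.
    A new record starts at any line containing 'avc:'; other lines are continuations."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "avc:" in line or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Parse one AVC record into a dict, or return None if it is not an AVC message."""
    m = AVC_RE.search(record)
    if not m:
        return None
    # findall yields (key, quoted, bare); exactly one of quoted/bare is non-empty
    fields = {k: (q or bare) for k, q, bare in FIELD_RE.findall(m.group("fields"))}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE[:range]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": stype, "ttype": ttype, "tclass": fields.get("tclass"),
        "comm": fields.get("comm"), "name": fields.get("name"),
    }


def denials(text):
    """All parsed records with verdict 'denied', in log order."""
    return [d for d in map(parse_avc, join_wrapped_records(text))
            if d and d["verdict"] == "denied"]


def summarize_rules(text):
    """Collapse denials into allow rules keyed by (source type, target type, class),
    merging permissions the way audit2allow does."""
    rules = defaultdict(set)
    for d in denials(text):
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def format_audit2allow(rules):
    """Render the summary in the layout of the audit2allow output quoted in the bug."""
    by_source = defaultdict(list)
    for key in sorted(rules):
        by_source[key[0]].append(key)
    out = []
    for stype, keys in by_source.items():
        out.append(f"#============= {stype} ==============")
        for _, ttype, tclass in keys:
            perms = sorted(rules[(stype, ttype, tclass)])
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_audit2allow(summarize_rules(SAMPLE_LOG)))
```

Run on the sample it prints the same three `brctl_t` rules that comments 13 and 17 show between them (`sysfs_t:dir search`, `sysfs_t:file getattr`, `xend_var_log_t:file append`). As in this bug, where the rules were folded into the `selinux-policy` package rather than loaded as a local module, the summary is the input to a policy review: it tells you which domain is being denied which access to which type, which is what Dan Walsh needed to decide that `brctl_t` legitimately needs those accesses.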
Comment 18 Daniel Walsh 2007-07-30 09:36:50 EDT
Fixed in selinux-policy-2.6.4-30.fc7
Comment 19 Adam Greenberg 2007-07-31 20:27:23 EDT
Created attachment 160383 [details]
Virtual machine manager wizard errors from 2.6.4-29.fc7

These new errors occurred when I tried the virtual machine creation wizard with
the 29 version of the policy.
Comment 20 Adam Greenberg 2007-07-31 21:25:20 EDT
Created attachment 160385 [details]
Error after chcon and restorecon

After following the suggested chcon and restorecon instructions from the
previous errors, I get the error indicated in this attachment.  I see no way
beyond this.
Comment 21 Anssi Johansson 2007-08-01 05:49:02 EDT
Good news and bad news .. No more SELinux errors with -30, but creating the
guest still doesn't work, it stops at "Write protecting the kernel read-only
data" :-/ But it's apparently not a SELinux issue, so I'll focus on other
possibilities to fix the problem. Thanks for fixing these, though.
Comment 22 Daniel Walsh 2007-09-12 13:07:55 EDT
Moving modified bugs to closed