Bug 388401 - selinux prevents xen to start images
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Xen Maintainance List
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-17 10:52 EST by Stefan Vogel
Modified: 2008-01-30 14:20 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:20:52 EST
Attachments: None

Description Stefan Vogel 2007-11-17 10:52:49 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.9) Gecko/20071105 Fedora/2.0.0.9-1.fc8 Firefox/2.0.0.9

Description of problem:
When I try to start a paravirtualized xen image via the "Virtual Machine Monitor" this fails with an SELinux error.

SELinux and Xen come OOTB.

It is possible to finish my Installation either for Images that are "Normal Disk Partitions" or "Simple Files" (located under /var/lib/xen/images/).


But when I try to restart the fresh image after installation I get the same selinux error.

SELinux is preventing python (xend_t) "create" to (xend_var_run_t).
avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=26098 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0

THX
  Stefan


Version-Release number of selected component (if applicable):
xen-3.1.0-13.fc8 kernel-xen-2.6.21-2950.fc8

How reproducible:
Always


Steps to Reproduce:
1. Install Xen, setroubleshoot
2. Create a paravirtualized xen image with a shared physical network device
3. Start the image



Actual Results:
Getting an SELinux error

SELinux is preventing python (xend_t) "create" to (xend_var_run_t).

avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=26098 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0


Expected Results:
No SELinux error while the image is starting

Additional info:
Comment 1 Stefan Vogel 2007-11-17 11:02:25 EST
The complete SELinux Error Report:

Source Context:  system_u:system_r:xend_t:s0
Target Context:  system_u:object_r:xend_var_run_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-53.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  xxxx.xxxxxx.xxx
Platform:  Linux XXXXXXXX 2.6.21-2950.fc8xen #1 SMP Tue Oct 23 12:24:34 EDT 2007 i686 athlon
Alert Count:  4
First Seen:  Sat 17 Nov 2007 04:43:20 PM CET
Last Seen:  Sat 17 Nov 2007 04:54:51 PM CET
Local ID:  9ce0ec6b-1608-4c8a-975a-d4fde6729269
Line Numbers:  
Raw Audit Messages :

avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=30199 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0
Comment 2 Stefan Vogel 2007-11-26 02:07:23 EST
MMM 

Maybe this is more SELinux related, so moved it to selinux.

Stefan
Comment 3 Daniel Walsh 2007-11-26 09:56:53 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-62.fc8
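The workaround in Comment 3 turns the denial quoted in the description and Comment 1 into a local policy module with audit2allow. The script below is an added example, written for this page and not part of the bug report or of the selinux-policy package: it parses raw `avc: denied` records the way audit2allow does, collapses them into `allow` rules, renders a `.te` module source with the `require` block that `audit2allow -M` emits, and flags rules that would widen the domain beyond the one denied operation. `AVC_FROM_REPORT` is the denial quoted in Comment 1; the `add_name` and `execmem` records, the function names, and the `REVIEW_PERMS` shortlist are this example's own constructions.

```python
import re
from collections import defaultdict

# The raw AVC denial quoted in Comment 1 of the bug report.
AVC_FROM_REPORT = (
    "avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=30199 "
    "scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 "
    "suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0"
)

# Constructed follow-on denial (not from the report): after "create" is allowed,
# creating the entry in the parent directory would still need "add_name".
AVC_CONSTRUCTED_ADD_NAME = (
    "avc: denied { add_name } for comm=python pid=30199 name=boot "
    "scontext=system_u:system_r:xend_t:s0 tclass=dir "
    "tcontext=system_u:object_r:xend_var_run_t:s0"
)

# Constructed denial (not from the report) that audit2allow would also turn
# into a rule, but which should not be loaded without review.
AVC_CONSTRUCTED_EXECMEM = (
    "avc: denied { execmem } for comm=python pid=4242 "
    "scontext=system_u:system_r:xend_t:s0 tclass=process "
    "tcontext=system_u:system_r:xend_t:s0"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

# Permissions that widen a domain well beyond one denied file operation.
# This shortlist is the example's own judgement call, not an SELinux rule.
REVIEW_PERMS = {"execmem", "execmod", "execstack", "dac_override", "dac_read_search",
                "sys_admin", "sys_module", "relabelfrom", "relabelto", "setenforce"}


def parse_avc(line):
    """Extract source type, target type, object class and permissions from one AVC record.

    Returns None for lines that are not 'avc: denied' records or lack the needed fields.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type[:range]; a TE rule names only the type.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": frozenset(m.group("perms").split())}


def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def build_te_rules(lines):
    """Collapse many denials into one allow rule per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            perms_by_key[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return ["allow %s %s:%s %s;" % (stype, ttype, tclass, _fmt_perms(perms))
            for (stype, ttype, tclass), perms in sorted(perms_by_key.items())]


def build_te_module(name, lines):
    """Render module source (.te) with the require block that audit2allow -M emits."""
    types, perms_by_class = set(), defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            types.update((d["stype"], d["ttype"]))
            perms_by_class[d["tclass"]].update(d["perms"])
    require = ["\ttype %s;" % t for t in sorted(types)]
    require += ["\tclass %s %s;" % (c, _fmt_perms(p)) for c, p in sorted(perms_by_class.items())]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (
        name, "\n".join(require), "\n".join(build_te_rules(lines)))


def rules_needing_review(lines):
    """Return rules that grant a permission from REVIEW_PERMS, to be read before semodule -i."""
    flagged = []
    for line in lines:
        d = parse_avc(line)
        if d is not None and d["perms"] & REVIEW_PERMS:
            flagged.append("allow %s %s:%s %s;" % (
                d["stype"], d["ttype"], d["tclass"], _fmt_perms(d["perms"])))
    return flagged


if __name__ == "__main__":
    log = [AVC_FROM_REPORT, AVC_CONSTRUCTED_ADD_NAME, AVC_CONSTRUCTED_EXECMEM]
    print(build_te_module("mypol", log))
    for rule in rules_needing_review(log):
        print("REVIEW BEFORE semodule -i:", rule)
```

For the denial in this bug the output rule is `allow xend_t xend_var_run_t:dir create;`, which is what the workaround module would carry until the fix in selinux-policy-3.0.8-62.fc8 lands. The point of `rules_needing_review` is that `audit2allow -i` feeds on the whole audit log, so a local module built from it grants every denied operation recorded there, not only the one being debugged; reading the generated `.te` before `semodule -i` is the check that keeps the workaround narrow.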
Comment 4 Daniel Walsh 2008-01-30 14:20:52 EST
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.
