Bug 388401 - selinux prevents xen to start images
Summary: selinux prevents xen to start images
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Xen Maintenance List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-17 15:52 UTC by Stefan Vogel
Modified: 2008-01-30 19:20 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:20:52 UTC
Type: ---
Embargoed:



Description Stefan Vogel 2007-11-17 15:52:49 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.9) Gecko/20071105 Fedora/2.0.0.9-1.fc8 Firefox/2.0.0.9

Description of problem:
When I try to start a paravirtualized xen image via the "Virtual Machine Monitor" this fails with a selinux error.

SELinux and Xen come OOTB.

It is possible to finish my Installation either for Images that are "Normal Disk Partitions" or "Simple Files" (located under /var/lib/xen/images/).


But when I try to restart the fresh image after installation I get the same selinux error.

SELinux is preventing python (xend_t) "create" to (xend_var_run_t).
avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=26098 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0

THX
  Stefan


Version-Release number of selected component (if applicable):
xen-3.1.0-13.fc8 kernel-xen-2.6.21-2950.fc8

How reproducible:
Always


Steps to Reproduce:
1. Install Xen, setroubleshooter
2. Create a paravirtualized xen image with a shared physical network device
3. Start the image



Actual Results:
Getting an SELinux error

SELinux is preventing python (xend_t) "create" to (xend_var_run_t).

avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=26098 scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0


Expected Results:
NO SELinux Error while the image is starting

Additional info:

Comment 1 Stefan Vogel 2007-11-17 16:02:25 UTC
The complete SELinux Error Report:

Source Context:  system_u:system_r:xend_t:s0
Target Context:  system_u:object_r:xend_var_run_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  
Policy RPM:  selinux-policy-3.0.8-53.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  xxxx.xxxxxx.xxx
Platform:  Linux XXXXXXXX 2.6.21-2950.fc8xen #1 SMP Tue Oct 23 12:24:34 EDT 2007
i686 athlon
Alert Count:  4
First Seen:  Sat 17 Nov 2007 04:43:20 PM CET
Last Seen:  Sat 17 Nov 2007 04:54:51 PM CET
Local ID:  9ce0ec6b-1608-4c8a-975a-d4fde6729269
Line Numbers:  
Raw Audit Messages :

avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=30199
scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0 

Comment 2 Stefan Vogel 2007-11-26 07:07:23 UTC
MMM 

Maybe this is more selinux related so moved it to 
selinux.

Stefan

Comment 3 Daniel Walsh 2007-11-26 14:56:53 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-62.fc8
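
As an added example (not code from the report or from the Fedora policy package), here is a small Python parser that pulls the subject type, object type, object class and permission out of the raw AVC line quoted in comment 1 and derives the allow rule that audit2allow would write into mypol.te for it, so the rule can be reviewed before semodule -i loads it.

```python
import re

# Raw AVC denial copied from comment 1 above (re-joined into one line).
AVC_LINE = (
    "avc: denied { create } for comm=python egid=0 euid=0 exe=/usr/bin/python "
    "exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=boot pid=30199 "
    "scontext=system_u:system_r:xend_t:s0 sgid=0 subj=system_u:system_r:xend_t:s0 "
    "suid=0 tclass=dir tcontext=system_u:object_r:xend_var_run_t:s0 tty=(none) uid=0"
)

# "avc: denied { perm1 perm2 } for key=value key=value ..."
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)"
)


def parse_avc(line):
    """Split one AVC record into its verdict, permission list and key=value fields."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(), "fields": fields}


def type_of(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def allow_rule(line):
    """Derive the minimal allow rule that resolves the denial (what audit2allow emits).

    Returns None for records that are not denials.
    """
    rec = parse_avc(line)
    if rec["verdict"] != "denied":
        return None
    f = rec["fields"]
    perms = " ".join(rec["perms"])
    if len(rec["perms"]) > 1:
        perms = "{ " + perms + " }"   # several permissions are written as a set
    return "allow %s %s:%s %s;" % (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"], perms)


if __name__ == "__main__":
    # For the line from comment 1 this yields: allow xend_t xend_var_run_t:dir create;
    print(allow_rule(AVC_LINE))
```

The derived rule is exactly as broad as the denial it came from, so check that the subject and object types are the ones you expect before installing the module.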

Comment 4 Daniel Walsh 2008-01-30 19:20:52 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

