Bug 450723 - xenner doesn't work in enforcing mode
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
low Severity low
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Duplicates: 464158 478301
Reported: 2008-06-10 13:16 EDT by Bill Nottingham
Modified: 2009-07-08 17:42 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-08 17:42:58 EDT

Attachments
audit log (100.10 KB, text/plain)
2008-06-23 11:19 EDT, Bill Nottingham
Description Bill Nottingham 2008-06-10 13:16:10 EDT
Description of problem:

type=AVC msg=audit(1213117922.549:1172): avc:  denied  { mounton } for 
pid=32679 comm="mount" path="/var/run/xenner" dev=sda2 ino=5552229
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

type=AVC msg=audit(1213117922.573:1173): avc:  denied  { write } for  pid=32686
comm="xenstored" name="log" dev=sda2 ino=5551491
tcontext=system_u:object_r:var_log_t:s0 tclass=dir

type=AVC msg=audit(1213117922.589:1174): avc:  denied  { write } for  pid=32688
comm="xenstored" name="evtchnd" dev=sda2 ino=5551658
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1213117922.590:1175): avc:  denied  { create } for  pid=32688
comm="xenstored" scontext=unconfined_u:system_r:xenstored_t:s0
tcontext=unconfined_u:system_r:xenstored_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):


How reproducible:

Every time

Steps to Reproduce:
1. install xenner
2. run /etc/init.d/xenner start
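
How denials like the ones in this report become the allow rules of a policy module, as an added sketch that is not part of the original report and not audit2allow's own code; it assumes one record per line, and the third sample record is constructed. Records without scontext, tcontext or tclass cannot yield a rule and are returned separately.

```python
import re
from collections import defaultdict

# Records 1 and 2 are denials from the report, re-joined onto one line each;
# record 3 is constructed for this example to show permission merging.
SAMPLE_LOG = """\
type=AVC msg=audit(1213117922.573:1173): avc:  denied  { write } for  pid=32686 comm="xenstored" name="log" dev=sda2 ino=5551491 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1213117922.590:1175): avc:  denied  { create } for  pid=32688 comm="xenstored" scontext=unconfined_u:system_r:xenstored_t:s0 tcontext=unconfined_u:system_r:xenstored_t:s0 tclass=tcp_socket
type=AVC msg=audit(1213117922.591:1176): avc:  denied  { setopt } for  pid=32688 comm="xenstored" scontext=unconfined_u:system_r:xenstored_t:s0 tcontext=unconfined_u:system_r:xenstored_t:s0 tclass=tcp_socket
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def denials_to_rules(log_text):
    """Return (allow_rules, incomplete_records) for the AVC denials in log_text."""
    perms = defaultdict(set)
    incomplete = []
    for line in log_text.splitlines():
        denied = DENIED_RE.search(line)
        if not denied:
            continue  # not an AVC denial record
        fields = dict(FIELD_RE.findall(line))
        source = context_type(fields.get("scontext", ""))
        target = context_type(fields.get("tcontext", ""))
        tclass = fields.get("tclass")
        if not (source and target and tclass):
            incomplete.append(line)  # no rule can be derived without all three
            continue
        if target == source:
            target = "self"  # same type on both sides is written as self
        perms[(source, target, tclass)].update(denied.group(1).split())
    rules = []
    for (source, target, tclass), granted in sorted(perms.items()):
        body = " ".join(sorted(granted))
        if len(granted) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {source} {target}:{tclass} {body};")
    return rules, incomplete

if __name__ == "__main__":
    rules, incomplete = denials_to_rules(SAMPLE_LOG)
    print("\n".join(rules), f"\n# {len(incomplete)} record(s) skipped as incomplete")
```
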
Comment 1 Bill Nottingham 2008-06-16 00:49:15 EDT
This module allows it to work:
module xenner 1.0;

require {
	type xenconsoled_t;
	type var_run_t;
	type fs_t;
	type virt_var_run_t;
	type kvm_device_t;
	type var_log_t;
	type initrc_t;
	type xend_var_run_t;
	type virtd_t;
	type xenstored_t;
	type tmp_t;
	type port_t;
	type anon_inodefs_t;
	type tmpfs_t;
	type mount_t;
	class process setrlimit;
	class unix_stream_socket connectto;
	class chr_file { read write ioctl };
	class capability sys_resource;
	class tcp_socket { name_connect setopt create connect };
	class file { read create ioctl write getattr unlink append };
	class filesystem getattr;
	class sock_file write;
	class dir { write search read remove_name mounton getattr add_name };
}

#============= mount_t ==============
allow mount_t var_run_t:dir mounton;

#============= virtd_t ==============
allow virtd_t anon_inodefs_t:file { read write ioctl };
allow virtd_t fs_t:filesystem getattr;
allow virtd_t initrc_t:unix_stream_socket connectto;
allow virtd_t kvm_device_t:chr_file { read write ioctl };
allow virtd_t port_t:tcp_socket name_connect;
allow virtd_t self:capability sys_resource;
allow virtd_t self:process setrlimit;
allow virtd_t tmp_t:dir { write remove_name add_name };
allow virtd_t tmp_t:file { read write create unlink };
allow virtd_t tmpfs_t:dir { write remove_name add_name };
allow virtd_t tmpfs_t:file { create unlink };
allow virtd_t var_run_t:sock_file write;
allow virtd_t xend_var_run_t:dir { write remove_name add_name };
allow virtd_t xend_var_run_t:file { read write create unlink };

#============= xenconsoled_t ==============
allow xenconsoled_t initrc_t:unix_stream_socket connectto;
allow xenconsoled_t self:tcp_socket { create setopt connect };
allow xenconsoled_t tmpfs_t:dir { read search getattr };
allow xenconsoled_t tmpfs_t:file { read write getattr };
allow xenconsoled_t var_run_t:sock_file write;
allow xenconsoled_t virt_var_run_t:file { read write getattr };

#============= xenstored_t ==============
allow xenstored_t initrc_t:unix_stream_socket connectto;
allow xenstored_t self:tcp_socket { create setopt connect };
allow xenstored_t tmp_t:dir { write remove_name search add_name };
allow xenstored_t tmp_t:file { read write create unlink };
allow xenstored_t tmpfs_t:dir search;
allow xenstored_t tmpfs_t:file { read write };
allow xenstored_t var_log_t:dir { write add_name };
allow xenstored_t var_log_t:file { create append };
allow xenstored_t var_run_t:file { read write };
allow xenstored_t var_run_t:sock_file write;
allow xenstored_t virt_var_run_t:file { read write };

I have not audited it for correctness.
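
A first pass at the audit the comment above says was not done, as an added example that is not part of the original comment or of the selinux-policy project: it lists the module's rules whose target is a generic type, grouped by source domain. The `GENERIC_TYPES` set and the function names are assumptions of this example, and only a subset of the module's rules is embedded.

```python
import re

# Rules copied from the module in the comment above (a subset, for brevity).
MODULE_RULES = """\
allow mount_t var_run_t:dir mounton;
allow virtd_t kvm_device_t:chr_file { read write ioctl };
allow virtd_t port_t:tcp_socket name_connect;
allow virtd_t tmp_t:file { read write create unlink };
allow xenstored_t self:tcp_socket { create setopt connect };
allow xenstored_t var_log_t:dir { write add_name };
allow xenstored_t var_log_t:file { create append };
allow xenstored_t virt_var_run_t:file { read write };
"""

# Assumption of this example: types shared by many unrelated programs, so a
# rule that targets one of them reaches well beyond xenner's own objects.
GENERIC_TYPES = {"var_run_t", "var_log_t", "tmp_t", "tmpfs_t", "port_t"}

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_allow(line):
    """Parse one 'allow' rule into (source, target, class, permission set)."""
    match = RULE_RE.fullmatch(line.strip())
    if match is None:
        return None  # comment, blank line or a statement this sketch ignores
    source, target, tclass, braced, single = match.groups()
    perms = braced if braced is not None else single
    return source, target, tclass, set(perms.split())


def generic_targets(module_text):
    """Group rules that target a generic type by source domain, for review."""
    findings = {}
    for line in module_text.splitlines():
        rule = parse_allow(line)
        if rule is None or rule[1] not in GENERIC_TYPES:
            continue
        source, target, tclass, perms = rule
        findings.setdefault(source, []).append((target, tclass, sorted(perms)))
    return findings


if __name__ == "__main__":
    for domain, rules in generic_targets(MODULE_RULES).items():
        for target, tclass, perms in rules:
            print(f"{domain}: {' '.join(perms)} on {target}:{tclass}")
```
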
Comment 2 Daniel Walsh 2008-06-22 08:54:03 EDT
God I hate xen.

Bill, can you attach the audit.log you used to generate this policy?

Comment 3 Bill Nottingham 2008-06-23 11:19:12 EDT
Created attachment 310036
audit log

Here's the audit log with some known noise (tmpwatch, etc.) taken out. I
suspect there's some more noise still in it.
Comment 4 Daniel Walsh 2008-06-24 06:47:49 EDT
So it seems that xenner is similar to what I am currently labeling as a qemu,
i.e. a virtual instance of a running Operating System.

If you labeled xenner as qemu_exec_t you would get most of the privs.

I need to create a virtd_instance under virtd to describe the access and then
let xenner and qemu inherit from it.
Comment 5 Gerd Hoffmann 2008-06-24 07:42:59 EDT
Sounds reasonable.  xenner runs xen guests using kvm, so from a selinux point of
view it probably looks much the same (I'm not a selinux expert though ...).

xenner also uses some xen binaries such as xenstored, which should have selinux
coverage too.

xenner uses a tmpfs mount (/var/run/xenner), it puts files there as backing
store for the vm memory.  This is something which neither qemu nor xen do, thus
I'd expect some new rules are needed to cover that.

Hope this helps,
Comment 6 Daniel Walsh 2008-07-02 14:51:27 EDT
Do you have a xen image around I could play with to write policy for this domain?
Comment 7 Gerd Hoffmann 2008-07-03 03:45:15 EDT
For a quick bootup test you don't need an image, you can grab xen kernel and
initrd from any fedora install dvd (images/xen/), then run "xenner -kernel
vmlinuz -initrd initrd.img -vnc".  Connecting with a vnc viewer to
display :0 should then show the first stage install screen (probably complaining
it couldn't find a disk).

Note: avoid xen-runtime-3.2.0-12.fc9, vnc is broken with that one.  Either -10
or something newer should work ok.
Comment 8 Bill Nottingham 2008-07-03 11:00:04 EDT
I don't have any small xen images at the moment. I could try and find a place to
put a 1GB .bz2 file, but that may be a bit excessive.
Comment 9 Gerd Hoffmann 2008-09-29 05:45:41 EDT
*** Bug 464158 has been marked as a duplicate of this bug. ***
Comment 10 Gerd Hoffmann 2009-01-05 06:15:12 EST
*** Bug 478301 has been marked as a duplicate of this bug. ***
Comment 11 Bug Zapper 2009-06-09 21:31:39 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 12 Miroslav Grepl 2009-07-08 17:42:58 EDT
Should be fixed in current F9, F10, F11 policy. So I am closing it.
