Description of problem:
SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t.

Version-Release number of selected component (if applicable):
Source RPM Packages: bridge-utils-1.2-7.fc11
Policy RPM: selinux-policy-3.6.12-28.fc11

How reproducible:
4 times

Steps to Reproduce:
1. start a xen domu vm that has a bridged device
2.
3.

Actual results:
avc

Expected results:
no avc

Additional info:

Summary:
SELinux is preventing brctl (brctl_t) "read write" tun_tap_device_t.

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by brctl. It is not expected that this access is required by brctl and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context: system_u:system_r:brctl_t:s0
Target Context: system_u:object_r:tun_tap_device_t:s0
Target Objects: /dev/net/tun [ chr_file ]
Source: brctl
Source Path: /usr/sbin/brctl
Port: <Unknown>
Host: jerry-opti755
Source RPM Packages: bridge-utils-1.2-7.fc11
Target RPM Packages:
Policy RPM: selinux-policy-3.6.12-28.fc11
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: jerry-opti755
Platform: Linux jerry-opti755 2.6.30-0.1.2.25.rc4.git3.xendom0.fc12.x86_64 #1 SMP Thu May 7 13:59:41 EDT 2009 x86_64 x86_64
Alert Count: 4
First Seen: Tue 12 May 2009 09:37:46 AM CDT
Last Seen: Tue 12 May 2009 11:00:27 AM CDT
Local ID: 501a857a-8330-4c5f-a084-837c989a0e86
Line Numbers:

Raw Audit Messages:
node=jerry-opti755 type=AVC msg=audit(1242144027.752:46): avc: denied { read write } for pid=6041 comm="brctl" path="/dev/net/tun" dev=tmpfs ino=2719 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
node=jerry-opti755 type=SYSCALL msg=audit(1242144027.752:46): arch=c000003e syscall=59 success=yes exit=0 a0=bb2d20 a1=bb3790 a2=bb3ef0 a3=28 items=0 ppid=6023 pid=6041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0 key=(null)
You can add these rules for now using
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-36.fc11.noarch
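An added example, not part of this bug report or of the selinux-policy package: a small Python parser for the two audit records quoted in the report (the AVC denial and its SYSCALL record, both serial 46). It reconstructs the allow rule that the audit2allow step above would write into mypol.te, and pairs the denial with the syscall's success=yes field, which is how you can tell from the log alone that the denial was recorded in permissive mode (in enforcing mode the same open of /dev/net/tun would have failed). The regular expressions and the summary field names are this example's own assumptions; the record text is the report's.

```python
import re

# Constructed sample: the two audit records quoted in this bug report, one
# AVC and its matching SYSCALL record (same serial number 46).
SAMPLE_AUDIT_LOG = """\
node=jerry-opti755 type=AVC msg=audit(1242144027.752:46): avc: denied { read write } for pid=6041 comm="brctl" path="/dev/net/tun" dev=tmpfs ino=2719 scontext=system_u:system_r:brctl_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file
node=jerry-opti755 type=SYSCALL msg=audit(1242144027.752:46): arch=c000003e syscall=59 success=yes exit=0 a0=bb2d20 a1=bb3790 a2=bb3ef0 a3=28 items=0 ppid=6023 pid=6041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="brctl" exe="/usr/sbin/brctl" subj=system_u:system_r:brctl_t:s0 key=(null)
"""

# Head of an AVC record: serial number, verdict and the permission set;
# everything after "for" is a run of key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; a value is either a quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):')


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def context_type(ctx):
    """Third field of user:role:type:level, e.g. brctl_t."""
    return ctx.split(':')[2]


def allow_rule(avc):
    """The allow rule audit2allow would write for this denial."""
    return 'allow %s %s:%s { %s };' % (
        context_type(avc['scontext']), context_type(avc['tcontext']),
        avc['tclass'], ' '.join(avc['perms']))


def syscall_outcomes(text):
    """Map each SYSCALL record's serial number to whether success=yes."""
    outcomes = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            fields = dict(KV_RE.findall(line))
            outcomes[int(m.group('serial'))] = fields.get('success') == 'yes'
    return outcomes


def analyse(text):
    """One summary per denial: the rule, and whether the call still succeeded.

    A denied AVC whose SYSCALL record has success=yes means SELinux was in
    permissive mode when it was logged; in enforcing mode the access fails."""
    outcomes = syscall_outcomes(text)
    summaries = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc and avc['verdict'] == 'denied':
            summaries.append({
                'comm': avc['comm'],
                'path': avc['path'],
                'rule': allow_rule(avc),
                'permitted_anyway': outcomes.get(avc['serial'], False),
            })
    return summaries


if __name__ == '__main__':
    for s in analyse(SAMPLE_AUDIT_LOG):
        mode = 'permissive' if s['permitted_anyway'] else 'enforcing'
        print('%s on %s (%s): %s' % (s['comm'], s['path'], mode, s['rule']))
```

Run against the report's records it prints `brctl on /dev/net/tun (permissive): allow brctl_t tun_tap_device_t:chr_file { read write };`, the same rule the grep | audit2allow pipeline above puts in mypol.te. Seeing the rule spelled out before loading a local module is useful: it makes clear that the module grants brctl_t read/write on every tun_tap_device_t node, not just /dev/net/tun, which is a reasonable stopgap until the fixed selinux-policy build is installed.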
Created attachment 343664
attaching mypol.te to note other avc's I had not yet reported.

Confirmed fixed. Started vm. No avc.