Bug 554777 - Missing selinux rules/labels for /etc/xen (and possibly other places).
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: x86_64 Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2010-01-12 16:11 UTC by Barry Marson
Modified: 2012-10-15 14:47 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-30 07:50:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
xml definition used for queuing. Note: TESTDISTRO is replaced with the actual distro (2.18 KB, text/xml)
2010-01-12 16:11 UTC, Barry Marson
audit.log from dell-pe6800-01.rhts.bos.redhat.com (44.92 KB, text/plain)
2010-01-12 16:12 UTC, Barry Marson

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Barry Marson 2010-01-12 16:11:19 UTC
Created attachment 383271 [details]
xml definition used for queuing.  Note: TESTDISTRO is replaced with the actual distro

Description of problem:

Getting a failure with the automated RHTS scripts for staging Xen guests.  I can't write into /etc/xen to update the guest config file because there are no appropriate rules or labels.  The RHTS test that fails is:


The avc message received was:

time->Mon Jan 11 13:18:28 2010
type=SYSCALL msg=audit(1263233908.916:16): arch=c000003e syscall=2 success=no exit=-13 a0=7fff29480f50 a1=241 a2=180 a3=6e65783d65676469 items=0 ppid=28137 pid=28162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1263233908.916:16): avc:  denied  { write } for  pid=28162 comm="virsh" name="guest1" dev=dm-0 ino=121798830 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
/bin/grep avc: /tmp/dmesg.log | /bin/grep --invert-match granted

and can be seen in job


This needs to work to change the processor and memory configuration of a guest.  The default for guest staging is a whopping 1 VCPU and 512MB.  Workarounds are inappropriate, i.e., running unconstrained, or with selinux disabled/permissive.

I am attaching my XML that queues this job as well as the audit.log


Version-Release number of selected component (if applicable):

DISTRO RHEL5.5-Server-20091227.0

How reproducible:
Every time

Steps to Reproduce:
1. See attached XML for queuing the job
Actual results:

Expected results:

Additional info:

Comment 1 Barry Marson 2010-01-12 16:12:29 UTC
Created attachment 383272 [details]
audit.log from dell-pe6800-01.rhts.bos.redhat.com

Comment 2 Daniel Walsh 2010-01-12 16:52:02 UTC
Miroslav add:

/etc/xen		-d	gen_context(system_u:object_r:virt_etc_t,s0)
/etc/xen/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
/etc/xen/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)

to xen.te

Comment 3 Miroslav Grepl 2010-01-12 17:50:00 UTC
Fixed in selinux-policy-2.4.6-270.el5

Comment 7 errata-xmlrpc 2010-03-30 07:50:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 8 Ralph Angenendt 2010-05-21 12:51:37 UTC
This still does not work when you have symbolic links going from /etc/xen/auto to /etc/xen.

After updating to the policy version in the errata file (or by going from 5.4 to 5.5 at the moment), those links are relabeled as


Running (for example) "service xendomains status" leads to this denial:

type=AVC msg=audit(1274304143.935:17): avc: denied { read } for pid=5769 comm="xm" name="gembox" dev=dm-0 ino=413828 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file

The reporter of http://bugs.centos.org/view.php?id=4329 even said that his domains did not autostart after relabeling, something I couldn't recreate.

But: If I remove a link which got labeled as system_u:object_r:virt_etc_t and recreate it, it gets a different label:

lrwxrwxrwx  root root user_u:object_r:etc_t            kiste -> /etc/xen/kiste

Labeled this way, "service xendomains status" works, as that seems to be a broader context in which more applications are allowed to read.
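The following is an added illustration, not code from the bug report or from the selinux-policy package. It models how setfiles/restorecon choose a label from file_contexts entries, using the four /etc/xen lines proposed in comment 2 plus a generic /etc(/.*)? etc_t entry that is assumed here to stand in for the stock rule (the real RHEL 5 policy has many more entries), and it parses the two AVC records quoted in comment 0 and comment 8 to compare the label in each denial with the label the entries would assign after a relabel. The object-class specifiers (--, -d, and so on) are the documented file_contexts ones; the last matching entry wins, which is what libselinux does once the policy build has sorted entries most-specific-last.

```python
import re

# Constructed subset of a file_contexts database: the four /etc/xen entries
# proposed in comment 2, preceded by a generic /etc(/.*)? entry that stands in
# for the stock etc_t rule which covered /etc/xen before the fix (the exact
# stock entry is an assumption; the real RHEL 5 policy has many more lines).
FILE_CONTEXTS = """
/etc(/.*)?              gen_context(system_u:object_r:etc_t,s0)
/etc/xen         -d     gen_context(system_u:object_r:virt_etc_t,s0)
/etc/xen/[^/]*   --     gen_context(system_u:object_r:virt_etc_t,s0)
/etc/xen/[^/]*   -d     gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.*          gen_context(system_u:object_r:virt_etc_rw_t,s0)
"""

# Object-class specifiers used in file_contexts; no specifier means any class.
FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
         "-b": "blk", "-s": "sock", "-p": "fifo"}
# Map the tclass seen in an AVC record onto the same class names.
AVC_CLASS = {"file": "file", "dir": "dir", "lnk_file": "symlink",
             "chr_file": "chr", "blk_file": "blk", "sock_file": "sock",
             "fifo_file": "fifo"}

SPEC_RE = re.compile(
    r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(([^,]+),(\S+)\)$")
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')

# The two denials quoted in the report (comment 0 and comment 8).
AVC_VIRSH = ('type=AVC msg=audit(1263233908.916:16): avc:  denied  { write } '
             'for  pid=28162 comm="virsh" name="guest1" dev=dm-0 ino=121798830 '
             'scontext=system_u:system_r:xm_t:s0 '
             'tcontext=system_u:object_r:etc_t:s0 tclass=file')
AVC_XM = ('type=AVC msg=audit(1274304143.935:17): avc: denied { read } for '
          'pid=5769 comm="xm" name="gembox" dev=dm-0 ino=413828 '
          'scontext=system_u:system_r:xm_t:s0 '
          'tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file')


def parse_file_contexts(text):
    """Return a list of (anchored regex, object class or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC_RE.match(line)
        if m is None:
            raise ValueError("unparseable file_contexts line: %r" % line)
        path_re, ftype, ctx, level = m.groups()
        cls = FTYPE[ftype] if ftype else None      # KeyError on unknown spec
        # file_contexts regexes are implicitly anchored at both ends.
        specs.append((re.compile("^" + path_re + "$"), cls,
                      "%s:%s" % (ctx, level)))
    return specs


def match_context(specs, path, cls):
    """Context restorecon/setfiles would assign to `path` of object class `cls`.

    An entry with a class specifier applies only to that class; among the
    entries that match, the last one wins.  libselinux gives the same answer
    because the policy build sorts entries most-specific-last.
    """
    winner = None
    for rx, want, ctx in specs:
        if want is not None and want != cls:
            continue
        if rx.match(path):
            winner = ctx
    return winner


def parse_avc(line):
    """Extract the fields a triage needs from one AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def triage(specs, avc_line, path):
    """Compare the label in a denial with the label the file_contexts predict."""
    d = parse_avc(avc_line)
    if d is None:
        return None
    predicted = match_context(specs, path, AVC_CLASS[d["tclass"]])
    ptype = predicted.split(":")[2] if predicted else None
    return {"comm": d["comm"], "perms": d["perms"], "tclass": d["tclass"],
            "stype": d["stype"], "labelled": d["ttype"],
            "after_restorecon": ptype,
            "relabel_changes_type": ptype is not None and ptype != d["ttype"]}


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    # Comment 0: guest1 is a regular file under /etc/xen, labelled etc_t at the
    # time; the new entries give it virt_etc_t on relabel.
    print(triage(specs, AVC_VIRSH, "/etc/xen/guest1"))
    # Comment 8: the symlink lives under /etc/xen/auto, so only the typeless
    # /etc/xen/.*/.* entry matches it and a relabel keeps virt_etc_rw_t.
    print(triage(specs, AVC_XM, "/etc/xen/auto/gembox"))
    for p, c in [("/etc/xen", "dir"), ("/etc/xen/auto", "dir"),
                 ("/etc/xen/kiste", "symlink")]:
        print("%-22s %-8s %s" % (p, c, match_context(specs, p, c)))
```

Running the script shows the two shapes of the problem in this report: the comment 0 denial is a stale label that a relabel with the new entries fixes (etc_t becomes virt_etc_t), whereas the comment 8 denial is the label the new entries intend, because the `--` and `-d` entries only ever match regular files and directories directly under /etc/xen, and a symlink one level deeper falls through to the typeless `/etc/xen/.*/.*` entry and gets virt_etc_rw_t, which xm_t is not allowed to read as a lnk_file. Note that this models setfiles/restorecon only; a label seen on a freshly created file comes from the creating process and its parent directory (plus any type_transition rule), not from file_contexts, so the user_u:object_r:etc_t link in comment 8 is not something the matcher predicts.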
