599540 – /etc/xen/auto SElinux label prevents xm from accessing it

Bug 599540 - /etc/xen/auto SElinux label prevents xm from accessing it

Summary: /etc/xen/auto SElinux label prevents xm from accessing it

Status:	CLOSED DUPLICATE of bug 579497
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-03 13:25 UTC by Tamas Vincze
Modified:	2010-06-03 15:21 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2010-06-03 15:21:00 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tamas Vincze 2010-06-03 13:25:12 UTC

ls -laZ /etc/xen/auto

drwxr-xr-x  root root system_u:object_r:virt_etc_rw_t  .
drwx------  root root system_u:object_r:virt_etc_t     ..
lrwxrwxrwx  root root user_u:object_r:etc_t            files -> ../files
lrwxrwxrwx  root root root:object_r:virt_etc_rw_t      ha -> ../ha

'xendomains start' fires up 'files' but cannot open the config file for 'ha'.
'xm create ha' works fine.

'service xendomains status' prints:
Checking for xendomains: filesError: Unable to open config file: /etc/xen/auto/ha
 mailgw MISS AUTO: [dead]                                  [FAILED]

AVC denial:
type=AVC msg=audit(1275571307.822:96): avc:  denied  { read } for  pid=6514 comm="xm" name="ha" dev=dm-0 ino=819738 scontext=user_u:system_r:xm_t:s0 tcontext=root:object_r:virt_etc_rw_t:s0 tclass=lnk_file

https://bugzilla.redhat.com/show_bug.cgi?id=554777 is closed, but describes the same problem.

Comment 1 Daniel Walsh 2010-06-03 14:00:02 UTC

What policy version are you running?

Comment 2 Tamas Vincze 2010-06-03 14:03:27 UTC

selinux-policy-2.4.6-279.el5

Comment 3 Miroslav Grepl 2010-06-03 15:19:09 UTC

Tamas, 
it will fix in selinux-policy-2.4.6-280.el5.noarch

Preview is available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch

Comment 4 Miroslav Grepl 2010-06-03 15:21:00 UTC


*** This bug has been marked as a duplicate of bug 579497 ***

Note You need to log in before you can comment on or make changes to this bug.