Bug 599540 - /etc/xen/auto SElinux label prevents xm from accessing it
/etc/xen/auto SElinux label prevents xm from accessing it
Status: CLOSED DUPLICATE of bug 579497
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
low Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-03 09:25 EDT by Tamas Vincze
Modified: 2010-06-03 11:21 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-06-03 11:21:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tamas Vincze 2010-06-03 09:25:12 EDT
ls -laZ /etc/xen/auto

drwxr-xr-x  root root system_u:object_r:virt_etc_rw_t  .
drwx------  root root system_u:object_r:virt_etc_t     ..
lrwxrwxrwx  root root user_u:object_r:etc_t            files -> ../files
lrwxrwxrwx  root root root:object_r:virt_etc_rw_t      ha -> ../ha

'xendomains start' fires up 'files' but cannot open the config file for 'ha'.
'xm create ha' works fine.

'service xendomains status' prints:
Checking for xendomains: filesError: Unable to open config file: /etc/xen/auto/ha
 mailgw MISS AUTO: [dead]                                  [FAILED]

AVC denial:
type=AVC msg=audit(1275571307.822:96): avc:  denied  { read } for  pid=6514 comm="xm" name="ha" dev=dm-0 ino=819738 scontext=user_u:system_r:xm_t:s0 tcontext=root:object_r:virt_etc_rw_t:s0 tclass=lnk_file

https://bugzilla.redhat.com/show_bug.cgi?id=554777 is closed, but describes the same problem.
Comment 1 Daniel Walsh 2010-06-03 10:00:02 EDT
What policy version are you running?
Comment 2 Tamas Vincze 2010-06-03 10:03:27 EDT
selinux-policy-2.4.6-279.el5
Comment 3 Miroslav Grepl 2010-06-03 11:19:09 EDT
Tamas, 
it will fix in selinux-policy-2.4.6-280.el5.noarch

Preview is available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch
Comment 4 Miroslav Grepl 2010-06-03 11:21:00 EDT

*** This bug has been marked as a duplicate of bug 579497 ***

Note You need to log in before you can comment on or make changes to this bug.