SELinux is preventing /usr/bin/python from 'read' accesses on the blk_file drbd0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed read access on the drbd0 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep xend /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:xend_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                drbd0 [ blk_file ]
Source                        xend
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.1-7.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   3
First Seen                    Wed 07 Sep 2011 11:24:58 PM CDT
Last Seen                     Wed 07 Sep 2011 11:31:22 PM CDT
Local ID                      239dff29-105f-40a2-9dd3-0d1f98a4e24d

Raw Audit Messages
type=AVC msg=audit(1315456282.277:125): avc:  denied  { read } for  pid=2891 comm="xend" name="drbd0" dev=devtmpfs ino=18724 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

type=SYSCALL msg=audit(1315456282.277:125): arch=i386 syscall=access success=no exit=EACCES a0=b5314ce0 a1=4 a2=47b126cc a3=b67046c0 items=0 ppid=1 pid=2891 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xend exe=/usr/bin/python subj=system_u:system_r:xend_t:s0 key=(null)

Hash: xend,xend_t,fixed_disk_device_t,blk_file,read

audit2allow

#============= xend_t ==============
allow xend_t fixed_disk_device_t:blk_file read;

audit2allow -R

#============= xend_t ==============
allow xend_t fixed_disk_device_t:blk_file read;
Is there a reason you are using xend rather than libvirt? Miroslav, we should probably just run xend as unconfined, or we need to force people to do labeling of devices. If you change the label on this device to xen_image_t the avc will go away. Is /dev/drbd0 a xen image?
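As an added illustration (not part of the bug report, of setroubleshoot, or of audit2allow itself): a small Python parser that reads raw AVC records such as the one in the report, merges the denied permissions per (source type, target type, class) the way audit2allow's output groups them, reproduces the `allow xend_t fixed_disk_device_t:blk_file read;` rule shown above, and renders the narrower alternative from the comment (relabel the one device node instead of granting the domain access to every fixed_disk_device_t block file). The second AVC record in the sample log, the /dev prefix, and the chcon form of the relabel are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC and SYSCALL records quoted in the report
# above, plus one made-up follow-on AVC record (NOT from the report) so the
# permission merging below is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315456282.277:125): avc:  denied  { read } for  pid=2891 comm="xend" name="drbd0" dev=devtmpfs ino=18724 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1315456282.277:125): arch=i386 syscall=access success=no exit=EACCES a0=b5314ce0 a1=4 a2=47b126cc a3=b67046c0 items=0 ppid=1 pid=2891 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=xend exe=/usr/bin/python subj=system_u:system_r:xend_t:s0 key=(null)
type=AVC msg=audit(1315456290.101:126): avc:  denied  { read write } for  pid=2891 comm="xend" name="drbd0" dev=devtmpfs ino=18724 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
"""

# key=value pairs; values are either quoted strings or bare non-space runs.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The verdict and the permission set, e.g. 'avc:  denied  { read write }'.
VERDICT_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return a dict describing one 'type=AVC ... denied' record, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = VERDICT_RE.search(line)
    if not m or m.group(1) != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A security context is user:role:type:level; the type is what policy
    # rules are written against.
    return {
        "perms": set(m.group(2).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def denials(log_text):
    """All denied AVC records in a block of audit log text, in order."""
    return [d for d in (parse_avc(l) for l in log_text.splitlines()) if d]


def allow_rules(records):
    """Merge denials into audit2allow-style allow rules keyed by source type."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules[stype].append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return dict(rules)


def render(rules):
    """Format rules with the per-domain banner audit2allow prints."""
    out = []
    for stype, lines in rules.items():
        out.append(f"#============= {stype} ==============")
        out.extend(lines)
    return "\n".join(out)


def relabel_alternative(record, new_type, dev_dir="/dev"):
    """The narrower fix the maintainer comment describes: relabel the single
    object named in the denial instead of allowing the domain every object
    of the target type. Assumes the object lives under dev_dir (constructed
    assumption); a chcon change does not survive a filesystem relabel, so a
    durable fix also needs a file-context or udev rule."""
    return f"chcon -t {new_type} {dev_dir}/{record['name']}"


if __name__ == "__main__":
    recs = denials(SAMPLE_AUDIT_LOG)
    print(render(allow_rules(recs)))
    print("# alternative:", relabel_alternative(recs[0], "xen_image_t"))
```

Run on only the first record the parser yields exactly the `allow xend_t fixed_disk_device_t:blk_file read;` line from the report; with the constructed second record merged in, the rule widens to `{ read write }`, which is the point of reviewing the generated module before `semodule -i` rather than installing it blind: a blanket allow on fixed_disk_device_t reaches every fixed disk node, whereas relabeling /dev/drbd0 to xen_image_t, as the comment proposes, scopes the access to that one device.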