Created attachment 597572
Output from sealert
Description of problem:
SELinux prevents xend on Fedora 17 from starting virtual machines if the user isn't using libvirt to manage the virtual machines.
Version-Release number of selected component (if applicable):
How reproducible:
Ensure that SELinux is in enforcing mode and attempt to start a virtual machine using "xm create <vm_name>".
Steps to Reproduce:
1. setenforce 1
2. xm create <vm_name>
3. virtual machine will not start -- SELinux denials are logged
Actual results:
Virtual machines will not start.
Expected results:
Virtual machines should start.
Here is the output from /var/log/messages:
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from read access on the file group. For complete SELinux messages. run sealert -l b1392df4-dda4-4b82-914c-1e20c62fc898
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from setattr access on the chr_file 1. For complete SELinux messages. run sealert -l 3e09edc3-aeb7-49f5-96e1-d8148afda48f
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from execute access on the file pt_chown. For complete SELinux messages. run sealert -l 86395f09-5f33-4f66-8d02-519b61e54139
I put the sealert messages in a gist on GitHub since they're a little lengthy (they're also attached to this bug report):
Major, adding those three ALLOW rules fixed the problem?
Dan, I ended up going this route:
grep xend /var/log/audit/audit.log | audit2allow -M custom_xen
semodule -i custom_xen.pp
After that I was able to start the VM's without a hitch.
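An added example (not from the bug report or the selinux-policy project) that takes the audit2allow step above one step further: it summarises the denied (source domain, target type, object class, permission) tuples so you can review exactly what a generated module would allow before installing it, since `grep xend` matches any record mentioning xend rather than only xend_t denials. The audit records are constructed to mirror the three denials in this report; the function names `avc_summary` and `sample_summary` are my own.

```shell
#!/bin/sh
# Constructed sample AVC records (not real log output) modelled on the
# denials in this report: xend_t reading a file named "group", setattr on
# a pty chr_file, and executing pt_chown. One denial is repeated, and a
# non-AVC SYSCALL record is included to show it is ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1333000000.123:101): avc:  denied  { read } for  pid=1234 comm="python" name="group" dev="dm-0" ino=1 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1333000000.456:102): avc:  denied  { setattr } for  pid=1234 comm="python" name="1" dev="devpts" ino=4 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1333000000.789:103): avc:  denied  { execute } for  pid=1234 comm="python" name="pt_chown" dev="dm-0" ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1333000001.000:104): avc:  denied  { read } for  pid=1234 comm="python" name="group" dev="dm-0" ino=1 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1333000001.000:104): arch=c000003e syscall=2 success=no exit=-13'

# avc_summary: read audit records on stdin and print one line per distinct
# "<count> <source domain> <target type> <class> <permission>" tuple. Each
# line corresponds to one allow rule audit2allow would generate, so the
# list is what to review (or narrow) before running semodule -i.
avc_summary() {
  awk '
    /^type=AVC/ && /denied/ {
      # the permission set sits between "{" and "}" and may hold several names
      perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # third colon-separated field of a context is the type (e.g. xend_t)
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k2
}

# sample_summary: run the summary over the constructed records above.
# For a real system, feed /var/log/audit/audit.log to avc_summary instead.
sample_summary() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

sample_summary
```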
If you execute
$ semanage permissive -a xend_t
do you get more AVC msgs?
With the custom_xen.pp module still installed, I see the following after starting an instance with "xm create":
Did you want me to pull out the custom_xen.pp module I made and try to start the instance? I could probably capture all of the AVCs that way.
Fixed in selinux-policy-3.10.0-138.fc17.noarch
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following URL:
then log in and leave karma (feedback).
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.