Created attachment 597572
Output from sealert

Description of problem:
SELinux prevents xend on Fedora 17 from starting virtual machines if the user isn't using libvirt to manage the virtual machines.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-134.fc17.noarch
selinux-policy-targeted-3.10.0-134.fc17.noarch
xen-4.1.2-20.fc17.x86_64

How reproducible:
Ensure that SELinux is in enforcing mode and attempt to start a virtual machine using "xm create <vm_name>".

Steps to Reproduce:
1. setenforce 1
2. xm create <vm_name>
3. virtual machine will not start -- SELinux denials are logged

Actual results:
Virtual machines will not start.

Expected results:
Virtual machines should start.

Additional info:
Here is the output from /var/log/messages:

setroubleshoot: SELinux is preventing /usr/bin/python2.7 from read access on the file group. For complete SELinux messages. run sealert -l b1392df4-dda4-4b82-914c-1e20c62fc898
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from setattr access on the chr_file 1. For complete SELinux messages. run sealert -l 3e09edc3-aeb7-49f5-96e1-d8148afda48f
setroubleshoot: SELinux is preventing /usr/bin/python2.7 from execute access on the file pt_chown. For complete SELinux messages. run sealert -l 86395f09-5f33-4f66-8d02-519b61e54139

I put the sealert messages in a gist on GitHub since they're a little lengthy (they're also attached to this bug report): https://gist.github.com/3090278
Major, adding those three ALLOW rules fixed the problem?
Dan, I ended up going this route:

grep xend /var/log/audit/audit.log | audit2allow -M custom_xen
semodule -i custom_xen.pp

After that I was able to start the VMs without a hitch.
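As an added illustration of what that audit2allow step produces (example code written for this page, not from the bug report or the selinux-policy project), the script below parses a constructed audit.log excerpt, groups the denied permissions by source type, target type and object class, and renders the allow rules a generated .te file would contain, so they can be read before anything is installed with semodule -i. The AVC records are modelled on the three setroubleshoot messages above; the target type labels and pids are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the bug report): the AVC records mirror the three
# setroubleshoot messages quoted in the report; the target type labels are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1341500000.101:201): avc:  denied  { read } for  pid=2345 comm="python" name="group" dev="dm-0" ino=1234 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1341500000.102:202): avc:  denied  { setattr } for  pid=2345 comm="python" name="1" dev="devpts" ino=4 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1341500000.103:203): avc:  denied  { execute } for  pid=2345 comm="python" name="pt_chown" dev="dm-0" ino=5678 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:ptchown_exec_t:s0 tclass=file
type=AVC msg=audit(1341500000.104:204): avc:  denied  { read open } for  pid=2345 comm="python" name="group" dev="dm-0" ino=1234 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1341500000.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="python"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type=None):
    """Group denied permissions by (source type, target type, class), as audit2allow does;
    source_type narrows the result to one domain, like the 'grep xend' in the thread."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if m is None:
            continue
        stype = type_of(m["scontext"])
        if source_type is not None and stype != source_type:
            continue
        key = (stype, type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_allow_rules(rules):
    """Render grouped denials as the allow rules a generated .te file would carry."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    # Read these rules before building a module and loading it with semodule -i.
    for rule in render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG, "xend_t")):
        print(rule)
```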
If you execute

$ semanage permissive -a xend_t

and re-test it, do you get more AVC msgs?
With the custom_xen.pp module still installed, I see the following after starting an instance with "xm create": https://gist.github.com/3100859

Did you want me to pull out the custom_xen.pp module I made and try to start the instance? I could probably capture all of the AVCs that way.
Fixed in selinux-policy-3.10.0-138.fc17.noarch
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.