Bug 845444 - SELinux is preventing xend from 'search' accesses on the directory .local.
SELinux is preventing xend from 'search' accesses on the directory .local.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: xen (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Michael Young
Fedora Extras Quality Assurance
abrt_hash:423e001d3cf0d859ca6d6f3f4ba...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-03 02:22 EDT by roddy
Modified: 2012-09-05 19:17 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-21 05:48:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description roddy 2012-08-03 02:22:21 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.5.0-2.fc17.x86_64
time:           ven. 03 août 2012 10:21:50 RET

description:
:SELinux is preventing xend from 'search' accesses on the directory .local.
:
:*****  Plugin xen_image (91.4 confidence) suggests  **************************
:
:If you want to allow xend to have search access on the .local directory
:Then you need to change the label on '.local'
:Do
:# semanage fcontext -a -t xen_image_t '.local'
:# restorecon -v '.local'
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that xend should be allowed search access on the .local directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep xend /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:xend_t:s0
:Target Context                system_u:object_r:gconf_home_t:s0
:Target Objects                .local [ dir ]
:Source                        xend
:Source Path                   xend
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-142.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.0-2.fc17.x86_64 #1
:                              SMP Mon Jul 30 14:48:59 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    ven. 03 août 2012 09:26:28 RET
:Last Seen                     ven. 03 août 2012 09:26:28 RET
:Local ID                      a97dee13-7245-4b7f-be95-fe507abd6046
:
:Raw Audit Messages
:type=AVC msg=audit(1343971588.864:23): avc:  denied  { search } for  pid=749 comm="xend" name=".local" dev="dm-0" ino=419328 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
:
:
:Hash: xend,xend_t,gconf_home_t,dir,search
:
:audit2allow
:
:#============= xend_t ==============
:allow xend_t gconf_home_t:dir search;
:
:audit2allow -R
:
:#============= xend_t ==============
:allow xend_t gconf_home_t:dir search;
:
Comment 1 Daniel Walsh 2012-08-03 07:44:11 EDT
Any idea why the xend daemon would be searching in your homedir?
Comment 2 roddy 2012-08-03 11:40:03 EDT
(In reply to comment #1)
> Any idea why the xend daemon would be searching in your homedir?
Hi,

I'm so sorry, no idea at all. Anyway thanks for trying.
Comment 3 Daniel Walsh 2012-08-06 10:46:02 EDT
Is xend written in Python?
Comment 4 Michael Young 2012-08-06 11:10:48 EDT
(In reply to comment #3)
> Is xend written in Python?

Yes. It should be run as root to work, so I am not sure why it should be looking at a user's home directory either.
Comment 5 Daniel Walsh 2012-08-06 13:22:32 EDT
Well it is probably looking at /root/.local.


Your python line should look like.


#! /usr/bin/python -Es

man python 

...
       -E     Ignore environment variables like PYTHONPATH and PYTHONHOME that
              modify the behavior of the interpreter.
...
       -s     Don't add user site directory to sys.path.
Comment 6 Fedora Update System 2012-08-07 19:14:21 EDT
xen-4.1.2-25.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/xen-4.1.2-25.fc17
Comment 7 Fedora Update System 2012-08-09 19:14:24 EDT
Package xen-4.1.2-25.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing xen-4.1.2-25.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11615/xen-4.1.2-25.fc17
then log in and leave karma (feedback).
Comment 8 roddy 2012-08-10 03:28:05 EDT
(In reply to comment #7)
> Package xen-4.1.2-25.fc17:
> * should fix your issue,
> * was pushed to the Fedora 17 testing repository,
> * should be available at your local mirror within two days.
> Update it with:
> # su -c 'yum update --enablerepo=updates-testing xen-4.1.2-25.fc17'
> as soon as you are able to.
> Please go to the following url:
> https://admin.fedoraproject.org/updates/FEDORA-2012-11615/xen-4.1.2-25.fc17
> then log in and leave karma (feedback).

Hi,

Xend failed to start at boot after updating to XEN-4.1.2-25.fc17

# systemctl --all | grep failed
nmb.service               loaded failed   failed        Samba NMB Daemon
xend.service              loaded failed   failed        Xend - interface between hypervisor and some applications

# xl list
Name                                        ID   Mem VCPUs      State   Time(s)
(null)                                       0  3884     2     r-----     496.6

# systemctl status xend.service
xend.service - Xend - interface between hypervisor and some applications
          Loaded: loaded (/usr/lib/systemd/system/xend.service; enabled)
          Active: failed (Result: exit-code) since Fri, 10 Aug 2012 11:13:40 +0400; 8min ago
         Process: 2165 ExecStart=/usr/sbin/xend (code=exited, status=127)
         Process: 2162 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/xend.service

have a nice day.
Comment 9 Fedora Update System 2012-08-10 15:03:07 EDT
xen-4.1.3-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/xen-4.1.3-1.fc17
Comment 10 Fedora Update System 2012-08-10 20:06:23 EDT
xen-4.1.3-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/xen-4.1.3-2.fc17
Comment 11 Fedora Update System 2012-08-21 05:48:10 EDT
xen-4.1.3-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-09-05 19:17:33 EDT
xen-4.1.3-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/xen-4.1.3-3.fc17

Note You need to log in before you can comment on or make changes to this bug.