Bug 959804 - SELinux prevents systemd xendomains.service from auto starting/stopping guests due to lock file read denial
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-05-05 22:55 UTC by Robby
Modified: 2013-10-25 11:39 UTC
CC List: 5 users

Fixed In Version: selinux-policy-3.11.1-95.fc18
Clone Of:
Environment:
Last Closed: 2013-10-25 11:39:19 UTC
Type: Bug
Embargoed:



Description Robby 2013-05-05 22:55:05 UTC
Description of problem:
SELinux policy prevents systemd service xendomains.service from starting up/shutting down DomUs because it fails to read the lock file, whereas running '/usr/libexec/xendomains start' manually does work.

Version-Release number of selected component (if applicable):
3.11.1-92

How reproducible:
Always

Steps to reproduce:
1. Put xen config files into /etc/xen/auto
2. Reboot xen host machine (or: systemctl start xendomains.service)
  
Actual results:
type=AVC msg=audit(1367793624.386:438): avc:  denied  { read } for  pid=5117 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file

Expected results:
No denials.

Comment 1 Robby 2013-05-05 22:59:22 UTC
I forgot to add the output of 'systemctl status xendomains.service':
xendomains[5095]: Starting auto Xen domains: xl-vserver01-lvm-run.pvmcannot open the lockfile /var/lock/xl errno=13
xendomains[5095]: [done]
systemd[1]: Started Xendomains - start and stop guests on boot and shutdown.

Comment 2 Robby 2013-05-05 23:11:37 UTC
'systemctl stop xendomains.service' output:
systemd[1]: Stopping Xendomains - start and stop guests on boot and shutdown...
xendomains[5454]: Shutting down Xen domains:  [done]
systemd[1]: Stopped Xendomains - start and stop guests on boot and shutdown.

And in audit.log this appears:
type=AVC msg=audit(1367795320.749:472): avc:  denied  { read } for  pid=5465 comm="xl" name="userdata-d.7.a5bc860a-fbc8-407c-aac5-ad643c1972d3.xl" dev="sdb2" ino=262485 scontext=system_u:system_r:virsh_t:s0 tcontext=unconfined_u:object_r:xend_var_lib_t:s0 tclass=file

Comment 3 Miroslav Grepl 2013-05-06 07:45:25 UTC
commit 4bb30d356b08eae5c926a7fcf067fbce8abac9cb
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 6 09:44:31 2013 +0200

    Allow virsh_t to read xen lock file

Comment 4 Fedora Update System 2013-05-07 21:30:31 UTC
selinux-policy-3.11.1-94.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-94.fc18

Comment 5 Fedora Update System 2013-05-09 10:12:59 UTC
Package selinux-policy-3.11.1-94.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-94.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-7743/selinux-policy-3.11.1-94.fc18
then log in and leave karma (feedback).

Comment 6 Robby 2013-05-09 18:35:44 UTC
I have installed the test package but unfortunately the same problem persists.

Comment 7 Robby 2013-05-09 18:46:43 UTC
By same problem I mean it still cannot read the lock file.
Is there maybe some step I need to perform after updating selinux-policy?

Comment 8 Miroslav Grepl 2013-05-10 08:55:35 UTC
You are right, I see a bug in the fix. You can allow it for now using

# grep xend_var_lib_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp

Comment 9 Miroslav Grepl 2013-05-10 08:57:54 UTC
commit 7b3f982e1a4a5fa1251129b786f5d021d52a1543
Author: Miroslav Grepl <mgrepl>
Date:   Fri May 10 10:57:24 2013 +0200

    Allow virsh_t to read xen lib files

Comment 10 Robby 2013-05-10 18:19:05 UTC
Thanks for that. I can wait for an update though; I don't really need my own semodule at this point, but it's good to know.

Does your new commit also fix the access for /run/lock (var_lock_t)?
For this:
type=AVC msg=audit(1367793624.386:438): avc:  denied  { read } for  pid=5117 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file

Comment 11 Fedora Update System 2013-05-17 10:59:34 UTC
selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18

Comment 12 Fedora Update System 2013-05-19 02:43:04 UTC
Package selinux-policy-3.11.1-95.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-95.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8591/selinux-policy-3.11.1-95.fc18
then log in and leave karma (feedback).

Comment 13 Robby 2013-05-19 07:43:42 UTC
Sadly I still have to report failure with this new update:
type=AVC msg=audit(1368949285.954:411): avc:  denied  { read } for  pid=4156 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file

Comment 14 Miroslav Grepl 2013-05-20 11:10:48 UTC
Is there a virsh lock file in /var/lock?

Comment 15 Robby 2013-05-20 17:40:02 UTC
No, only the xl lock file:
--w-------. 1 unconfined_u:object_r:var_lock_t:s0 root root  0 May 19 09:45 xl

Comment 16 Daniel Walsh 2013-05-20 18:43:23 UTC
ea90521897da6dab2ff4f4e7343bad10d12da064 fixes this in git.

Comment 17 Robby 2013-05-21 08:19:52 UTC
Great! Now, I see that selinux-policy-3.11.1-96.fc18 is already up for testing, but sadly this last fix is the only one that did not make it in. If it could be rebuilt with this fix, that would be nice.

Comment 18 Fedora Update System 2013-05-21 08:38:49 UTC
selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Robby 2013-05-31 13:12:32 UTC
I have now updated to selinux-policy-3.11.1-97.fc18, but again I have to report failure. xendomains.service still fails to bring up the virtual machines.

Upon a 'systemctl start xendomains.service', in /var/log/messages this error appears:
cannot open the lockfile /var/lock/xl errno=13

And in /var/log/audit/audit.log this appears:
type=AVC msg=audit(1370005584.597:378): avc:  denied  { read } for  pid=4388 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.597:378): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4387 pid=4388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005584.597:379): avc:  denied  { read } for  pid=4388 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.597:379): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4387 pid=4388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005584.624:380): avc:  denied  { read } for  pid=4393 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.624:380): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4370 pid=4393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005584.624:381): avc:  denied  { read } for  pid=4393 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.624:381): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4370 pid=4393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005584.626:382): avc:  denied  { read } for  pid=4393 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.626:382): arch=40000003 syscall=5 success=no exit=-13 a0=89606b8 a1=8041 a2=80 a3=bfb61f65 items=0 ppid=4370 pid=4393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005589.660:383): avc:  denied  { read } for  pid=4401 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005589.660:383): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4400 pid=4401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005589.660:384): avc:  denied  { read } for  pid=4401 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005589.660:384): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4400 pid=4401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005589.683:385): avc:  denied  { read } for  pid=4406 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005589.683:385): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4370 pid=4406 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005589.684:386): avc:  denied  { read } for  pid=4406 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005589.684:386): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4370 pid=4406 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005589.685:387): avc:  denied  { read } for  pid=4406 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005589.685:387): arch=40000003 syscall=5 success=no exit=-13 a0=99ea6b8 a1=8041 a2=80 a3=bff64f65 items=0 ppid=4370 pid=4406 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=SERVICE_START msg=audit(1370005594.705:388): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="xendomains" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Upon a 'systemctl stop xendomains.service', in /var/log/audit/audit.log this appears:
type=AVC msg=audit(1370005601.741:389): avc:  denied  { read } for  pid=4419 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005601.741:389): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4418 pid=4419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005601.741:390): avc:  denied  { read } for  pid=4419 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005601.741:390): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4418 pid=4419 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005601.757:391): avc:  denied  { read } for  pid=4422 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005601.757:391): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005601.757:392): avc:  denied  { read } for  pid=4422 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005601.757:392): arch=40000003 syscall=33 success=no exit=-13 a0=805ff87 a1=0 a2=806b000 a3=806b800 items=0 ppid=4421 pid=4422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1370005601.799:393): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="xendomains" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
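
The audit2allow workaround in comment 8 and the paired AVC/SYSCALL records in comment 19 are illustrated by the script below, which is an added example and not code from selinux-policy, Xen, or any participant in this bug. It joins each AVC record to its SYSCALL record by audit serial, decodes the i386 syscall number and errno (arch=40000003 is AUDIT_ARCH_I386, so syscall 33 is access(2), 5 is open(2), and exit=-13 is EACCES), and then merges the denials into the same allow rules that `audit2allow -M` would write, so they can be read before `semodule -i` installs them. Two things it makes visible: the object in the var_lock_t denials is a symlink named "lock" (tclass=lnk_file), which on a Fedora 18 host where /var/lock points to /run/lock is the /var/lock link itself and not the regular file /var/lock/xl listed in comment 15; and the `grep xend_var_lib_t` in comment 8 selects only the xend_var_lib_t denial, so a module built from that grep would not contain the var_lock_t:lnk_file rule that comment 10 asks about. The sample records are copied from comments 2 and 19; the `I386_SYSCALLS` table is deliberately limited to the two numbers that occur there, and every function name is this example's own.

```python
"""Join SELinux AVC denials to their SYSCALL records and render the allow
rules that audit2allow would generate for them. Added example for this
bug report; not code from selinux-policy, Xen or any commenter."""
import errno
import re

# Constructed sample input: two AVC/SYSCALL pairs copied from comment 19 and
# the lone AVC copied from comment 2 of this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370005584.597:378): avc:  denied  { read } for  pid=4388 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.597:378): arch=40000003 syscall=33 success=no exit=-13 a0=805ff71 a1=0 a2=806b000 a3=806b800 items=0 ppid=4387 pid=4388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1370005584.626:382): avc:  denied  { read } for  pid=4393 comm="xl" name="lock" dev="sdb2" ino=262201 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1370005584.626:382): arch=40000003 syscall=5 success=no exit=-13 a0=89606b8 a1=8041 a2=80 a3=bfb61f65 items=0 ppid=4370 pid=4393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="xl" exe="/usr/sbin/xl" subj=system_u:system_r:virsh_t:s0 key=(null)
type=AVC msg=audit(1367795320.749:472): avc:  denied  { read } for  pid=5465 comm="xl" name="userdata-d.7.a5bc860a-fbc8-407c-aac5-ad643c1972d3.xl" dev="sdb2" ino=262485 scontext=system_u:system_r:virsh_t:s0 tcontext=unconfined_u:object_r:xend_var_lib_t:s0 tclass=file
"""

# arch=40000003 is AUDIT_ARCH_I386. Assumption: only the two i386 syscall
# numbers that occur in this bug's records are listed; extend as needed.
I386_SYSCALLS = {5: "open", 33: "access"}

_SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _fields(line):
    """Split an audit record into key=value pairs, stripping quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def _type_of(context):
    """Return the type component of a user:role:type:level context."""
    return context.split(":")[2]


def parse_audit_log(text):
    """Return one dict per AVC denial, joined to its SYSCALL record by serial.

    Assumes one AVC record per serial, which holds for the records on this
    page; a syscall that triggers several denials would need a list here.
    """
    events = {}
    for line in text.splitlines():
        m = _SERIAL.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"serial": m.group(1)})
        f = _fields(line)
        if f.get("type") == "AVC":
            avc = _AVC.search(line)
            if avc:
                ev.update(perms=avc.group("perms").split(),
                          source=_type_of(avc.group("scontext")),
                          target=_type_of(avc.group("tcontext")),
                          tclass=avc.group("tclass"),
                          comm=f.get("comm"), name=f.get("name"))
        elif f.get("type") == "SYSCALL":
            nr = int(f["syscall"])
            is_i386 = f.get("arch") == "40000003"
            ev.update(exe=f.get("exe"),
                      syscall=I386_SYSCALLS.get(nr, str(nr)) if is_i386 else str(nr),
                      errno=errno.errorcode.get(-int(f["exit"]), f["exit"]))
    # Drop serials that carried only a SYSCALL record or an unparsable AVC.
    return [ev for ev in events.values() if "perms" in ev]


def describe(ev):
    """One-line forensic summary of a joined denial."""
    call = ("%s() -> %s" % (ev["syscall"], ev["errno"]) if "syscall" in ev
            else "no SYSCALL record")
    return "serial %s: %s denied %s on %s:%s name=%r (%s)" % (
        ev["serial"], ev["source"], " ".join(ev["perms"]),
        ev["target"], ev["tclass"], ev["name"], call)


def _perm_text(perms):
    """Render a permission set the way audit2allow prints it."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ %s }" % " ".join(p)


def allow_rules(events):
    """Merge denials into one TE rule per (source, target, class)."""
    merged = {}
    for ev in events:
        key = (ev["source"], ev["target"], ev["tclass"])
        merged.setdefault(key, set()).update(ev["perms"])
    return ["allow %s %s:%s %s;" % (s, t, c, _perm_text(p))
            for (s, t, c), p in merged.items()]


def module_te(name, events):
    """Render the .te source equivalent to `audit2allow -M name`, so the
    rules can be reviewed before `semodule -i name.pp` installs them."""
    types = sorted({ev["source"] for ev in events} | {ev["target"] for ev in events})
    classes = {}
    for ev in events:
        classes.setdefault(ev["tclass"], set()).update(ev["perms"])
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, _perm_text(p)) for c, p in classes.items()]
    out += ["}", ""] + allow_rules(events)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev in evs:
        print(describe(ev))
    print(module_te("mypol", evs))
```

Run it as is to print the joined events and the generated mypol.te for the embedded sample; on a live host, feed it the output of `ausearch -m avc,syscall -ts recent` instead. A module generated this way grants exactly what was denied and nothing more, which is the right scope for a local workaround, but a rule such as `allow virsh_t var_lock_t:lnk_file read;` is still a policy change and should be removed again (`semodule -r mypol`) once a distribution policy that carries the fix is installed.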

Comment 20 Miroslav Grepl 2013-06-04 12:23:28 UTC
Could you try to execute

# systemctl stop xendomains.service

remove the lock file and try to start the service.

Comment 21 Robby 2013-06-05 18:59:28 UTC
Okay, I tried it, even rebooted the machine, verified that the file was gone, and then tried to start the service, but the same messages keep appearing.

Comment 22 Miroslav Grepl 2013-06-10 11:52:22 UTC
Milos,
could we set up a machine with Xen?

