Vanilla F7 install + Xen: selinux problems on guest creation.

Mike Carney mc-al34luc at sbcglobal.net
Fri Jun 15 14:51:31 UTC 2007


Greetings,

Just installed F7 from DVD, and installed Xen/Xen kernel. Then ran yum to
pick up the latest updates. When attempting to create a F7 guest using
virt-install, I see the following errors in the audit.log, and the creation
fails:

type=AVC msg=audit(1181917818.119:37): avc:  denied  { write } for  pid=3032
comm="block" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5
success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029
pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="block" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917818.139:38): avc:  denied  { write } for  pid=3041
comm="vif-bridge" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5
success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035
pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.741:55): avc:  denied  { write } for  pid=3269
comm="vif-bridge" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5
success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266
pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.853:56): avc:  denied  { write } for  pid=3290
comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5
success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275
pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.893:57): avc:  denied  { write } for  pid=3289
comm="block" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5
success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="block" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917918.941:58): avc:  denied  { write } for  pid=3300
comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5
success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

audit2allow recommends the following policy rule:
audit2allow < audit.log


#============= udev_t ==============
allow udev_t xend_var_log_t:dir write;

Has this fix already been made, or do I need to load this change into the
policy db myself?

Thanks!
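Before turning AVC denials like the ones above into an allow rule, it helps to summarize them: which source type, which target type and object class, which permissions, and which commands triggered them. The script below is an added example written for this post (it is not the poster's code and not part of audit2allow or the SELinux tools); it parses records in the field layout shown above, re-joins records that a mail client has wrapped across lines, groups the denials, and renders each group in the `allow src tgt:class perms;` form audit2allow prints. The sample records are constructed for the example and copy only the shape of the poster's entries.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records wrapped the way they appear in the post,
# plus a SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181917818.119:37): avc:  denied  { write } for  pid=3032
comm="block" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5
success=no exit=-13 comm="block" exe="/bin/bash"
type=AVC msg=audit(1181917818.139:38): avc:  denied  { write } for  pid=3041
comm="vif-bridge" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=AVC msg=audit(1181917918.853:56): avc:  denied  { write } for  pid=3290
comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
"""

# Pulls decision, permission set and the three context fields out of one record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def join_wrapped(text):
    """audit.log writes one record per line; mail clients wrap them.
    Lines that do not start with 'type=' are continuations of the previous record."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def type_of(context):
    """user:role:type:range -> type (e.g. udev_t)."""
    return context.split(":")[2]


def parse_avc(record):
    """Return the interesting fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(record)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', record)
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        "comm": comm.group(1) if comm else None,
    }


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class); merge permissions
    and remember which commands triggered each group."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for record in join_wrapped(log_text):
        rec = parse_avc(record)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        if rec["comm"]:
            g["comms"].add(rec["comm"])
    return dict(groups)


def allow_rules(log_text):
    """Render each group as the allow rule audit2allow would propose
    (one permission bare, several in braces)."""
    rules = []
    for (src, tgt, cls), g in sorted(summarize_denials(log_text).items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules


if __name__ == "__main__":
    for key, g in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(key, "count=%d" % g["count"], "comms=%s" % sorted(g["comms"]))
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

On the sample this collapses three denials from three different hotplug scripts (block, vif-bridge, xen-hotplug-cleanup) into the single `allow udev_t xend_var_log_t:dir write;` rule the post quotes. Seeing the grouped view, with the commands and the one target directory involved, is what you want in front of you before deciding whether a local policy module is warranted or whether the label on that one directory is what should change.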

More information about the fedora-selinux-list mailing list