Vanilla F7 install + Xen: selinux problems on guest creation.

Daniel J Walsh dwalsh at redhat.com
Wed Jun 20 10:47:46 UTC 2007


Mike Carney wrote:
> Greetings,
>
> Just installed F7 from DVD, and installed Xen/Xen kernel. Then ran yum to
> pick up the latest updates. When attempting to create a F7 guest using
> virt-install, I see the following errors in the audit.log, and the creation
> fails:
>
> type=AVC msg=audit(1181917818.119:37): avc:  denied  { write } for  pid=3032
> comm="block" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5
> success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029
> pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="block" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917818.139:38): avc:  denied  { write } for  pid=3041
> comm="vif-bridge" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5
> success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035
> pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.741:55): avc:  denied  { write } for  pid=3269
> comm="vif-bridge" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.741:55): arch=40000003 syscall=5
> success=no exit=-13 a0=84f7ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3266
> pid=3269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.853:56): avc:  denied  { write } for  pid=3290
> comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.853:56): arch=40000003 syscall=5
> success=no exit=-13 a0=850db58 a1=8441 a2=1b6 a3=8441 items=0 ppid=3275
> pid=3290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.893:57): avc:  denied  { write } for  pid=3289
> comm="block" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.893:57): arch=40000003 syscall=5
> success=no exit=-13 a0=9b4d548 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
> pid=3289 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="block" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1181917918.941:58): avc:  denied  { write } for  pid=3300
> comm="xen-hotplug-cle" name="xen" dev=sda7 ino=29298
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
> type=SYSCALL msg=audit(1181917918.941:58): arch=40000003 syscall=5
> success=no exit=-13 a0=930fb68 a1=8441 a2=1b6 a3=8441 items=0 ppid=3268
> pid=3300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="xen-hotplug-cle" exe="/bin/bash"
> subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
>
> audit2allow recommends the following policy rule:
> audit2allow < audit.log
>
>
> #============= udev_t ==============
> allow udev_t xend_var_log_t:dir write;
>
> Has this fix already been made, or do I need to load this change into the
> policy db myself?
>
> Thanks!
>
>   
Try selinux-policy-2.6.4-20 in fedora-testing.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
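As an added example (not part of the thread): a small Python triage helper that parses AVC records like the ones quoted above, joins each with its SYSCALL record by audit id, and collapses them into the same `allow udev_t xend_var_log_t:dir write;` rule audit2allow printed, while keeping track of which Xen hotplug helpers triggered each denial. The sample input is the first two denial/syscall pairs from the post re-joined onto single lines; the function names are my own.

```python
import re
from collections import defaultdict

# First two denial/syscall pairs from the audit.log excerpt above, re-joined
# onto one line each as auditd writes them (the mail client wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181917818.119:37): avc:  denied  { write } for  pid=3032 comm="block" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.119:37): arch=40000003 syscall=5 success=no exit=-13 a0=9aba538 a1=8441 a2=1b6 a3=8441 items=0 ppid=3029 pid=3032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="block" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1181917818.139:38): avc:  denied  { write } for  pid=3041 comm="vif-bridge" name="xen" dev=sda7 ino=29298 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xend_var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1181917818.139:38): arch=40000003 syscall=5 success=no exit=-13 a0=9947ad0 a1=8441 a2=1b6 a3=8441 items=0 ppid=3035 pid=3041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="vif-bridge" exe="/bin/bash" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*?\bexit=(?P<exit>-?\d+).*?\bexe="(?P<exe>[^"]*)"')

def type_of(context):
    """Type field of an SELinux context user:role:type[:range], e.g. udev_t."""
    return context.split(":")[2]

def parse_denials(text):
    """One dict per AVC denial, joined with its SYSCALL record by the audit id."""
    avcs, syscalls = {}, {}
    for line in text.splitlines():
        if (m := AVC_RE.match(line)):
            avcs[m["id"]] = dict(m.groupdict(), perms=set(m["perms"].split()))
        elif (m := SYSCALL_RE.match(line)):
            syscalls[m["id"]] = {"exe": m["exe"], "exit": int(m["exit"])}  # -13 is EACCES
    for aid, d in avcs.items():
        d.update(syscalls.get(aid, {"exe": None, "exit": None}))
    return list(avcs.values())

def summarize(denials):
    """Collapse denials as audit2allow does: (source, target, class) -> perms, plus the helpers that hit it."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        rules[key]["perms"] |= d["perms"]
        rules[key]["comms"].add(d["comm"])
    return dict(rules)

def allow_rules(summary):
    """Render the summary as the allow rules audit2allow would print."""
    return [f"allow {s} {t}:{c} {' '.join(sorted(v['perms']))};"
            for (s, t, c), v in sorted(summary.items())]
```

Knowing which helpers (block, vif-bridge, xen-hotplug-cle) hit the same rule, and that every syscall failed with EACCES, makes it easier to check whether an updated selinux-policy package already covers the denial before loading a local module built from the generated rule.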