View Issue Details

ID: 0004329
Project: CentOS-5
Category: selinux-policy
View Status: public
Last Update: 2010-05-21 12:53
Reporter: gem
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.5
Target Version:
Fixed in Version:
Summary: 0004329: Missing selinux rules/labels for /etc/xen
Description: After upgrading 5.4 to 5.5, xendomains cannot access /etc/xen files due to the selinux policy; after rebooting dom0 the /etc/xen/auto domUs don't start; starting domUs manually with 'xm create <vmname>' works fine; running '/etc/init.d/xendomains status' returns:

Error: Unable to open config file: /etc/xen/auto/<vmname>

After setting selinux to permissive or disabled the problem disappears.
The same problem is addressed by the upstream bug '554777' and fixed in selinux-policy-2.4.6-270.el5; the current version on CentOS 5.5 is:
Name : selinux-policy
Version : 2.4.6
Release : 279.el5
Additional Information: messages in /var/log/audit/audit.log

type=AVC msg=audit(1274344157.865:144): avc: denied { read } for pid=9866 comm="xm" name="FootPrints" dev=dm-0 ino=413822 scontext=root:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1274344157.865:144): arch=40000003 syscall=195 success=no exit=-13 a0=8aeaca8 a1=bf978ee8 a2=af9ff4 a3=8a9c1b0 items=0 ppid=9865 pid=9866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="xm" exe="/usr/bin/python" subj=root:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1274344157.865:145): avc: denied { read } for pid=9866 comm="xm" name="<vmname>" dev=dm-0 ino=413822 scontext=root:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
Tags: No tags attached.

Activities

range (administrator) 2010-05-20 09:57 ~0011304

I cannot reproduce that:

root@lillesand:~# uname -a
Linux lillesand.br.de 2.6.18-194.3.1.el5xen #1 SMP Thu May 13 13:49:53 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
root@lillesand:~# uptime
 11:53:19 up 4 min, 1 user, load average: 0.08, 0.24, 0.11
root@lillesand:~# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 6453 4 r----- 56.0
kiste 1 519 1 -b---- 4.0
nagios-test 2 511 1 -b---- 1.7
on3-backup 3 511 1 -b---- 0.1
root@lillesand:~# grep virt_etc_rw /var/log/audit/audit.log
root@lillesand:~# rpm -q selinux-policy
selinux-policy-2.4.6-279.el5.noarch

This machine has just been updated:
root@lillesand:~# date
Do 20. Mai 11:56:15 CEST 2010
root@lillesand:~# rpm -qa --last | head -1
NetworkManager-0.7.0-10.el5 Do 20 Mai 2010 11:36:29 CEST


So could you please do a "touch /.autorelabel" and then reboot the machine? And see if the issue still persists?
range (administrator) 2010-05-20 10:02 ~0011305

xendomains status really does not work when run from the command line.
gem (reporter) 2010-05-20 12:55 ~0011310

After rebooting, SELinux did relabel the files, but again the autostart of domUs doesn't work.

[root@rx300 ~]# uname -a
Linux rx300.gem.local 2.6.18-194.el5xen #1 SMP Fri Apr 2 16:16:54 EDT 2010 i686 i686 i386 GNU/Linux
[root@rx300 ~]# uptime
 14:29:43 up 5:40, 1 user, load average: 0.07, 0.06, 0.01
[root@rx300 ~]# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 3813 4 r----- 1513.3
FootPrints 5 1499 1 -b---- 2869.8
gembox 3 399 1 -b---- 84.2
remlog 4 399 1 -b---- 155.3
zimbra 2 1999 2 -b---- 6837.6
[root@rx300 ~]# grep virt_etc_rw /var/log/audit/audit.log
type=AVC msg=audit(1274304143.679:11): avc: denied { read } for pid=5747 comm="xm" name="FootPrints" dev=dm-0 ino=413822 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1274304143.935:17): avc: denied { read } for pid=5769 comm="xm" name="gembox" dev=dm-0 ino=413828 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1274304144.187:23): avc: denied { read } for pid=5790 comm="xm" name="remlog" dev=dm-0 ino=413736 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1274304144.439:29): avc: denied { read } for pid=5811 comm="xm" name="zimbra" dev=dm-0 ino=412690 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file

... truncated; the same lines appear many times


[root@rx300 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-279.el5
[root@rx300 ~]# date
Thu May 20 14:32:15 CEST 2010
[root@rx300 ~]# rpm -qa --last | head -1
xen-3.0.3-105.el5 Wed 19 May 2010 11:03:21 AM CEST
[root@rx300 ~]# touch /.autorelabel
[root@rx300 ~]# reboot

....


[root@rx300 ~]# ls -lZR /etc/xen/

/etc/xen/:
drwxr-xr-x root root system_u:object_r:virt_etc_rw_t auto
-rw-r--r-- root root system_u:object_r:virt_etc_t FootPrints
-rw-r--r-- root root system_u:object_r:virt_etc_t FPTest
-rw-r--r-- root root system_u:object_r:virt_etc_t gembox
-rw-r--r-- root root system_u:object_r:virt_etc_t gemboxtest
-rwxr-xr-x root root system_u:object_r:bin_t qemu-ifup
-rw-r--r-- root root system_u:object_r:virt_etc_t remlog
drwxr-xr-x root root system_u:object_r:bin_t scripts
-rw-r--r-- root root system_u:object_r:virt_etc_t xend-config.sxp
-rw-r--r-- root root system_u:object_r:virt_etc_t xend-config.sxp.rpmold
-rw-r--r-- root root system_u:object_r:virt_etc_t xend-pci-permissive.sxp
-rw-r--r-- root root system_u:object_r:virt_etc_t xend-pci-quirks.sxp
-rw-r--r-- root root system_u:object_r:virt_etc_t xmexample1
-rw-r--r-- root root system_u:object_r:virt_etc_t xmexample2
-rw-r--r-- root root system_u:object_r:virt_etc_t xmexample.hvm
-rw-r--r-- root root system_u:object_r:virt_etc_t xmexample.vti
-rw-r--r-- root root system_u:object_r:virt_etc_t zimbra
-rw-r--r-- root root system_u:object_r:virt_etc_t zimbratest

/etc/xen/auto:
lrwxrwxrwx root root system_u:object_r:virt_etc_rw_t FootPrints -> /etc/xen/FootPrints
lrwxrwxrwx root root system_u:object_r:virt_etc_rw_t gembox -> /etc/xen/gembox
lrwxrwxrwx root root system_u:object_r:virt_etc_rw_t remlog -> /etc/xen/remlog
lrwxrwxrwx root root system_u:object_r:virt_etc_rw_t zimbra -> /etc/xen/zimbra

/etc/xen/scripts:
-rwxr-xr-x root root system_u:object_r:bin_t blktap
-rwxr-xr-x root root system_u:object_r:bin_t block
-rw-r--r-- root root system_u:object_r:bin_t block-common.sh
-rwxr-xr-x root root system_u:object_r:bin_t block-enbd
-rwxr-xr-x root root system_u:object_r:bin_t block-nbd
-rwxr-xr-x root root system_u:object_r:bin_t external-device-migrate
-rwxr-xr-x root root root:object_r:bin_t gem-network-bridge
-rw-r--r-- root root system_u:object_r:bin_t locking.sh
-rw-r--r-- root root system_u:object_r:bin_t logging.sh
-rwxr-xr-x root root system_u:object_r:bin_t network-bridge
-rwxr-xr-x root root system_u:object_r:bin_t network-bridge-bonding
-rwxr-xr-x root root system_u:object_r:bin_t network-nat
-rwxr-xr-x root root system_u:object_r:bin_t network-route
-rwxr-xr-x root root system_u:object_r:bin_t vif-bridge
-rw-r--r-- root root system_u:object_r:bin_t vif-common.sh
-rwxr-xr-x root root system_u:object_r:bin_t vif-nat
-rwxr-xr-x root root system_u:object_r:bin_t vif-route
-rwxr-xr-x root root system_u:object_r:bin_t vtpm
-rw-r--r-- root root system_u:object_r:bin_t vtpm-common.sh
-rwxr-xr-x root root system_u:object_r:bin_t vtpm-delete
-rw-r--r-- root root system_u:object_r:bin_t vtpm-hotplug-common.sh
-rw-r--r-- root root system_u:object_r:bin_t vtpm-impl
-rw-r--r-- root root system_u:object_r:bin_t vtpm-migration.sh
-rwxr-xr-x root root system_u:object_r:bin_t xen-hotplug-cleanup
-rw-r--r-- root root system_u:object_r:bin_t xen-hotplug-common.sh
-rw-r--r-- root root system_u:object_r:bin_t xen-network-common-bonding.sh
-rw-r--r-- root root system_u:object_r:bin_t xen-network-common.sh
-rw-r--r-- root root system_u:object_r:bin_t xen-script-common.sh
[root@rx300 ~]#


Again, 'xm create <vmname>' works.
gem (reporter) 2010-05-20 12:58 ~0011311

[root@rx300 ~]# /etc/init.d/xendomains status
Checking for xendomains:Error: Unable to open config file: /etc/xen/auto/FootPrints
Error: Unable to open config file: /etc/xen/auto/gembox
Error: Unable to open config file: /etc/xen/auto/remlog
Error: Unable to open config file: /etc/xen/auto/zimbra
 MISS AUTO: [dead] [FAILED]
[root@rx300 ~]#
range (administrator) 2010-05-20 13:39 ~0011312

> [root@rx300 ~]# xm list
> Name ID Mem(MiB) VCPUs State Time(s)
> Domain-0 0 3813 4 r----- 1513.3
> FootPrints 5 1499 1 -b---- 2869.8
> gembox 3 399 1 -b---- 84.2
> remlog 4 399 1 -b---- 155.3
> zimbra 2 1999 2 -b---- 6837.6

Ummm. Correct me if I am wrong, but doesn't that mean that they *are* running?
gem (reporter) 2010-05-20 14:00 ~0011313

Yes, now they are. But I had to start them manually using xm create from the command line; until the last upgrade to 5.5 they used to start automatically when dom0 booted up, now they don't; /etc/init.d/xendomains status used to show [OK] and now it doesn't; in /var/log/audit/audit.log I now find many errors related to xen, and before the upgrade it was not so; if I disable selinux everything works fine; it seems to me that selinux has something wrong with the xen config files; Red Hat has a bug ('554777') for a similar problem.
range (administrator) 2010-05-20 14:49 ~0011315

As said, I cannot reproduce this. Mine have started automatically. And yes, this is supposed to be fixed in the version which is in CentOS 5.5 - the question is: Can that be reproduced on RHEL? Or is it an issue which only CentOS has?
gem (reporter) 2010-05-20 15:21 ~0011316

I'm running CentOS, not RHEL; I was just googling around for my problem and found the RHEL bug.
range (administrator) 2010-05-20 18:46 ~0011320

Something I cannot test right now: What happens if you do not softlink the file, but put a hard link there (I guess I can test tomorrow)?
gem (reporter) 2010-05-21 08:21 ~0011321

Replacing symlinks with hardlinks in /etc/xen/auto/ solves the problem:

[root@rx300 auto]# ll -Z
-rw-r--r-- root root system_u:object_r:virt_etc_t FootPrints
-rw-r--r-- root root system_u:object_r:virt_etc_t gembox
-rw-r--r-- root root system_u:object_r:virt_etc_t remlog
-rw-r--r-- root root system_u:object_r:virt_etc_t zimbra
[root@rx300 auto]# /etc/init.d/xendomains status
Checking for xendomains: FootPrints gembox remlog zimbra[ru[ OK ]
[root@rx300 auto]#

Anyway, the symlinks used to work in version 5.4.

If I create a new symlink in /etc/xen/auto/ it gets the "root:object_r:virt_etc_rw_t" label and xendomains still can't read it.
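The denials quoted in this issue can be triaged the way audit2allow does it: parse the AVC records (including ones a paste wrapped mid-field, as in the report above), collapse them to source type, target type and object class, and render the rule the policy is missing. This is an added example, not the reporter's or the CentOS project's code; the sample records are constructed after the ones pasted in this issue, and the rendered rule is meant to be compared with the upstream policy fix, not loaded as-is.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the denials pasted in this issue; the second
# record is wrapped mid-field ("t" / "context=") the way the report was pasted.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1274304143.679:11): avc: denied { read } for pid=5747 comm="xm" name="FootPrints" dev=dm-0 ino=413822 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1274344157.865:144): avc: denied { read } for pid=9866 comm="xm" name="FootPrints" dev=dm-0 ino=413822 scontext=root:system_r:xm_t:s0 t
context=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1274344157.865:144): arch=40000003 syscall=195 success=no exit=-13 comm="xm" exe="/usr/bin/python"
type=AVC msg=audit(1274304143.935:17): avc: denied { read } for pid=5769 comm="xm" name="gembox" dev=dm-0 ino=413828 scontext=system_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def join_wrapped(text):
    """Re-join audit records wrapped by a pager or paste: a line that does not
    start with 'type=' continues the previous record (no separator added)."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def type_of(context):
    """The SELinux type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_denials(text):
    """Map (source type, target type, object class) -> set of denied perms."""
    denials = defaultdict(set)
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if m:  # SYSCALL and other record types carry no denial
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)

def allow_rules(denials):
    """Render the audit2allow-style TE rules the denials would need; check
    them against the upstream policy fix before loading a local module."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in denials.items())
```

Run against a real /var/log/audit/audit.log the same functions show whether anything beyond xm_t reading virt_etc_rw_t symlinks is being denied, which is the question the thread left open.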
range (administrator) 2010-05-21 09:04 ~0011322

Then that seems to be a bug in upstream's SELinux policy. Do you want to add to the upstream ticket or do you want me to do that?
gem (reporter) 2010-05-21 10:14 ~0011323

I prefer you to do that, thank you so much.
If you need some other information don't hesitate...
range (administrator) 2010-05-21 12:53 ~0011324

Updated https://bugzilla.redhat.com/show_bug.cgi?id=554777 but I cannot reopen it.

Issue History

Date Modified Username Field Change
2010-05-20 08:33 gem New Issue
2010-05-20 09:57 range Note Added: 0011304
2010-05-20 10:02 range Note Added: 0011305
2010-05-20 12:55 gem Note Added: 0011310
2010-05-20 12:58 gem Note Added: 0011311
2010-05-20 13:39 range Note Added: 0011312
2010-05-20 14:00 gem Note Added: 0011313
2010-05-20 14:49 range Note Added: 0011315
2010-05-20 15:21 gem Note Added: 0011316
2010-05-20 18:46 range Note Added: 0011320
2010-05-21 08:21 gem Note Added: 0011321
2010-05-21 09:04 range Note Added: 0011322
2010-05-21 10:14 gem Note Added: 0011323
2010-05-21 12:53 range Note Added: 0011324