Bug 233777 - virt-manager: abort at virDomainCreateLinux() due to AVC denied
Summary: virt-manager: abort at virDomainCreateLinux() due to AVC denied
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-03-24 23:10 UTC by ericm24x7
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-08-22 14:17:28 UTC

Attachments
output of AVC denied {tapdisk} (deleted), 2007-03-24 23:10 UTC, ericm24x7
AVC denied output: xen-hotplug-cle (udev_t) (deleted), 2007-03-25 00:34 UTC, ericm24x7
AVC denied output: xen read to config.sxp (deleted), 2007-03-25 00:35 UTC, ericm24x7

Description ericm24x7 2007-03-24 23:10:51 UTC
Description of problem:
virt-manager aborting at virDomainCreateLinux() due to selinux access denial
(AVC denied). Here is a summary of the 2 AVC denied messages:
1.  SELinux is preventing /usr/sbin/tapdisk (xend_t) "read" to img
2.  SELinux is preventing /usr/sbin/tapdisk (xend_t) "read" to img

Version-Release number of selected component (if applicable):
virt-manager 0.3.2-1.fc7
xen 3.0.4-9.fc7
selinux-policy 2.5.9-5.fc7

How reproducible:

Steps to Reproduce:
1. run xen environment
2. execute virt-manager
3. sample source install tree:
   sample image: /var/lib/xen/images/img/v41f2.i
   NOTE linked directory: /var/lib/xen/images/img -> /a/img

Actual results:
virt-manager console display of error message:
ERROR: virDomainCreateLinux() failed POST operation failed: (xend.err 'Device 0
(vif) could not be connected. Hotplug scripts not working.')

Comment 1 ericm24x7 2007-03-24 23:10:51 UTC
Created attachment 150837 [details]
output of AVC denied {tapdisk}

Comment 2 ericm24x7 2007-03-25 00:34:33 UTC
Created attachment 150838 [details]
AVC denied output: xen-hotplug-cle (udev_t)

Comment 3 ericm24x7 2007-03-25 00:35:45 UTC
Created attachment 150839 [details]
AVC denied output: xen  read to config.sxp

Comment 4 Daniel Walsh 2007-03-26 17:38:12 UTC
In the future please add three different Bugzillas and attach them to the
package, not to SELinux, and cc me if you would. The first one is a bug in
policy, which should allow xend to read symbolic links labeled xen_device_t.
The second one I am not sure why udev would want to read xend_log_t.

The third bugzilla looks like a mislabeled config.sxp.  This should not be
labeled tmp_t.  Running restorecon config.sxp would probably fix.  Not sure what
this file is and how it was created but if it was created in /tmp and then mv'd
somewhere it could have the wrong context on it.
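
The distinction drawn in Comment 4, a policy gap (labels are right, xend_t simply has no rule for xen_device_t symlinks) versus a mislabeled file that restorecon fixes, is the first triage step for any AVC denial. The Python below, added here as an example and not part of the bug report or of selinux-policy, parses raw audit.log AVC records and sorts them that way. The three sample records are constructed stand-ins for the deleted attachments: they reuse only the domains and types named in the comments, while the pids, inodes, timestamps and the /var/lib/xen/images/img/config.sxp path are assumptions.

```python
"""Parse raw SELinux AVC denials and sort them into "mislabeled file" vs
"policy gap", the distinction Comment 4 draws.  Added example; not part of
the bug report or of selinux-policy."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in the layout of /var/log/audit/audit.log.
# They are illustrative stand-ins for the three (deleted) attachments and
# reuse only the domains and types the comments name; pids, inodes, dev,
# timestamps and the config.sxp path are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1174777851.401:102): avc:  denied  { read } for  pid=3117 comm="tapdisk" name="img" dev=dm-0 ino=65601 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:xen_device_t:s0 tclass=lnk_file
type=AVC msg=audit(1174782873.118:140): avc:  denied  { read } for  pid=3290 comm="xen-hotplug-cle" name="xen-hotplug.log" dev=dm-0 ino=65720 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:xend_log_t:s0 tclass=file
type=AVC msg=audit(1174782945.774:151): avc:  denied  { read } for  pid=3117 comm="xend" path="/var/lib/xen/images/img/config.sxp" dev=dm-0 ino=65777 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1174782945.774:151): arch=40000003 syscall=5 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: Optional[str]  # path= if the kernel recorded it, else name=

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]  # user:role:TYPE:level

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial on this audit line, or None for non-AVC/non-denial lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return AvcDenial(
            perms=tuple(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            target=fields.get("path") or fields.get("name"),
        )
    except KeyError:
        return None  # truncated record: no contexts to reason about


def triage(d: AvcDenial) -> str:
    """'mislabel'   : target carries tmp_t but lives outside /tmp -> restorecon it
    'check-label': tmp_t target but the kernel logged only a basename -> ls -Z first
    'policy'     : labels look right, so the policy lacks (or must gain) the rule"""
    if d.target_type == "tmp_t":
        if d.target and d.target.startswith("/") and not d.target.startswith("/tmp/"):
            return "mislabel"
        return "check-label"
    return "policy"


def suggested_fix(d: AvcDenial) -> str:
    verdict = triage(d)
    if verdict == "mislabel":
        return f"restorecon -v {d.target}"
    if verdict == "check-label":
        return f"ls -Z the file named {d.target!r}; restorecon it if it is outside /tmp"
    return (f"file a selinux-policy bug: {d.source_type} needs "
            f"{{ {' '.join(d.perms)} }} on {d.target_type}:{d.tclass}")


def triage_log(text: str) -> List[AvcDenial]:
    return [d for d in map(parse_avc, text.splitlines()) if d]


if __name__ == "__main__":
    for d in triage_log(SAMPLE_AUDIT_LOG):
        print(f"{d.comm:16} {d.source_type:8} -> {d.target_type:14} "
              f"{d.tclass:9} {triage(d):11} {suggested_fix(d)}")
```

Run it directly to print one triage line per denial. The 'check-label' verdict means the kernel logged only a basename, so on a real host `ls -Z` on the file (and `matchpathcon` on its path) tells you whether the on-disk label matches the policy default before you reach for audit2allow. The tmp_t heuristic is exactly the case Comment 4 describes: `mv` keeps the security context a file was created with, whereas `cp` or `restorecon` gives it the default for its new location.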

Comment 5 Eric Paris 2007-03-30 16:03:37 UTC
"The second one I am not sure why udev would want to read xend_log_t."

I'm not sure either but I saw a machine yesterday where all sorts of scripts
under /etc/xen/scripts (all labeled bin_t) were being called and running in the
udev_t domain.  A search of ps -efZ | grep udev only showed one process running
as udev_t (udev)

does udev now call xen scripts for some reason and didn't use to?

Comment 6 Daniel Walsh 2007-04-10 19:02:14 UTC
Fixed in   selinux-policy-2.5.11-8.fc7

Comment 7 Daniel Walsh 2007-08-22 14:17:28 UTC
Should be fixed in the current release
