Xendomains and SELinux


When /etc/init.d/xendomains runs, either during reboot or manually, this error pops up:

Error: Unable to open config file: /etc/xen/auto/domu1

/etc/xen/auto/domu1 is a symbolic link to the domU configuration file /etc/xen/vm/domu1. SELinux again :-)

Tailing the log and trying again:

tail -f /var/log/audit/audit.log

Here is what the log revealed:

# cat audit_log.txt

type=SYSCALL msg=audit(1270657701.504:117): arch=c000003e syscall=4 success=no exit=-13 a0=82aa7a0 a1=7fff0e2851d0 a2=7fff0e2851d0 a3=0 items=0 ppid=6671 pid=6735 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.648:118): avc:  denied  { read } for  pid=6742 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.648:118): arch=c000003e syscall=4 success=no exit=-13 a0=5410630 a1=7fffc4b3f220 a2=7fffc4b3f220 a3=2b1b3d465ee8 items=0 ppid=6741 pid=6742 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.648:119): avc:  denied  { read } for  pid=6742 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.648:119): arch=c000003e syscall=4 success=no exit=-13 a0=5410630 a1=7fffc4b3f220 a2=7fffc4b3f220 a3=0 items=0 ppid=6741 pid=6742 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.648:120): avc:  denied  { read } for  pid=6742 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.648:120): arch=c000003e syscall=4 success=no exit=-13 a0=5410630 a1=7fffc4b3f220 a2=7fffc4b3f220 a3=0 items=0 ppid=6741 pid=6742 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.952:121): avc:  denied  { read } for  pid=6756 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.952:121): arch=c000003e syscall=4 success=no exit=-13 a0=b4b780 a1=7fffc2851940 a2=7fffc2851940 a3=2b5d287a1ee8 items=0 ppid=6671 pid=6756 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.952:122): avc:  denied  { read } for  pid=6756 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.952:122): arch=c000003e syscall=4 success=no exit=-13 a0=b4b780 a1=7fffc2851940 a2=7fffc2851940 a3=0 items=0 ppid=6671 pid=6756 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1270657701.952:123): avc:  denied  { read } for  pid=6756 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1270657701.952:123): arch=c000003e syscall=4 success=no exit=-13 a0=b4b780 a1=7fffc2851940 a2=7fffc2851940 a3=0 items=0 ppid=6671 pid=6756 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="xm" exe="/usr/bin/python" subj=user_u:system_r:xm_t:s0 key=(null)

Basically, the current policy (RHEL5 default) doesn't allow the xm tool that xendomains runs (domain xm_t) to follow the link (labelled virt_etc_rw_t) and read the domU configuration file. A new policy module is required.

Create the new policy module from the captured denials:

audit2allow -M xendRules < audit_log.txt

Here is the content of the generated xendRules.te:

module xendRules 1.0;

require {
        type xm_t;
        type virt_etc_rw_t;
        class lnk_file read;
}

#============= xm_t ==============
allow xm_t virt_etc_rw_t:lnk_file read;

Loading the new module:

semodule -i xendRules.pp

And now /etc/init.d/xendomains restart works fine.
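As an added example (not from the original page), here is a small Python script that does what the audit2allow step above does with the AVC records: it parses each denial into a (source type, target type, class) triple, renders the same .te module, and lists any rule that would loosen policy for a source type other than xm_t, since audit2allow turns every denial in its input into an allow rule. The sample input is constructed: AVC records copied from the log above plus one made-up httpd denial to show the review step.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records from the audit log above, plus one made-up
# httpd denial to show why the input handed to audit2allow needs review first.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1270657701.648:118): avc:  denied  { read } for  pid=6742 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1270657701.952:121): avc:  denied  { read } for  pid=6756 comm="xm" name="domu1" dev=dm-0 ino=86096 scontext=user_u:system_r:xm_t:s0 tcontext=system_u:object_r:virt_etc_rw_t:s0 tclass=lnk_file
type=AVC msg=audit(1270657799.001:130): avc:  denied  { write } for  pid=7001 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC .*avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:  # SYSCALL and other record types carry no denial
            continue
        # A context is user:role:type:level; allow rules are written on the type field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        denials[(stype, ttype, m.group('tclass'))].update(m.group('perms').split())
    return dict(denials)

def perm_set(perms):
    """One permission is written bare, several inside braces, as .te syntax wants."""
    return ' '.join(sorted(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'

def build_te(denials, name, version='1.0'):
    """Render the denials as a policy module in .te syntax, as audit2allow -M would."""
    keys = sorted(denials)
    types = list(dict.fromkeys([k[0] for k in keys] + [k[1] for k in keys]))
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {perm_set(classes[c])};' for c in sorted(classes)]
    out += ['}']
    for src in dict.fromkeys(k[0] for k in keys):
        out += ['', f'#============= {src} ==============']
        out += [f'allow {s} {t}:{c} {perm_set(denials[(s, t, c)])};' for s, t, c in keys if s == src]
    return '\n'.join(out) + '\n'

def unexpected_rules(denials, expected_sources):
    """audit2allow -M turns every denial in its input into an allow rule; list the ones
    for source types you did not set out to fix, and drop them before semodule -i."""
    return sorted(k for k in denials if k[0] not in expected_sources)
```

Run against the real /var/log/audit/audit.log, grep the input down to the xm denials first (or drop what unexpected_rules reports) so the module grants only the one lnk_file read rule shown above.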
