Debian Bug report logs - #597403
xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems


Package: xen-utils-common; Maintainer for xen-utils-common is Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>; Source for xen-utils-common is src:xen.

Reported by: russell@coker.com.au

Date: Sun, 19 Sep 2010 12:48:01 UTC

Severity: important

Tags: moreinfo, wontfix

Found in version xen-common/4.0.0-1

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 12:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
New Bug report received and forwarded. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 12:48:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sun, 19 Sep 2010 22:45:06 +1000
Package: xen-utils-common
Version: 4.0.0-1
Severity: important

After running modules_setup you need to have the following line:
    [ -x /sbin/restorecon ] && /sbin/restorecon -R /dev/xen


The reason is that the module load causes the kernel to create device nodes in
the devtmpfs.  This bypasses the udev code for labelling the device node and
results in xenstored being unable to access /dev/xen/evtchn and therefore
not working.

In Squeeze+1 this will probably be fixed by upstream changes to the kernel and
udev.

But for Squeeze it would be good if this could get included.  It's one line of
shell code that results in nothing being done if policycoreutils is not
installed.  I can't imagine any way that such a change could break anything.


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xen-utils-common depends on:
ii  gawk                      1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  lsb-base                  3.2-23.1       Linux Standard Base 3.2 init scrip
ii  udev                      160-1          /dev/ and hotplug management daemo
ii  xenstore-utils            4.0.1~rc6-1    Xenstore utilities for Xen

xen-utils-common recommends no packages.

xen-utils-common suggests no packages.

-- Configuration Files:
/etc/init.d/xend changed:
PATH=/usr/lib/xen-common/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Xen daemons"
VERSION=$(xen-version)
ROOT=/usr/lib/xen-$VERSION
XEND="$ROOT"/bin/xend
XENCONSOLED="$ROOT"/bin/xenconsoled
XENCONSOLED_PIDFILE="/var/run/xenconsoled.pid"
XENSTORED="$ROOT"/bin/xenstored
XENSTORED_DIR="/var/run/xenstored"
XENSTORED_PIDFILE="/var/run/xenstore.pid"
[ "$VERSION" ] || exit 0
[ -x "$XEND" ] || exit 0
[ -r /etc/default/xend ] && . /etc/default/xend
. /lib/init/vars.sh
. /lib/lsb/init-functions
modules_setup()
{
	modprobe xenfs 2>/dev/null
	modprobe xen-evtchn 2>/dev/null
}
xenfs_setup()
{
	[ -e "/proc/xen/capabilities" ] && return 0
	log_progress_msg "xenfs"
	[ -d "/proc/xen" ] || return 1
	mount -t xenfs xenfs /proc/xen || return 1
	return 0
}
capability_check()
{
	[ -e "/proc/xen/capabilities" ] || return 1
	grep -q "control_d" /proc/xen/capabilities || return 1
	return 0
}
xend_start()
{
	log_progress_msg "xend"
	$XEND status && return 1
	$XEND start || return 2
	i=0
	while [ $i -lt 10 ]; do
		$XEND status && return 0 || true
		i=$(($i + 1))
		sleep 1
	done
	return 2
}
xend_stop()
{
	log_progress_msg "xend"
	$XEND status || return 0
	$XEND stop || return 1
}
xenconsoled_start()
{
	log_progress_msg "xenconsoled"
	start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE" --exec "$XENCONSOLED" --test > /dev/null \
		|| return 1
	start-stop-daemon --start --quiet --pidfile "$XENCONSOLED_PIDFILE" --exec "$XENCONSOLED" -- \
		$XENCONSOLED_ARGS --pid-file="$XENCONSOLED_PIDFILE" \
		|| return 2
}
xenstored_start()
{
	log_progress_msg "xenstored"
	start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE" --exec "$XENSTORED" --test > /dev/null \
		|| return 1
	[ -d "$XENSTORED_DIR" ] || mkdir -p "$XENSTORED_DIR"
	start-stop-daemon --start --quiet --pidfile "$XENSTORED_PIDFILE" --exec "$XENSTORED" -- \
		$XENSTORED_ARGS --pid-file="$XENSTORED_PIDFILE" \
		|| return 2
}
case "$1" in
  start)
	log_daemon_msg "Starting $DESC"
	modules_setup
	[ -x /sbin/restorecon ] && /sbin/restorecon -R /dev
	xenfs_setup
	case "$?" in
		0) ;;
		*) log_end_msg 1; exit ;;
	esac
	capability_check
	case "$?" in
		0) ;;
		*) log_end_msg 255; exit ;;
	esac
	xenstored_start
	case "$?" in
		0|1) ;;
		*) log_end_msg 1; exit ;;
	esac
	xenconsoled_start
	case "$?" in
		0|1) ;;
		*) log_end_msg 1; exit ;;
	esac
	xend_start
	case "$?" in
		0|1) ;;
		*) log_end_msg 1; exit ;;
	esac
	log_end_msg 0
	;;
  stop)
	capability_check
	case "$?" in
		0) ;;
		*) exit ;;
	esac
	log_daemon_msg "Stopping $DESC"
	xend_stop
	case "$?" in
		0|1) log_end_msg 0 ;;
		*) log_end_msg 1 ;;
	esac
	;;
  restart|force-reload)
	capability_check
	case "$?" in
		0) ;;
		*) exit ;;
	esac
	log_daemon_msg "Restarting $DESC"
	xend_stop
	case "$?" in
		0|1)
		xend_start
		case "$?" in
			0) log_end_msg 0 ;;
			*) log_end_msg 1 ;;
		esac
		;;
		*) log_end_msg 1 ;;
	esac
	;;
  *)
	echo "Usage: $0 {start|stop|restart|force-reload}" >&2
	exit 3
	;;
esac
exit 0


-- no debconf information
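The mislabelling this report describes can be detected before relabelling, as an added example that is not from the bug report or the Xen package: a Python checker that parses refpolicy-style file_contexts entries and compares the policy's expected context with the security.selinux xattr of each node under /dev/xen. The sample entries, the type names device_t and xen_device_t and the observed labels are constructed assumptions; the last-match-wins rule is a simplification of libselinux's matching.

```python
import os
import re
import stat

# Constructed, simplified file_contexts entries in refpolicy style (assumed type names).
SAMPLE_FILE_CONTEXTS = """
/dev/.*               system_u:object_r:device_t:s0
/dev/xen/.*      -c   system_u:object_r:xen_device_t:s0
"""

# file_contexts object-class flags mapped to the S_IFMT bits they restrict to.
CLASS_FLAGS = {"-c": stat.S_IFCHR, "-b": stat.S_IFBLK, "--": stat.S_IFREG,
               "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
               "-s": stat.S_IFSOCK}

def parse_file_contexts(text):
    """Return (regex, class bits or None, context) tuples; regex anchored at both ends."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts[0], CLASS_FLAGS[parts[1]], parts[2]
        elif len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(regex + r"\Z"), ftype, ctx))
    return specs

def expected_context(specs, path, mode):
    """Context the policy assigns to path; last matching entry wins (simplified rule)."""
    match = None
    for regex, ftype, ctx in specs:
        if ftype is not None and stat.S_IFMT(mode) != ftype:
            continue
        if regex.match(path):
            match = ctx
    return match

def find_mislabelled(specs, observed):
    """observed: {path: (st_mode, actual_context)} -> [(path, actual, expected)]."""
    bad = []
    for path, (mode, actual) in sorted(observed.items()):
        want = expected_context(specs, path, mode)
        if want is not None and want != actual:
            bad.append((path, actual, want))
    return bad

def observe_dir(directory):
    """Read the live security.selinux xattr of each node in directory (SELinux hosts only)."""
    observed = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
        observed[path] = (os.lstat(path).st_mode, raw.rstrip(b"\0").decode())
    return observed

def demo_observed():
    """Constructed snapshot: evtchn created by the kernel with devtmpfs's default label."""
    chr_mode = stat.S_IFCHR | 0o600
    return {"/dev/xen/evtchn": (chr_mode, "system_u:object_r:device_t:s0"),
            "/dev/xen/privcmd": (chr_mode, "system_u:object_r:xen_device_t:s0")}
```

On a live SELinux host, pass observe_dir("/dev/xen") to find_mislabelled; each hit is a node that the restorecon -R /dev/xen line proposed above would relabel.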




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 13:15:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 13:15:12 GMT) Full text and rfc822 format available.

Message #10 received at 597403@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: russell@coker.com.au, 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sun, 19 Sep 2010 15:13:43 +0200
tags 597403 moreinfo
thanks

On Sun, Sep 19, 2010 at 10:45:06PM +1000, Russell Coker wrote:
> The reason is that the module load causes the kernel to create device nodes in
> the devtmpfs.  This bypasses the udev code for labelling the device node and
> results in xenstored being unable to access /dev/xen/evtchn and therefore
> not working.

No, it does not. The code to create devices in libxc was removed.

> But for Squeeze it would be good if this could get included.  It's one line of
> shell code that results in nothing being done if policycoreutils is not
> installed.  I can't imagine any way that such a change could break anything.

You want to change an undefined number of packages?

Bastian

-- 
Every living thing wants to survive.
		-- Spock, "The Ultimate Computer", stardate 4731.3




Added tag(s) moreinfo. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Sun, 19 Sep 2010 13:15:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 13:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 13:45:08 GMT) Full text and rfc822 format available.

Message #17 received at 597403@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Bastian Blank <waldi@debian.org>
Cc: 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sun, 19 Sep 2010 23:40:37 +1000
On Sun, 19 Sep 2010, Bastian Blank <waldi@debian.org> wrote:
> On Sun, Sep 19, 2010 at 10:45:06PM +1000, Russell Coker wrote:
> > The reason is that the module load causes the kernel to create device
> > nodes in the devtmpfs.  This bypasses the udev code for labelling the
> > device node and results in xenstored being unable to access
> > /dev/xen/evtchn and therefore not working.
> 
> No, it does not. The code to create devices in libxc was removed.

What is libxc?

The kernel creates the device node /dev/xen/evtchn, the creation process 
bypasses even the kernel auditing layer because it's in the kernel.

http://marc.info/?t=128295019200002&r=1&w=2

The above URL has a link to some of the discussion of this issue by Red Hat 
people.  They are working on a nicer solution, but we can't do that for 
Squeeze.
 
> > But for Squeeze it would be good if this could get included.  It's one
> > line of shell code that results in nothing being done if policycoreutils
> > is not installed.  I can't imagine any way that such a change could
> > break anything.
> 
> You want to change an undefined number of packages?

I want to change every package that has a confined daemon which has a startup 
script that loads a kernel module which creates a devtmpfs node rather than 
just allowing udev to do it.

I don't think that will be many packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 14:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 14:51:05 GMT) Full text and rfc822 format available.

Message #22 received at 597403@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: russell@coker.com.au, 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sun, 19 Sep 2010 16:46:37 +0200
On Sun, Sep 19, 2010 at 11:40:37PM +1000, Russell Coker wrote:
> On Sun, 19 Sep 2010, Bastian Blank <waldi@debian.org> wrote:
> > On Sun, Sep 19, 2010 at 10:45:06PM +1000, Russell Coker wrote:
> > > The reason is that the module load causes the kernel to create device
> > > nodes in the devtmpfs.  This bypasses the udev code for labelling the
> > > device node and results in xenstored being unable to access
> > > /dev/xen/evtchn and therefore not working.
> > No, it does not. The code to create devices in libxc was removed.
> What is libxc?

The core xen library interface. It used to create devices on its own.
Please check if there is still a mknod permission for Xen related parts
in the selinux policy.

> The kernel creates the device node /dev/xen/evtchn, the creation process 
> bypasses even the kernel auditing layer because it's in the kernel.
> http://marc.info/?t=128295019200002&r=1&w=2
> The above URL has a link to some of the discussion of this issue by Red Hat 
> people.  They are working on a nicer solution, but we can't do that for 
> Squeeze.

My interpretation is: udev needs to change the context for already
existing files the same way it does with the DAC permissions. udev
_still_ gets its hands on the devices, otherwise all the permissions
would be wrong.

> > > But for Squeeze it would be good if this could get included.  It's one
> > > line of shell code that results in nothing being done if policycoreutils
> > > is not installed.  I can't imagine any way that such a change could
> > > break anything.
> > You want to change an undefined number of packages?
> I want to change every package that has a confined daemon which has a startup 
> script that loads a kernel module which creates a devtmpfs node rather than 
> just allowing udev to do it.

If selinux can't cope with devtmpfs, don't use it.

> I don't think that will be many packages.

As you don't seem to know that, please discuss that under
mass bug filing rules. Also you have to discuss that with the release
team, we are in deep freeze right now.

Bastian

-- 
Vulcans never bluff.
		-- Spock, "The Doomsday Machine", stardate 4202.1




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 14:57:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 14:57:08 GMT) Full text and rfc822 format available.

Message #27 received at 597403@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Bastian Blank <waldi@debian.org>
Cc: 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Mon, 20 Sep 2010 00:55:35 +1000
On Mon, 20 Sep 2010, Bastian Blank <waldi@debian.org> wrote:
> > > No, it does not. The code to create devices in libxc was removed.
> > 
> > What is libxc?
> 
> The core xen library interface. It used to create devices on its own.
> Please check if there is still a mknod permission for Xen related parts
> in the selinux policy.

There is still mknod.  Not sure if it's needed though, I'll have to check.

> > The kernel creates the device node /dev/xen/evtchn, the creation process
> > bypasses even the kernel auditing layer because it's in the kernel.
> > http://marc.info/?t=128295019200002&r=1&w=2
> > The above URL has a link to some of the discussion of this issue by Red
> > Hat people.  They are working on a nicer solution, but we can't do that
> > for Squeeze.
> 
> My interpretation is: udev needs to change the context for already
> existing files the same way it does with the DAC permissions. udev
> _still_ gets its hands on the devices, otherwise all the permissions
> would be wrong.

Device nodes that existed prior to udev starting are correctly labeled.  It's 
the ones that appear unexpectedly that cause this problem.

> > > > But for Squeeze it would be good if this could get included.  It's
> > > > one line of shell code that results in nothing being done if
> > > > policycoreutils is not installed.  I can't imagine any way that such
> > > > a change could break anything.
> > > 
> > > You want to change an undefined number of packages?
> > 
> > I want to change every package that has a confined daemon which has a
> > startup script that loads a kernel module which creates a devtmpfs node
> > rather than just allowing udev to do it.
> 
> If selinux can't cope with devtmpfs, don't use it.

How do I not use devtmpfs?

> > I don't think that will be many packages.
> 
> > As you don't seem to know that, please discuss that under
> > mass bug filing rules. Also you have to discuss that with the release
> > team, we are in deep freeze right now.

Having done a reasonable amount of testing and not discovered any other such 
packages and having not seen any reference to the same problem in other 
packages by the Red Hat people it seems unlikely that there will be many bug 
reports needed.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 15:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 15:21:05 GMT) Full text and rfc822 format available.

Message #32 received at 597403@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sun, 19 Sep 2010 17:17:40 +0200
tags 597403 wontfix
thanks

On Mon, Sep 20, 2010 at 12:55:35AM +1000, Russell Coker wrote:
> On Mon, 20 Sep 2010, Bastian Blank <waldi@debian.org> wrote:
> > Please check if there is still a mknod permission for Xen related parts
> > in the selinux policy.
> There is still mknod.  Not sure if it's needed though, I'll have to check.

At least not from anything in Squeeze.

> > My interpretation is: udev needs to change the context for already
> > existing files the same way it does with the DAC permissions. udev
> > _still_ gets its hands on the devices, otherwise all the permissions
> > would be wrong.
> Device nodes that existed prior to udev starting are correctly labeled.  It's 
> the ones that appear unexpectedly that cause this problem.

Kay acknowledged this as a bug in udev. See the referenced thread for a
patch.

> > If selinux can't cope with devtmpfs, don't use it.
> How do I not use devtmpfs?

Ask udev/initramfs-tools not to use it.

> > As you don't seem to know that, please discuss that under
> > mass bug filing rules. Also you have to discuss that with the release
> > team, we are in deep freeze right now.
> Having done a reasonable amount of testing and not discovered any other such 
> packages and having not seen any reference to the same problem in other 
> packages by the Red Hat people it seems unlikely that there will be many bug 
> reports needed.

Sorry, I have to decline before you did that. The change proposed by you
invalidates parts of the udev behaviour.

Bastian

-- 
Extreme feminine beauty is always disturbing.
		-- Spock, "The Cloud Minders", stardate 5818.4




Added tag(s) wontfix. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Sun, 19 Sep 2010 15:21:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#597403; Package xen-utils-common. (Sun, 19 Sep 2010 21:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. (Sun, 19 Sep 2010 21:15:03 GMT) Full text and rfc822 format available.

Message #39 received at 597403@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Bastian Blank <waldi@debian.org>
Cc: 597403@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Mon, 20 Sep 2010 07:12:04 +1000
On Mon, 20 Sep 2010, Bastian Blank <waldi@debian.org> wrote:
> Sorry, I have to decline before you did that. The change proposed by you
> invalidates parts of the udev behaviour.

deb http://www.coker.com.au squeeze selinux

OK, I've fixed this in my SE Linux repository with the above APT line.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. (Sat, 14 Apr 2012 17:03:42 GMT) Full text and rfc822 format available.

Notification sent to russell@coker.com.au:
Bug acknowledged by developer. (Sat, 14 Apr 2012 17:03:42 GMT) Full text and rfc822 format available.

Message #44 received at 597403-done@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 597403-done@bugs.debian.org
Subject: Re: [Pkg-xen-devel] Bug#597403: Bug#597403: Bug#597403: xen-utils-common: need to run restorecon in /etc/init.d/xend on SE Linux systems
Date: Sat, 14 Apr 2012 18:59:50 +0200
On Sun, Sep 19, 2010 at 05:17:40PM +0200, Bastian Blank wrote:
> Kay acknowledged this as a bug in udev. See the referenced thread for a
> patch.

No further information and bug in udev. Closing.

Bastian

-- 
War isn't a good life, but it's life.
		-- Kirk, "A Private Little War", stardate 4211.8




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 May 2012 07:32:25 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:54:57 2014; Machine Name: beach.debian.org
