avc denied gone after reboot

Steve Brueckner steve at atc-nycorp.com
Fri Jan 27 16:29:40 UTC 2006


I'm creating an SELinux-enabled Xen VM on FC4.  I create the file system for
the VM by copying the filesystem from the underlying host.  For the very
first boot of the VM, I have it /.autorelabel.  However, when I then try to
install an rpm inside the VM I get an avc denied, even though I can install
the same rpm on the underlying host just fine.  Even stranger, if I reboot
the VM once, I then have no problem installing the rpm inside of it.

So there are two oddities:
1 - why does the rpm install fine on the host but not in the VM that clones
the host's file system?
2 - why does the rpm install correctly after a reboot, but not after the
initial boot?

Aside from upgrading my policy, how can I track down the problem here?



Here are some details:

# rpm -ivh jre:
error: unpacking of archive failed on file /usr/java/jre1.5.0_01/CHANGES:
cpio: lsetfilecon failed - Permission denied

/var/log/audit/audit.log:
type=AVC msg=audit(1138316170.719:32): avc:  denied  { relabelto } for
pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578
scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file

# rpm -qa | grep selinux:
libselinux-devel-1.23.10-2
libselinux-1.23.10-2
selinux-policy-targeted-sources-1.27.1-2.16
selinux-policy-targeted-1.27.1-2.16

I haven't altered the policy sources (yet).
Both host and VM are in enforcing mode.


Thanks,

 - Steve

Stephen Brueckner, ATC-NY
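Added example, not part of Steve's post: a small parser for audit.log AVC records of the shape quoted above, run over that record re-joined onto one line, plus a triage step that flags what a reviewer would look at first. It assumes only the record format shown; the note text and the extra SYSCALL line are constructed, and the kernel_t observation reflects that a user-space command still running in the kernel's initial domain means the boot-time domain transition never happened (what one sees when init started on a filesystem whose labels were not yet in place).

```python
import re

# Constructed sample input: the AVC record quoted in the post, re-joined onto
# one line (the mail client wrapped it), plus a constructed non-AVC record to
# show that the parser skips other record types.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138316170.719:32): avc:  denied  { relabelto } for pid=1706 comm="rpm" name="CHANGES" dev=hda1 ino=16578 scontext=root:system_r:kernel_t tcontext=system_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1138316170.719:32): success=no exit=-13 comm="rpm"
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Pull the type out of the user:role:type security contexts.
    for side in ("scontext", "tcontext"):
        if side in rec:
            rec[side + "_type"] = rec[side].split(":")[2]
    return rec

def triage(rec):
    """Return the observations a reviewer would draw from one parsed denial."""
    notes = []
    if rec["result"] != "denied":
        return notes
    # A user-space command in the kernel's initial domain means the boot-time
    # transition (kernel_t -> init_t -> ...) never happened, typically because
    # init started on a filesystem that had not been labelled yet.
    if rec.get("scontext_type") == "kernel_t" and rec.get("comm"):
        notes.append("source domain is kernel_t: no domain transition at boot; "
                     "check the labels on /sbin/init and reboot after relabelling")
    if "relabelto" in rec["perms"]:
        notes.append("relabelto denied: %s may not set the label %s on inode %s"
                     % (rec.get("scontext"), rec.get("tcontext"), rec.get("ino")))
    return notes

def scan(log_text):
    """Parse every AVC record in an audit.log excerpt and attach triage notes."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rec["notes"] = triage(rec)
            results.append(rec)
    return results
```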



