xen, selinux, FC5

Robin Bowes robin-lists at robinbowes.com
Fri Oct 13 15:19:00 UTC 2006


Hi,

I'm trying to get xen working on FC5 with SELinux enabled.

# rpm -q kernel-xen0 xen selinux-policy
kernel-xen0-2.6.17-1.2187_FC5
xen-3.0.2-3.FC5
selinux-policy-2.3.7-2.fc5

I'm doing it by running stuff and seeing what AVC msgs I get and
creating a custom module to allow them.

e.g., I run this command:

audit2allow -M local -l -i /var/log/audit/audit.log

Then merge any new entries from local.te into xen.te and rebuild the module:

export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp

This seems to be working fine - I have FC5 installed as a host, with a
guest install of FC5 running as a guest. The "snapshot" capability also
works (xm save ...).

This is the module I'm using:

module local 1.0;

require {
        class chr_file { read write };
        class dir { add_name create search setattr write };
        class fd use;
        class file { append create read write };
        class unix_stream_socket { read write };
        type home_root_t;
        type ifconfig_t;
        type local_login_t;
        type netutils_t;
        type proc_xen_t;
        type tmp_t;
        type tty_device_t;
        type user_home_dir_t;
        type user_home_t;
        type var_log_t;
        type var_run_t;
        type xend_t;
        type xend_var_log_t;
        role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };


My question is: is this the right approach to getting xen (or any app)
working under selinux? Or is there an easier way? Am I opening up any
major security holes doing this?

One other problem I've noticed is that the xendomains init script didn't
start the domains at boot, or from the command-line. I've copied the new
one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
but I was seeing this error:

# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible

This is the context of that file:

-rwxr-xr-x  root root system_u:object_r:initrc_exec_t  xendomains

I copied xendomains to xendomains.new so it has this context:

-rwxr-xr-x  root root root:object_r:etc_t              xendomains.new

And the script now works.

Again, is this the (or a) correct fix? Any security problems with this?

Thanks,

R.
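As an added example (not code from the original post or from the Xen or SELinux projects), the script below does the review step that sits between `audit2allow -M` and `semodule -i` in the procedure described above. It parses the `require` block and the `allow` rules of a .te file, reports any type, class or permission a rule uses that the `require` block does not declare (checkmodule rejects those, so catching them saves a build cycle), and lists the rules that give a domain mutating access to user-owned or shared object types, or the use of another domain's file descriptors, so they can be looked at before the module is installed. The set of "foreign" types and the list of mutating permissions are this example's own assumptions, not anything from the policy; the sample input is the module quoted in the post.

```python
"""Review an audit2allow-generated .te module before installing it."""
import re

# Sample input: the policy module quoted in the post, embedded verbatim.
SAMPLE_TE = """\
module local 1.0;

require {
        class chr_file { read write };
        class dir { add_name create search setattr write };
        class fd use;
        class file { append create read write };
        class unix_stream_socket { read write };
        type home_root_t;
        type ifconfig_t;
        type local_login_t;
        type netutils_t;
        type proc_xen_t;
        type tmp_t;
        type tty_device_t;
        type user_home_dir_t;
        type user_home_t;
        type var_log_t;
        type var_run_t;
        type xend_t;
        type xend_var_log_t;
        role system_r;
};

allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
"""

ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
REQ_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;")
REQ_CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;")

# Permissions that let the source domain change the target object.
MUTATING = {"write", "append", "create", "add_name", "remove_name",
            "setattr", "unlink", "rename"}

# Assumption for this example: object types owned by users or shared with
# unrelated services, so a xen daemon modifying them deserves a second look.
FOREIGN_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t",
                 "tmp_t", "var_log_t", "tty_device_t"}


def _perm_set(text):
    """'{ read write }' or 'append' -> frozenset of permission names."""
    return frozenset(text.strip("{} ").split())


def parse_module(te_text):
    """Return (declared types, {class: declared perms}, allow rules)."""
    types, classes, rules = set(), {}, []
    for line in te_text.splitlines():
        if m := REQ_TYPE_RE.match(line):
            types.add(m.group(1))
        elif m := REQ_CLASS_RE.match(line):
            classes[m.group(1)] = _perm_set(m.group(2))
        elif m := ALLOW_RE.match(line):
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, _perm_set(perms)))
    return types, classes, rules


def undeclared_references(te_text):
    """Names used by allow rules but missing from the require block."""
    types, classes, rules = parse_module(te_text)
    problems = []
    for src, tgt, cls, perms in rules:
        for t in (src, tgt):
            if t not in types:
                problems.append(f"type {t} not in require block")
        if cls not in classes:
            problems.append(f"class {cls} not in require block")
        else:
            for p in sorted(perms - classes[cls]):
                problems.append(f"permission {cls}:{p} not in require block")
    return problems


def review_rules(te_text):
    """Rules a reviewer should look at before semodule -i installs them."""
    _, _, rules = parse_module(te_text)
    flagged = []
    for src, tgt, cls, perms in rules:
        if tgt in FOREIGN_TYPES and perms & MUTATING:
            flagged.append((src, tgt, cls, "mutating access to foreign type"))
        elif cls == "fd" and "use" in perms:
            flagged.append((src, tgt, cls, "uses fds inherited from another domain"))
    return flagged


if __name__ == "__main__":
    for p in undeclared_references(SAMPLE_TE) or ["require block is complete"]:
        print(p)
    for src, tgt, cls, why in review_rules(SAMPLE_TE):
        print(f"review: allow {src} {tgt}:{cls} ({why})")
```

Run against the quoted module it reports a complete `require` block and lists seven rules for review, among them the ones that let xend_t create and write files under user_home_t and use file descriptors from local_login_t; `allow xend_t tmp_t:dir search` is not listed because a search-only permission changes nothing. Rules the script does not flag still need to be judged against what the daemon actually does; the script only narrows the list.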