xen, selinux, FC5

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 13 15:58:10 UTC 2006 

On Fri, 2006-10-13 at 16:48 +0100, Robin Bowes wrote:
> Robin Bowes wrote:
> > On other problem I've noticed is that the xendomains init script didn't
> > start the domains at boot, or from the command-line. I've copied the new
> > one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
> > but I was seeing this error:
> > 
> > # service xendomains start
> > Starting auto Xen domains:Error: Disk isn't accessible
> > 
> > This is the context of that file:
> > 
> > -rwxr-xr-x  root root system_u:object_r:initrc_exec_t  xendomains
> > 
> > I copied xendomains to xendomains.new so it has this context:
> > 
> > -rwxr-xr-x  root root root:object_r:etc_t              xendomains.new
> > 
> > And the script now works.
> > 
> > Again, is this the (or a) correct fix? Any security problems with this?
> 
> Hmmm. xendomains is not starting the guest instances at reboot.
> 
> I see this error in send.log:
> 
> [2006-10-13 16:34:28 xend] ERROR (XendBootloader:36) Disk isn't accessible
> 
> I also get new AVC msgs:
> 
> allow xm_t fixed_disk_device_t:blk_file read;
> 
> When I add this to the policy file, i.e.:
> 
> class blk_file read;
> type fixed_disk_device_t;
> type xm_t;
> allow xm_t fixed_disk_device_t:blk_file read;
> 
> I get this error when loading the compiled policy:
> 
> # semodule -i $xen.pp
> libsepol.check_assertion_helper: assertion on line 0 violated by allow
> xm_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule:  Failed!
> 
> Any suggestions as to how to fix this?

The assertion is to prevent accidental granting of read access to a raw
disk device.  Is that truly required here?  To allow it, you need to use
the interface for it, e.g.
	storage_raw_read_fixed_disk(xm_t)
That interface is defined in kernel/storage.if.
In addition to allowing the permission, it adds a type attribute to the
type that excludes from the assertion.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list