[Fedora-xen] SELinux HVM unfriendly?
Robert Thiem
junk at remcc.org
Mon Nov 20 14:38:42 UTC 2006
> In FC6 GA you had to make sure the file for the disk was under /xen
> to be labelled correctly. In rawhide (and I think latest FC6 policy)
> we're moving to /var/lib/xen/images. To see what the required dir is
> run
> semanage context -l | grep xen_image_t
> You can also define new locations any time you like using semanage,
> eg
> semanage fcontext -a -f "" -t xen_image_t '/some/directory(/.*)?'
I had a look at that when I first came across the problem and found it
mentioned on the list archives.
AFAIK that's fine. All the images come up with the
system_u:object_r:xen_image_t context when I do an ls -Z.
"semanage fcontext -l | grep xen_image_t" yields the expected
/extra/xen(/.*)?    all files    system_u:object_r:xen_image_t:s0
along with "/xen(/.*)?" and the new "/var/lib/xen/images(/.*)?"
But when SELinux is enforcing all I get is:
avc: denied { search } for pid=3662 comm="python" name="/" dev=sda8 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
[sda8 is my /extra partition]
When it's permissive then I see:
"ifconfig" being denied write to the cdrom devices
qemu-dm denied access to dsp
If I have it set in SDL I also get qemu-dm denies on various things that
seem to be related to bringing up the display window (.xauth* files, xdm
temp folders, ".X11-unix" and "tmp" dirs, "X0" socket, ".xauthBLAHBLAH").
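The denial above is on name="/" of dev=sda8, that is the /extra mount point itself, which none of the listed xen_image_t specs match (they start at /extra/xen). The shell script below is an added example, not code from this thread or from the SELinux tools: it labels each ancestor of a path against a constructed fcontext table (a simplified last-match-wins model of file_contexts; the real libselinux matcher sorts by specificity) and reports the first directory whose type is outside the set a domain may search. FCONTEXT_SPECS, label_for and first_unsearchable are hypothetical names.

```shell
#!/bin/sh
# Constructed table in the spirit of "semanage fcontext -l" output
# (regex|type). Not a real file_contexts file. Later entries win,
# as local additions do over the base policy. The real root ("/")
# has its own root_t entry and is not modelled here.
FCONTEXT_SPECS='
/.*|default_t
/var(/.*)?|var_t
/var/lib(/.*)?|var_lib_t
/var/lib/xen/images(/.*)?|xen_image_t
/xen(/.*)?|xen_image_t
/extra/xen(/.*)?|xen_image_t
'

# label_for PATH: print the type assigned by the last matching spec.
label_for() {
    path=$1
    result=default_t
    for spec in $FCONTEXT_SPECS; do
        re=${spec%%|*}
        ctx=${spec#*|}
        # file_contexts regexes are anchored at both ends
        if printf '%s\n' "$path" | grep -Eq "^${re}\$"; then
            result=$ctx
        fi
    done
    printf '%s\n' "$result"
}

# first_unsearchable PATH ALLOWED_TYPES: walk the ancestors of PATH
# (starting at the first component, not "/") and print the first one
# whose type is not in the space-separated ALLOWED_TYPES list.
# Empty output means every component is searchable by the domain.
first_unsearchable() {
    target=$1
    allowed=$2
    cur=
    old_ifs=$IFS; IFS=/
    set -- $target
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        t=$(label_for "$cur")
        case " $allowed " in
            *" $t "*) ;;
            *) printf '%s\n' "$cur"; return 0 ;;
        esac
    done
    return 0
}
```

With this table, an image under /extra/xen is xen_image_t but /extra is default_t, so a domain limited to xen_image_t stops at /extra, which is the search denial in the avc line. On a live box, `ls -Zd /extra` or `matchpathcon /extra` answers the same question without the model.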