Re: [Fedora-xen] SELinux HVM unfriendly?
- From: "Robert Thiem" <junk remcc org>
- To: "Daniel P. Berrange" <berrange redhat com>
- Cc: fedora-xen redhat com
- Subject: Re: [Fedora-xen] SELinux HVM unfriendly?
- Date: Tue, 21 Nov 2006 00:38:42 +1000 (EST)
> In FC6 GA you had to make sure the file for the disk was under /xen
> to be labelled correctly. In rawhide (and I think latest FC6 policy)
> we're moving to /var/lib/xen/images. To see what the required dir is
> run
> semanage context -l | grep xen_image_t
> You can also define new locations any time you like using semanage,
> eg
> semanage fcontext -a -f "" -t xen_image_t '/some/directory(/.*)?'
I had a look at that when I first came across the problem and found it
mentioned on the list archives.
AFAIK that's fine. All the images come up with the
system_u:object_r:xen_image_t context when I do an ls -Z.
"semanage fcontext -l | grep xen_image_t" yields the expected
/extra/xen(/.*)?    all files    system_u:object_r:xen_image_t:s0
along with "/xen(/.*)?" and the new "/var/lib/xen/images(/.*)?"
But when SELinux is enforcing, all I get is:
avc: denied { search } for pid=3662 comm="python" name="/" dev=sda8 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
[sda8 is my /extra partition]
When it's permissive then I see:
"ifconfig" being denied write to the cdrom devices
qemu-dm denied access to dsp
If I have it set in SDL I also get qemu-dm denies on various things that
seem to be related to bringing up the display window (.xauth* files, xdm
temp folders, ".X11-unix" and "tmp" dirs, "X0" socket, ".xauthBLAHBLAH").
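As an added example (my own script, not code from this thread or from the Xen/SELinux projects): a toy file-context matcher that applies rules of the kind quoted above to each ancestor of an image path, which is how you spot that a `/extra/xen(/.*)?` rule labels `/extra/xen` but leaves the `/extra` mount point itself (the `name="/" dev=sda8` in the denial) with `default_t`. The rule table, the first-match-wins ordering and the set of types assumed traversable by xend_t are all assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed rule table (stand-in for
# `semanage fcontext -l` output); first matching rule wins in this toy, so the
# specific rules must precede the /.* catch-all. TRAVERSABLE is an assumption
# about which types xend_t may "search" through; real policy decides that.
RULES='/extra/xen(/.*)? xen_image_t
/var/lib/xen/images(/.*)? xen_image_t
/xen(/.*)? xen_image_t
/ root_t
/.* default_t'
TRAVERSABLE='xen_image_t root_t'

# label_for PATH: type of the first rule whose (implicitly anchored) regex
# matches PATH exactly, or "unlabeled" if no rule matches.
label_for() {
    while read -r re type; do
        if printf '%s\n' "$1" | grep -Eq "^($re)\$"; then
            printf '%s\n' "$type"
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf 'unlabeled\n'
}

# blocking_dir IMAGE: walk from the image's directory up to "/" and print the
# first ancestor (with its type) that xend_t is assumed unable to search.
# Prints nothing and returns 1 when every ancestor is traversable.
blocking_dir() {
    d=$(dirname "$1")
    while :; do
        t=$(label_for "$d")
        case " $TRAVERSABLE " in
            *" $t "*) ;;
            *) printf '%s %s\n' "$d" "$t"; return 0 ;;
        esac
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return 1
}

# avc_target_type LINE: the type field of tcontext= in an AVC record.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Constructed sample: the denial quoted in the reply, joined onto one line.
AVC='avc: denied { search } for pid=3662 comm="python" name="/" dev=sda8 ino=2 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

blocking_dir /extra/xen/fc6.img   # prints "/extra default_t"
avc_target_type "$AVC"            # prints "default_t"
```

The directory this prints is the one to give a label xend_t can traverse (for instance by adding a rule for it with `semanage fcontext` as in the quoted reply, then relabelling), since the image rule alone does not reach the mount point.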