xen, selinux, FC5
David Caplan
dac at tresys.com
Fri Oct 13 20:15:48 UTC 2006
> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> > >> Stephen Smalley wrote:
> > >>> The assertion is to prevent accidental granting of read access to
> > >>> a raw disk device. Is that truly required here?
> > >> Probably - the root disk of the guest O/S instance is an lvm
> > >> partition, e.g. /dev/vg01/lv_guest
> > >>
> > >>> To allow it, you need to use the interface for it, e.g.
> > >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> > >>> kernel/storage.if. In addition to allowing the permission, it adds
> > >>> a type attribute to the type that excludes from the assertion.
It seems like you'd want to consider a specific xen label for your guest
partitions. You probably don't want to give xm_t access to all of the
disks/partitions. Generally when you violate assertions you're probably
allowing access you don't want (or should at least think hard about). Of
course that will be a little more involved and it's probably better to
get things working first with the storage_raw_read_fixed_disk()
interface.
I've had no luck with getting xen even to boot correctly (using the same
versions you listed on FC5). It always hangs when it checks the hardware
on boot and if I skip that step with an interactive boot my system gets
corrupted. I'm using a vanilla Dell hardware base (works fine with the
standard FC5 kernel install). Did you have any problems getting the
initial system set up? I have tried installing and booting in permissive
mode with the same results.
David
--
__________________________________
David Caplan
dac at tresys.com
Tresys Technology, LLC
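The two approaches discussed in this thread, the broad `storage_raw_read_fixed_disk(xm_t)` interface versus a dedicated label for the guest partitions, side by side as a small reference-policy module. This is an added illustration, not code from the thread or from the Fedora policy: the type name `xen_guest_disk_t` and the module name are made up here, `xm_t` and `storage_raw_read_fixed_disk()` are taken from the thread, and `dev_node()` and `read_blk_file_perms` are assumed to be available from the reference policy the FC5 policy is built on.

```selinux
# xen_guest_disk.te (hypothetical module name) - label Xen guest root volumes
# with their own type so xm_t is not granted read on every fixed disk.
policy_module(xen_guest_disk, 1.0)

gen_require(`
	# xm_t is the Xen management tool domain named in the thread.
	type xm_t;
')

# Dedicated type for the LVM volumes that back guest root disks.
# Because it is not fixed_disk_device_t, it is outside the
# neverallow assertion that storage_raw_read_fixed_disk() works around.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# Narrow grant: xm_t may read (getattr/read/lock/ioctl) only guest volumes.
allow xm_t xen_guest_disk_t:blk_file read_blk_file_perms;

# Broad alternative from the thread, shown for contrast and left disabled:
# it adds xm_t to the fixed_disk_raw_read attribute and allows read on
# every fixed_disk_device_t node, not just the guest volumes.
# storage_raw_read_fixed_disk(xm_t)
```

The type only helps if the device nodes actually carry it, so the module needs a matching file-context entry. Note that `/dev/vg01/lv_guest` is usually a symlink to the device-mapper node, so the `-b` entry should name the real node, for example (hypothetical path) `/dev/mapper/vg01-lv_guest -b gen_context(system_u:object_r:xen_guest_disk_t,s0)` in `xen_guest_disk.fc`, with `restorecon -v /dev/mapper/vg01-lv_guest` run after the module is loaded and whenever the volume is recreated; if xm opens the volume through the symlink, it also needs `read` on the `lnk_file` in `/dev/vg01`. Once loaded, a denial that still shows `tclass=blk_file` against `fixed_disk_device_t` rather than `xen_guest_disk_t` means the node was not relabeled, not that the policy is wrong.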