xen, selinux, FC5

David Caplan dac at tresys.com
Fri Oct 13 20:15:48 UTC 2006

> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> > >> Stephen Smalley wrote:
> > >>> The assertion is to prevent accidental granting of read access to
> > >>> a raw disk device.  Is that truly required here?
> > >> Probably - the root disk of the guest O/S instance is an lvm
> > >> partition, e.g. /dev/vg01/lv_guest
> > >>
> > >>> To allow it, you need to use the interface for it, e.g.
> > >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> > >>> kernel/storage.if. In addition to allowing the permission, it adds
> > >>> a type attribute to the type that excludes from the assertion.

It seems like you'd want to consider a specific xen label for your guest
partitions. You probably don't want to give xm_t access to all of the
disks/partitions. Generally when you violate assertions you're probably
allowing access you don't want (or should at least think hard about). Of
course that will be a little more involved and it's probably better to
get things working first with the storage_raw_read_fixed_disk()
interface.

I've had no luck with getting xen even to boot correctly (using the same
versions you listed on FC5). It always hangs when it checks the hardware
on boot and if I skip that step with an interactive boot my system gets
corrupted. I'm using a vanilla Dell hardware base (works fine with the
standard FC5 kernel install). Did you have any problems getting the
initial system set up? I have tried installing and booting in permissive
mode with the same results.

David
--
__________________________________

David Caplan    
dac at tresys.com
Tresys Technology, LLC
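As an added illustration of the "specific xen label for your guest partitions" suggestion (this is example policy, not code from the thread or from the Fedora or Xen policy), a minimal refpolicy-style module that gives xm_t access only to a dedicated guest-volume type rather than to every fixed disk. The module name, the type name xen_guest_disk_t and the /dev/mapper path are assumptions.

```selinux
## xen_guest_disk.te  (hypothetical module name)
policy_module(xen_guest_disk, 1.0.0)

require {
	type xm_t;
}

# A dedicated type for the block devices backing Xen guest root
# volumes. dev_node() marks it as a device node type so it may be
# assigned to nodes under /dev.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# xm_t may read and write only devices carrying this type. Because the
# type is distinct from fixed_disk_device_t, the assertion discussed in
# the thread (written against fixed_disk_device_t) is not triggered, so
# xm_t does not need the raw-read attribute that
# storage_raw_read_fixed_disk() would add, and it gains no access to
# the host's other disks and partitions.
allow xm_t xen_guest_disk_t:blk_file rw_blk_file_perms;

## xen_guest_disk.fc
# Assumed path: LVM creates the real node under /dev/mapper, and
# /dev/vg01/lv_guest from the thread is normally a symlink to it.
/dev/mapper/vg01-lv_guest	-b	gen_context(system_u:object_r:xen_guest_disk_t,s0)
```

Build and load it with the FC5 selinux-policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile; semodule -i xen_guest_disk.pp) and then restorecon the device node; since LVM recreates the node on activation, the label has to be reapplied (restorecon or a udev rule) each time, otherwise the volume falls back to fixed_disk_device_t and the original denial returns.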