xen, selinux, FC5

Robin Bowes robin-lists at robinbowes.com
Fri Oct 13 21:32:39 UTC 2006


David Caplan wrote:
> 
>> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>>>>> Stephen Smalley wrote:
>>>>>> The assertion is to prevent accidental granting of read
>>>>>> access to a raw disk device.  Is that truly required here?
>>>>> Probably - the root disk of the guest O/S instance is an lvm 
>>>>> partition, e.g. /dev/vg01/lv_guest
>>>>>
>>>>>> To allow it, you need to use the interface for it, e.g.
>>>>>> storage_raw_read_fixed_disk(xm_t). That interface is defined in
>>>>>> kernel/storage.if. In addition to allowing the permission, it adds
>>>>>> a type attribute to the type that excludes it from the assertion.
> 
> It seems like you'd want to consider a specific xen label for your guest
> partitions. You probably don't want to give xm_t access to all of the
> disks/partitions. Generally when you violate assertions you're probably
> allowing access you don't want (or should at least think hard about). Of
> course that will be a little more involved and it's probably better to
> get things working first with the storage_raw_read_fixed_disk()
> interface.

I have a lot to learn about SELinux. I've been managing to make things
work by creating local policies, but I've always had in my mind the
thought that there must be other/better ways to do it.

> I've had no luck with getting xen even to boot correctly (using the same
> versions you listed on FC5). It always hangs when it checks the hardware
> on boot and if I skip that step with an interactive boot my system gets
> corrupted. I'm using a vanilla Dell hardware base (works fine with the
> standard FC5 kernel install). Did you have any problems getting the
> initial system set up? I have tried installing and booting in permissive
> mode with the same results.

I had no problems at all apart from the SELinux stuff.

Here's what I did:

 - FC5 kickstart install.
 - yum update
 - installed kernel-xen0 + rebooted
 - created lv for guest domain
 - installed guest domain using this command line:

xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512 \
    --location=http://mirrors.kernel.org/fedora/core/5/i386/os/ \
    --extra-args="ip=192.168.23.228 netmask=255.255.255.248 \
gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204 \
ks=http://example.com/kickstart/ks_guest.cfg"

 - copied xendomains script from Redhat somewhere (see my first post in
this thread).

R.
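To make David's suggestion concrete, the following is what a dedicated type for the guest LV could look like as a local reference-policy module on FC5. This is an added example, not code from the thread or from the Fedora policy. The module name xenguestdisk, the type name xen_guest_disk_t, and the /dev/mapper/vg01-lv_guest_vm path (the device node that the /dev/vg01/lv_guest_vm symlink points at) are assumptions, as is the grant of write as well as read access; the thread only shows the read denial.

```selinux
## xenguestdisk.te  (assumed module name; added example, not from the thread)
policy_module(xenguestdisk, 1.0)

gen_require(`
	type xm_t;
')

# A private type for the LVs that back guest root disks. Because it is
# not fixed_disk_device_t, allowing xm_t to read it does not hit the
# raw-disk assertion in kernel/storage.te, and xm_t still gets nothing
# on the real disks or on LVs that keep their default label.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# Read is what the denial in the thread is about; write is assumed to be
# needed as well once the guest installs to and boots from this LV.
allow xm_t xen_guest_disk_t:blk_file rw_blk_file_perms;

# The quick fix discussed above, kept here for comparison. It grants read
# on every fixed_disk_device_t node and adds the attribute that exempts
# xm_t from the assertion, which is the broad access David warns about:
# storage_raw_read_fixed_disk(xm_t)

## xenguestdisk.fc  (device-mapper node behind the /dev/vg01 symlink; assumed path)
/dev/mapper/vg01-lv_guest_vm	-b	gen_context(system_u:object_r:xen_guest_disk_t,s0)
```

Build it with the selinux-policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile in the directory holding the .te and .fc), load it with semodule -i xenguestdisk.pp, and relabel the node with restorecon -v /dev/mapper/vg01-lv_guest_vm so the running system picks up the new type. Since the lvm and udev domains create and manage that node, check the audit log for fresh denials against xen_guest_disk_t after the relabel; they may need rules for the new type too.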




More information about the fedora-selinux-list mailing list