
Re: [Ovirt-devel] [PATCH node-image] enable SELinux in the node



Jim Meyering wrote:
> Here are 5 change sets.
>
> The first enables SELinux in the node.
> However, the resulting .iso image size went up to 72M.
> The following 4 patches pare that back down to 51M, which is 1M below
> the original size of 52M.

Found a problem with iSCSI storage pools via libvirt with SELinux turned on.

The pool can be created, but when you try to access it, the following shows up in /var/log/messages:

type=1400 audit(1221978037.915:24): avc:  denied  { getattr } for  pid=2597 comm="qemu-kvm" path="/dev/sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=1400 audit(1221978037.915:25): avc:  denied  { read } for  pid=2597 comm="qemu-kvm" name="sdd" dev=tmpfs ino=9171 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file

Looks like SELinux is prohibiting access for qemu to the block devices. Not sure how to fix this. Dan or Jim, do you guys have any suggestions?

NFS disk image access is not affected by this, since that is just access to an img file provided over an NFS mount.

Perry

