> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> > Stephen Smalley wrote:
> > > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> > >> Stephen Smalley wrote:
> > >>> The assertion is to prevent accidental granting of read access to
> > >>> a raw disk device. Is that truly required here?
> > >> Probably - the root disk of the guest O/S instance is an lvm
> > >> partition, e.g. /dev/vg01/lv_guest
> > >>
> > >>> To allow it, you need to use the interface for it, e.g.
> > >>> storage_raw_read_fixed_disk(xm_t)
> > >>> That interface is defined in kernel/storage.if. In addition to
> > >>> allowing the permission, it adds a type attribute to the type
> > >>> that excludes from the assertion.

It seems like you'd want to consider a specific xen label for your guest partitions. You probably don't want to give xm_t access to all of the disks/partitions. Generally when you violate assertions you're probably allowing access you don't want (or should at least think hard about).

Of course that will be a little more involved and it's probably better to get things working first with the storage_raw_read_fixed_disk() interface.

I've had no luck with getting xen even to boot correctly (using the same versions you listed on FC5). It always hangs when it checks the hardware on boot and if I skip that step with an interactive boot my system gets corrupted. I'm using a vanilla Dell hardware base (works fine with the standard FC5 kernel install). Did you have any problems getting the initial system set up? I have tried installing and booting in permissive mode with the same results.

David

--
__________________________________
David Caplan dac@xxxxxxxxxx
Tresys Technology, LLC
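
The two approaches discussed in this thread, side by side in a local policy module. This is an added example, not policy posted by anyone in the thread: the module name xm_guestdisk and the type xen_guest_disk_t are hypothetical, and it assumes a reference-policy build environment that provides policy_module(), dev_node() and the read_blk_file_perms permission set.

```selinux
# xm_guestdisk.te -- added example; module and type names are hypothetical.
policy_module(xm_guestdisk, 1.0.0)

gen_require(`
	type xm_t;
')

########################################
# Option 1: the interface named in the thread.
#
# Grants xm_t raw read on every device labelled as a fixed disk and adds
# the type attribute that exempts xm_t from the assertion. Quick to get
# working, but xm_t can then read all disks and partitions on the host.
#
# Left commented out so that only the narrower rule below is active.
#
# storage_raw_read_fixed_disk(xm_t)

########################################
# Option 2: a dedicated label for guest partitions.
#
# Declare a type that is used only for the block devices backing guest
# images, and mark it as a device node type.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# xm_t may read block devices carrying the guest label and nothing else.
# No rule here touches the generic fixed-disk type, so the assertion on
# raw disk reads is not involved and no exemption attribute is needed.
allow xm_t xen_guest_disk_t:blk_file read_blk_file_perms;

# Labelling (assumption, not shown as a rule): the block device node
# behind the guest volume, /dev/vg01/lv_guest in the thread, has to be
# given the xen_guest_disk_t type by a file-context entry so that it is
# labelled when the node is created. Which path that entry must match
# depends on how LVM and udev expose the volume on the host.
```

With option 2, a denial for xm_t against the generic fixed-disk type in the audit log indicates a guest volume that was not relabelled, not a rule that should be widened.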