David Caplan wrote:
>
>> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
>>> Stephen Smalley wrote:
>>>> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>>>>> Stephen Smalley wrote:
>>>>>> The assertion is to prevent accidental granting of read access to
>>>>>> a raw disk device. Is that truly required here?
>>>>> Probably - the root disk of the guest O/S instance is an lvm
>>>>> partition, e.g. /dev/vg01/lv_guest
>>>>>
>>>>>> To allow it, you need to use the interface for it, e.g.
>>>>>> storage_raw_read_fixed_disk(xm_t)
>>>>>> That interface is defined in kernel/storage.if. In addition to
>>>>>> allowing the permission, it adds a type attribute to the type
>>>>>> that excludes from the assertion.
>
> It seems like you'd want to consider a specific xen label for your guest
> partitions. You probably don't want to give xm_t access to all of the
> disks/partitions. Generally when you violate assertions you're probably
> allowing access you don't want (or should at least think hard about). Of
> course that will be a little more involved and it's probably better to
> get things working first with the storage_raw_read_fixed_disk()
> interface.

I have a lot to learn about SELinux. I've been managing to make things
work by creating local policies, but I've always had in my mind the
thought that there must be other/better ways to do it.

> I've had no luck with getting xen even to boot correctly (using the same
> versions you listed on FC5). It always hangs when it checks the hardware
> on boot and if I skip that step with an interactive boot my system gets
> corrupted. I'm using a vanilla Dell hardware base (works fine with the
> standard FC5 kernel install). Did you have any problems getting the
> initial system set up? I have tried installing and booting in permissive
> mode with the same results.

I had no problems at all apart from the SELinux stuff.

Here's what I did:

- FC5 kickstart install.
- yum update
- installed kernel-xen0 + rebooted
- created lv for guest domain
- installed guest domain using this command line:

  xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512 \
    --location=http://mirrors.kernel.org/fedora/core/5/i386/os/ \
    --extra-args="ip=192.168.23.228 netmask=255.255.255.248 gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204 ks=http://example.com/kickstart/ks_guest.cfg"

- copied xendomains script from Redhat somewhere (see my first post in
  this thread).

R.
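
The two options discussed in this thread, written as a local policy module (an added example, not part of the original message or of the Fedora policy). The module name local_xen_guest and the type xen_guest_disk_t are hypothetical; xm_t and storage_raw_read_fixed_disk() come from the thread, and option B assumes the reference policy's assertion is written against fixed_disk_device_t.

```te
# local_xen_guest.te - added example; module name and xen_guest_disk_t
# are hypothetical names chosen for illustration.
policy_module(local_xen_guest, 1.0)

# Symbols defined elsewhere in the loaded policy.
gen_require(`
	type xm_t;
	class blk_file { getattr read ioctl };
')

########################################
# Option A: the quick fix named in the thread.
#
# Grants xm_t read access to every device labelled as a fixed disk and
# adds the attribute that exempts xm_t from the assertion. This is the
# broad grant: it covers all disks and partitions, not only guest volumes.
# Uncomment only while getting things working.
#
# storage_raw_read_fixed_disk(xm_t)

########################################
# Option B: a dedicated label for guest volumes.
#
# Declare a type that is used only for guest block devices and mark it
# as a device node type.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# xm_t may read devices carrying the dedicated type only. The fixed disk
# assertion is not involved, because this rule never names the fixed
# disk device type. Add further permissions only if the domain is shown
# to need them.
allow xm_t xen_guest_disk_t:blk_file { getattr read ioctl };
```

For option B to take effect, the guest volume's device node has to carry the new type, which needs a matching file-context entry. Kernels that check the open permission on blk_file also need it in the allow rule.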