On Wed, Jan 31, 2007 at 03:39:08PM -0500, Bill Davidsen wrote:
> K T Ligesh wrote:
> >On Wed, Jan 31, 2007 at 01:40:58PM -0500, Bill Davidsen wrote:
> >
> >>And at some point will xen and selinux be compatible? I have everything
> >>in the "right" place, but it still doesn't work.
> >>
> >
> > Forget selinux. Just disable it. I mean, you think of security only after
> > the bleeding stops, your wounds have healed. (The bleeding that comes
> > from banging your head on the keyboard in frustration). Since this is xen
> > only mailinglist, I think we can talk about the situation with selinux
> > disabled.
>
> I bet you have the same eye-level bloody dent in your wall that I do ;-)
>
> > Anyway, won't a setenforce 0, completely disable the damn thing? At least
> > it says so as the output of the command.
>
> That's true, but I regard "turn off security" in the same light as "run
> setuid root so you bypass all that permissions stuff." And at least some
> of the places I could use this require selinux. setenforce doesn't
> disable it, just sets it advisory, which means it still fails and tells
> you there's no such file as <whatever> when there is, just where it
> should be. Daniel keeps telling me it works for him, so it's some
> failure of understanding.

If you see 'AVC' denial messages in /var/log/messages or
/var/log/audit/audit.log when creating your Xen guest, do file them in
BugZilla against Xen. If it does turn out to be a SELinux policy problem,
we can usually get very fast turn around on policy updates, because as you
say - being able to run with SELinux enabled is a very valuable security
measure.

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

--
Fedora-xen mailing list
Fedora-xen@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-xen
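
One way to collect the AVC denials Dan asks for into a form that fits a bug report, as an added example that is not part of the original thread or of any Red Hat tooling. The log records are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample records (not from the thread): audit.log and
# /var/log/messages forms, plus SYSCALL and "granted" records to skip.
SAMPLE_LOG = """\
type=AVC msg=audit(1170275948.101:41): avc:  denied  { read } for  pid=2310 comm="xend" name="guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1170275948.105:42): avc:  denied  { read write } for  pid=2310 comm="xend" name="guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170275948.105:42): arch=40000003 syscall=5 success=no exit=-13 comm="xend"
Jan 31 15:39:10 host kernel: audit(1170275950.220:43): avc:  denied  { getattr } for  pid=2344 comm="qemu-dm" name="guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1170275951.007:44): avc:  denied  { search } for  pid=2310 comm="xend" name="images" dev=dm-0 ino=98300 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1170275960.000:45): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r'audit\([\d.]+:\d+\): avc:\s+denied\s+\{ (?P<perms>[^}]*) \}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_denials(text):
    """Return one dict per AVC denial; the type is field 3 of each context."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["stype"] = d["scontext"].split(":")[2]
            d["ttype"] = d["tcontext"].split(":")[2]
            denials.append(d)
    return denials

def summarize(denials):
    """Group by (source type, target type, class), merging permissions."""
    groups = {}
    for d in denials:
        g = groups.setdefault((d["stype"], d["ttype"], d["tclass"]),
                              {"perms": set(), "comms": set(), "count": 0})
        g["perms"].update(d["perms"].split())
        g["comms"].add(d["comm"])
        g["count"] += 1
    return groups

def report(text):
    """One line per group, for pasting into a bug report."""
    return ["%s -> %s:%s { %s } x%d (comm: %s)" % (
                s, t, c, " ".join(sorted(g["perms"])), g["count"],
                ", ".join(sorted(g["comms"])))
            for (s, t, c), g in sorted(summarize(parse_denials(text)).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Grouping by source type, target type and object class keeps repeated denials from one guest creation attempt down to a few lines, which is the detail a policy maintainer needs to see.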