David Caplan wrote:
On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
The assertion is to prevent accidental granting of read access to a raw disk device. Is that truly required here?
Probably - the root disk of the guest O/S instance is an lvm partition, e.g. /dev/vg01/lv_guest
To allow it, you need to use the interface for it, e.g. storage_raw_read_fixed_disk(xm_t). That interface is defined in kernel/storage.if. In addition to allowing the permission, it adds a type attribute to the type that excludes it from the assertion.
It seems like you'd want to consider a specific xen label for your guest partitions. You probably don't want to give xm_t access to all of the disks/partitions. Generally when you violate assertions you're probably allowing access you don't want (or should at least think hard about). Of course that will be a little more involved and it's probably better to get things working first with the storage_raw_read_fixed_disk() interface.
I have a lot to learn about SELinux. I've been managing to make things work by creating local policies, but I've always had in my mind the thought that there must be other/better ways to do it.
I've had no luck with getting xen even to boot correctly (using the same versions you listed on FC5). It always hangs when it checks the hardware on boot and if I skip that step with an interactive boot my system gets corrupted. I'm using a vanilla Dell hardware base (works fine with the standard FC5 kernel install). Did you have any problems getting the initial system set up? I have tried installing and booting in permissive mode with the same results.
I had no problems at all apart from the SELinux stuff.
Here's what I did:
- FC5 kickstart install.
- yum update
- installed kernel-xen0 + rebooted
- created lv for guest domain
- installed guest domain using this command line:
xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512 --location=http://mirrors.kernel.org/fedora/core/5/i386/os/ --extra-args="ip=192.168.23.228 netmask=255.255.255.248 gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204 ks=http://example.com/kickstart/ks_guest.cfg"
- copied xendomains script from Redhat somewhere (see my first post in this thread).
R.
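The two options discussed earlier in the thread (the storage_raw_read_fixed_disk(xm_t) interface as a quick fix, and a dedicated label for the guest partitions as the tighter solution) are shown concretely below as an added example; it is not code from the thread or from Fedora. It assumes the reference policy's dev_node() interface and rw_blk_file_perms permission set, that selinux-policy-devel provides /usr/share/selinux/devel/Makefile, that the LV /dev/vg01/lv_guest_vm is a symlink to the device-mapper node /dev/mapper/vg01-lv_guest_vm, and that xm_t is the domain that opens the device, as the thread says.

```shell
#!/bin/sh
# Added example, not from the thread: build and load a small SELinux policy
# module that labels the Xen guest's backing LV with its own type instead of
# letting xm_t read every fixed_disk_device_t node.
#
# Assumptions (not established by the thread): the devel Makefile from
# selinux-policy-devel lives at /usr/share/selinux/devel/Makefile, the LV
# /dev/vg01/lv_guest_vm is a symlink to the device-mapper node
# /dev/mapper/vg01-lv_guest_vm, and xm_t is the domain that opens the device.

MODULE=xen_guest_disk
BUILD_DIR=${BUILD_DIR:-${TMPDIR:-/tmp}/selinux-$MODULE}
GUEST_NODE=${GUEST_NODE:-/dev/mapper/vg01-lv_guest_vm}

# Type-enforcement source. The quick fix from the thread would be the single
# line "storage_raw_read_fixed_disk(xm_t)", which opts xm_t out of the
# fixed-disk assertion for every raw disk. The dedicated type below never
# touches fixed_disk_device_t, so the assertion is not involved at all.
emit_te() {
  cat <<'EOF'
policy_module(xen_guest_disk, 1.0)

gen_require(`
	type xm_t;
')

# Dedicated label for block devices that back Xen guest root filesystems.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# Only xm_t may read/write those nodes; nothing else gains raw disk access.
allow xm_t xen_guest_disk_t:blk_file rw_blk_file_perms;
EOF
}

# File-context source: label only the guest's device-mapper node (-b = block).
emit_fc() {
  printf '%s\t-b\tgen_context(system_u:object_r:xen_guest_disk_t,s0)\n' "$GUEST_NODE"
}

# Write the .te and .fc sources into BUILD_DIR.
write_sources() {
  mkdir -p "$BUILD_DIR"
  emit_te > "$BUILD_DIR/$MODULE.te"
  emit_fc > "$BUILD_DIR/$MODULE.fc"
}

# Compile with the reference-policy devel Makefile (it expands the interface
# macros), load the module, then relabel the node udev has already created.
build_and_install() {
  if [ ! -f /usr/share/selinux/devel/Makefile ]; then
    echo "selinux-policy-devel is not installed; sources are in $BUILD_DIR" >&2
    return 2
  fi
  (cd "$BUILD_DIR" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp") || return 1
  semodule -i "$BUILD_DIR/$MODULE.pp" || return 1
  restorecon -v "$GUEST_NODE"
}

if [ "${1:-}" = "install" ]; then
  write_sources && build_and_install
else
  write_sources && echo "Policy sources written to $BUILD_DIR; rerun with 'install' to build and load them."
fi
```

After `sh xen_guest_disk.sh install`, `ls -Z /dev/mapper/vg01-lv_guest_vm` should report xen_guest_disk_t. If udev recreates the node at boot without applying the new context, a `restorecon` on it from the xendomains script before the guest starts covers that. Any remaining denials (for example on the /dev/vg01 symlink) will appear in audit.log; keep whatever audit2allow suggests scoped to xen_guest_disk_t rather than falling back to the fixed-disk interface.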