On Wed, Jan 31, 2007 at 03:39:08PM -0500, Bill Davidsen wrote:
K T Ligesh wrote:
On Wed, Jan 31, 2007 at 01:40:58PM -0500, Bill Davidsen wrote:
And at some point will xen and selinux be compatible? I have everything in the "right" place, but it still doesn't work.
Forget selinux. Just disable it. I mean, you think of security only after the bleeding stops, your wounds have healed. (The bleeding that comes from banging your head on the keyboard in frustration). Since this is a xen-only mailing list, I think we can talk about the situation with selinux disabled.
I bet you have the same eye-level bloody dent in your wall that I do ;-)
Anyway, won't a setenforce 0 completely disable the damn thing? At least it says so as the output of the command.
That's true, but I regard "turn off security" in the same light as "run setuid root so you bypass all that permissions stuff." And at least some of the places I could use this require selinux. setenforce doesn't disable it, just sets it advisory, which means it still fails and tells you there's no such file as <whatever> when there is, just where it should be. Daniel keeps telling me it works for him, so it's some failure of understanding.
If you see 'AVC' denial messages in /var/log/messages or /var/log/audit/audit.log when creating your Xen guest, do file them in BugZilla against Xen. If it does turn out to be a SELinux policy problem, we can usually get very fast turnaround on policy updates, because, as you say, being able to run with SELinux enabled is a very valuable security measure.
Regards, Dan.
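
Added example, not part of the original thread: one way to collapse the AVC denials mentioned above into a short summary suitable for a bug report. The sample log lines, the SELinux type names in them, and the helper names `parse_avc`, `sel_type` and `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log style (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1170275948.123:101): avc:  denied  { read } for  pid=2714 comm="xend" name="guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1170275948.130:102): avc:  denied  { read write } for  pid=2714 comm="xend" name="guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170275948.130:102): arch=40000003 syscall=5 success=no exit=-13 comm="xend"
type=AVC msg=audit(1170275950.001:103): avc:  denied  { getattr } for  pid=2801 comm="qemu-dm" path="/home/u/guest1.img" dev=dm-0 ino=98311 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to describe the denial
    rec["perms"] = m.group("perms").split()
    return rec

def sel_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def summarize(text):
    """Group denials by (command, source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm", "?"), sel_type(rec["scontext"]),
               sel_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (comm, src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

A target type such as `user_home_t` on a guest image in the summary points at file labeling rather than at the policy itself.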