xen, selinux, FC5

Hi, I'm trying to get xen working on FC5 with SELinux enabled. # rpm -q kernel-xen0 xen selinux-policy kernel-xen0-2.6.17-1.2187_FC5 xen-3.0.2-3.FC5 selinux-policy-2.3.7-2.fc5 I'm doing it by running stuff and seeing what AVC msgs I get and creating a custom module to allow them. e.g, I run this command: audit2allow -M local -l -i /var/log/audit/audit.log Then merge any new entries from local.te into xen.te and rebuild the module: export SEAPP=xen checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod semodule -i ${SEAPP}.pp This seems to be working fine - I have FC5 installed as a host, with a guest install of FC5 running as a guest. The "snapshot" capability also works (xm save ...). This is the module I'm using: module local 1.0; require { class chr_file { read write }; class dir { add_name create search setattr write }; class fd use; class file { append create read write }; class unix_stream_socket { read write }; type home_root_t; type ifconfig_t; type local_login_t; type netutils_t; type proc_xen_t; type tmp_t; type tty_device_t; type user_home_dir_t; type user_home_t; type var_log_t; type var_run_t; type xend_t; type xend_var_log_t; role system_r; }; allow ifconfig_t var_log_t:file append; allow netutils_t proc_xen_t:file { read write }; allow netutils_t xend_t:unix_stream_socket { read write }; allow netutils_t xend_var_log_t:file { append write }; allow xend_t home_root_t:dir { search write }; allow xend_t local_login_t:fd use; allow xend_t tmp_t:dir search; allow xend_t tty_device_t:chr_file { read write }; allow xend_t user_home_dir_t:dir { search write }; allow xend_t user_home_t:dir { add_name search write }; allow xend_t user_home_t:file { create write }; allow xend_t var_run_t:dir { create setattr }; My question is: is this the right approach to getting xen (or any app) working under selinux? Or is there an easier way? Am I opening up any major security holes doing this? On other problem I've noticed is that the xendomains init script didn't start the domains at boot, or from the command-line. I've copied the new one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075 but I was seeing this error: # service xendomains start Starting auto Xen domains:Error: Disk isn't accessible This is the context of that file: -rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains I copied xendomains to xendomains.new so it has this context: -rwxr-xr-x root root root:object_r:etc_t xendomains.new And the script now works. Again, is this the (or a) correct fix? Any security problems with this? Thanks, R.