Hi,
I'm trying to get xen working on FC5 with SELinux enabled.
# rpm -q kernel-xen0 xen selinux-policy
kernel-xen0-2.6.17-1.2187_FC5
xen-3.0.2-3.FC5
selinux-policy-2.3.7-2.fc5
I'm doing it by running stuff and seeing what AVC msgs I get and
creating a custom module to allow them.
e.g., I run this command:
audit2allow -M local -l -i /var/log/audit/audit.log
Then merge any new entries from local.te into xen.te and rebuild the module:
export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp
This seems to be working fine - I have FC5 installed as a host, with a
guest install of FC5 running as a guest. The "snapshot" capability also
works (xm save ...).
This is the module I'm using:
module local 1.0;
require {
    class chr_file { read write };
    class dir { add_name create search setattr write };
    class fd use;
    class file { append create read write };
    class unix_stream_socket { read write };
    type home_root_t;
    type ifconfig_t;
    type local_login_t;
    type netutils_t;
    type proc_xen_t;
    type tmp_t;
    type tty_device_t;
    type user_home_dir_t;
    type user_home_t;
    type var_log_t;
    type var_run_t;
    type xend_t;
    type xend_var_log_t;
    role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
My question is: is this the right approach to getting xen (or any app)
working under selinux? Or is there an easier way? Am I opening up any
major security holes doing this?
One other problem I've noticed is that the xendomains init script didn't
start the domains at boot, or from the command-line. I've copied the new
one from
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
but I was seeing this error:
# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible
This is the context of that file:
-rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
I copied xendomains to xendomains.new so it has this context:
-rwxr-xr-x root root root:object_r:etc_t xendomains.new
And the script now works.
Again, is this the (or a) correct fix? Any security problems with this?
Thanks,
R.
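Added example, not part of the original post or of the xen/SELinux tooling: a small reviewer for the allow rules quoted above. It parses the rules from a .te file and flags the ones that let a daemon modify generic types (a sign the real file should be relabelled rather than the domain widened) or that only appear because the daemon was started from an interactive login instead of its init script. The BROAD_TARGETS, WRITE_PERMS and LOGIN_ARTIFACTS lists are heuristics assumed for this example, not an official classification.

```python
import re

# Constructed sample input: allow rules copied from the module quoted in the post.
SAMPLE_TE = """\
module local 1.0;
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
"""

# Heuristic lists assumed for this example (not an official SELinux classification):
# generic types a daemon should rarely need to modify, and the permissions that
# count as modification. A hit usually means the file the daemon really touches
# carries the wrong label and should be relabelled instead of widening the domain.
BROAD_TARGETS = {"home_root_t", "user_home_dir_t", "user_home_t", "tmp_t",
                 "var_run_t", "var_log_t"}
WRITE_PERMS = {"write", "append", "create", "add_name", "setattr", "unlink"}
# Objects a daemon only inherits when launched from an interactive shell.
LOGIN_ARTIFACTS = {("local_login_t", "fd"), ("tty_device_t", "chr_file")}

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;\s*$")

def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for every allow rule in te_text."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = frozenset((m.group(4) or m.group(5)).split())
            rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def review_rules(rules):
    """Return (source, target, class, reason) for each rule worth a second look."""
    findings = []
    for src, tgt, cls, perms in rules:
        if (tgt, cls) in LOGIN_ARTIFACTS:
            findings.append((src, tgt, cls,
                "inherited from an interactive login; start the daemon via its init script"))
        elif tgt in BROAD_TARGETS and perms & WRITE_PERMS:
            findings.append((src, tgt, cls,
                "modifies a generic type; relabel the specific file instead of widening the domain"))
    return findings

if __name__ == "__main__":
    for src, tgt, cls, why in review_rules(parse_allow_rules(SAMPLE_TE)):
        print(f"{src} -> {tgt}:{cls}: {why}")
```

Running it over a freshly generated local.te before merging it into the module shows which audit2allow suggestions deserve a relabel or a fix to how the daemon is started rather than a new allow rule.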