David Caplan wrote:
> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>>>> Stephen Smalley wrote:
>>>>> The assertion is to prevent accidental granting of read access to
>>>>> a raw disk device. Is that truly required here?
>>>> Probably - the root disk of the guest O/S instance is an lvm
>>>> partition, e.g. /dev/vg01/lv_guest
>>>>
>>>>> To allow it, you need to use the interface for it, e.g.
>>>>> storage_raw_read_fixed_disk(xm_t). That interface is defined in
>>>>> kernel/storage.if. In addition to allowing the permission, it adds
>>>>> a type attribute to the type that excludes it from the assertion.
> It seems like you'd want to consider a specific xen label for your guest
> partitions. You probably don't want to give xm_t access to all of the
> disks/partitions. Generally when you violate assertions you're probably
> allowing access you don't want (or should at least think hard about). Of
> course that will be a little more involved and it's probably better to
> get things working first with the storage_raw_read_fixed_disk()
> interface.
I have a lot to learn about SELinux. I've been managing to make things
work by creating local policies, but I've always had in my mind the
thought that there must be other/better ways to do it.
> I've had no luck with getting xen even to boot correctly (using the same
> versions you listed on FC5). It always hangs when it checks the hardware
> on boot and if I skip that step with an interactive boot my system gets
> corrupted. I'm using a vanilla Dell hardware base (works fine with the
> standard FC5 kernel install). Did you have any problems getting the
> initial system set up? I have tried installing and booting in permissive
> mode with the same results.
I had no problems at all apart from the SELinux stuff.
Here's what I did:
- FC5 kickstart install.
- yum update
- installed kernel-xen0 + rebooted
- created lv for guest domain
- installed guest domain using this command line:
  xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512 \
    --location=http://mirrors.kernel.org/fedora/core/5/i386/os/ \
    --extra-args="ip=192.168.23.228 netmask=255.255.255.248 \
      gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204 \
      ks=http://example.com/kickstart/ks_guest.cfg"
- copied xendomains script from Red Hat somewhere (see my first post in
this thread).
R.
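One way to act on David's suggestion of a dedicated label for the guest partition, added here as an example and not taken from the thread: a local policy module that gives xm_t only the guest LV rather than every fixed disk. The type name xen_guest_disk_t, the module name, and the /dev/mapper path are assumptions; dev_node(), rw_blk_file_perms and gen_context() are refpolicy constructs from the selinux-policy-devel build environment.

```selinux
## xm_guestdisk.te (hypothetical local module)
policy_module(xm_guestdisk, 1.0)

require {
	type xm_t;
}

# Dedicated type for the guest root LV (assumed name). Because it is not
# fixed_disk_device_t, reading it does not trip the raw-disk neverallow
# and xm_t gains nothing on the other block devices.
type xen_guest_disk_t;
dev_node(xen_guest_disk_t)

# Only the Xen management tool gets the guest disk.
allow xm_t xen_guest_disk_t:blk_file rw_blk_file_perms;

## xm_guestdisk.fc
## Label the device-mapper node that LVM creates; /dev/vg01/lv_guest_vm
## is only a symlink to it. Path is an assumption matching the thread.
/dev/mapper/vg01-lv_guest_vm	-b	gen_context(system_u:object_r:xen_guest_disk_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile`, load with `semodule -i xm_guestdisk.pp`, then `restorecon -v /dev/mapper/vg01-lv_guest_vm` (and again after any vgchange that recreates the node). If the audit log shows another Xen domain such as xend_t opening the node, grant it the same allow on xen_guest_disk_t rather than falling back to the broad fixed-disk interface.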