10:19 a.m.
Hi,
I'm trying to get xen working on FC5 with SELinux enabled.
# rpm -q kernel-xen0 xen selinux-policy
kernel-xen0-2.6.17-1.2187_FC5
xen-3.0.2-3.FC5
selinux-policy-2.3.7-2.fc5
I'm doing it by running stuff and seeing what AVC msgs I get and
creating a custom module to allow them.
e.g, I run this command:
audit2allow -M local -l -i /var/log/audit/audit.log
Then merge any new entries from local.te into xen.te and rebuild the module:
export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp
This seems to be working fine - I have FC5 installed as a host, with a
guest install of FC5 running as a guest. The "snapshot" capability also
works (xm save ...).
This is the module I'm using:
module local 1.0;
require {
class chr_file { read write };
class dir { add_name create search setattr write };
class fd use;
class file { append create read write };
class unix_stream_socket { read write };
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
My question is: is this the right approach to getting xen (or any app)
working under selinux? Or is there an easier way? Am I opening up any
major security holes doing this?
On other problem I've noticed is that the xendomains init script didn't
start the domains at boot, or from the command-line. I've copied the new
one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
but I was seeing this error:
# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible
This is the context of that file:
-rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
I copied xendomains to xendomains.new so it has this context:
-rwxr-xr-x root root root:object_r:etc_t xendomains.new
And the script now works.
Again, is this the (or a) correct fix? Any security problems with this?
Thanks,
R.
10:48 a.m.
Robin Bowes wrote:
On other problem I've noticed is that the xendomains init script
didn't
start the domains at boot, or from the command-line. I've copied the new
one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
but I was seeing this error:
# service xendomains start
Starting auto Xen domains:Error: Disk isn't accessible
This is the context of that file:
-rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
I copied xendomains to xendomains.new so it has this context:
-rwxr-xr-x root root root:object_r:etc_t xendomains.new
And the script now works.
Again, is this the (or a) correct fix? Any security problems with this?
Hmmm. xendomains is not starting the guest instances at reboot.
I see this error in send.log:
[2006-10-13 16:34:28 xend] ERROR (XendBootloader:36) Disk isn't accessible
I also get new AVC msgs:
allow xm_t fixed_disk_device_t:blk_file read;
When I add this to the policy file, i.e.:
class blk_file read;
type fixed_disk_device_t;
type xm_t;
allow xm_t fixed_disk_device_t:blk_file read;
I get this error when loading the compiled policy:
# semodule -i $xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Any suggestions as to how to fix this?
Thanks,
R.
10:58 a.m.
On Fri, 2006-10-13 at 16:48 +0100, Robin Bowes wrote:
Robin Bowes wrote:
> On other problem I've noticed is that the xendomains init script didn't
> start the domains at boot, or from the command-line. I've copied the new
> one from https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=120075
> but I was seeing this error:
>
> # service xendomains start
> Starting auto Xen domains:Error: Disk isn't accessible
>
> This is the context of that file:
>
> -rwxr-xr-x root root system_u:object_r:initrc_exec_t xendomains
>
> I copied xendomains to xendomains.new so it has this context:
>
> -rwxr-xr-x root root root:object_r:etc_t xendomains.new
>
> And the script now works.
>
> Again, is this the (or a) correct fix? Any security problems with this?
Hmmm. xendomains is not starting the guest instances at reboot.
I see this error in send.log:
[2006-10-13 16:34:28 xend] ERROR (XendBootloader:36) Disk isn't accessible
I also get new AVC msgs:
allow xm_t fixed_disk_device_t:blk_file read;
When I add this to the policy file, i.e.:
class blk_file read;
type fixed_disk_device_t;
type xm_t;
allow xm_t fixed_disk_device_t:blk_file read;
I get this error when loading the compiled policy:
# semodule -i $xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
Any suggestions as to how to fix this?
The assertion is to prevent accidental granting of read access to a raw
disk device. Is that truly required here? To allow it, you need to use
the interface for it, e.g.
storage_raw_read_fixed_disk(xm_t)
That interface is defined in kernel/storage.if.
In addition to allowing the permission, it adds a type attribute to the
type that excludes from the assertion.
--
Stephen Smalley
National Security Agency
11:12 a.m.
Stephen Smalley wrote:
The assertion is to prevent accidental granting of read access to a
raw disk device. Is that truly required here?
Probably - the root disk of the guest O/S instance is an lvm partition,
e.g. /dev/vg01/lv_guest
To allow it, you need to use the interface for it, e.g.
storage_raw_read_fixed_disk(xm_t) That interface is defined in
kernel/storage.if. In addition to allowing the permission, it adds a
type attribute to the type that excludes from the assertion.
So, what would that look like in the policy file?
Thanks,
R.
11:20 a.m.
On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
>
> The assertion is to prevent accidental granting of read access to a
> raw disk device. Is that truly required here?
Probably - the root disk of the guest O/S instance is an lvm partition,
e.g. /dev/vg01/lv_guest
> To allow it, you need to use the interface for it, e.g.
> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> kernel/storage.if. In addition to allowing the permission, it adds a
> type attribute to the type that excludes from the assertion.
So, what would that look like in the policy file?
If you build using the devel makefile (e.g. make
-f /usr/share/selinux/devel/Makefile or copy it over to where you are
working on your module), then you can use the interface as I described,
i.e. just put
storage_raw_read_fixed_disk(xm_t)
in your .te file.
That Makefile will pull in the headers and expand it properly.
Should handle the checkmodule and semodule_package side of things,
leaving you with just running semodule -i to install it once built.
--
Stephen Smalley
National Security Agency
11:25 a.m.
Stephen Smalley wrote:
On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
>> The assertion is to prevent accidental granting of read access to a
>> raw disk device. Is that truly required here?
> Probably - the root disk of the guest O/S instance is an lvm partition,
> e.g. /dev/vg01/lv_guest
>
>> To allow it, you need to use the interface for it, e.g.
>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
>> kernel/storage.if. In addition to allowing the permission, it adds a
>> type attribute to the type that excludes from the assertion.
> So, what would that look like in the policy file?
If you build using the devel makefile (e.g. make
-f /usr/share/selinux/devel/Makefile or copy it over to where you are
working on your module), then you can use the interface as I described,
i.e. just put
storage_raw_read_fixed_disk(xm_t)
in your .te file.
That Makefile will pull in the headers and expand it properly.
Should handle the checkmodule and semodule_package side of things,
leaving you with just running semodule -i to install it once built.
I'm actually doing this:
Use audit2allow to identify AVC denied msgs:
audit2allow -M local -l -i /var/log/audit/audit.log
Copy the contents of the local.te file produced by the command to xen.te
Compile and install the policy like this:
export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp
Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role
format used in the .te files? Or do I need to do something different?
Thanks for your help with this.
R.
11:39 a.m.
On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>> Stephen Smalley wrote:
>>> The assertion is to prevent accidental granting of read access to a
>>> raw disk device. Is that truly required here?
>> Probably - the root disk of the guest O/S instance is an lvm partition,
>> e.g. /dev/vg01/lv_guest
>>
>>> To allow it, you need to use the interface for it, e.g.
>>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
>>> kernel/storage.if. In addition to allowing the permission, it adds a
>>> type attribute to the type that excludes from the assertion.
>> So, what would that look like in the policy file?
>
> If you build using the devel makefile (e.g. make
> -f /usr/share/selinux/devel/Makefile or copy it over to where you are
> working on your module), then you can use the interface as I described,
> i.e. just put
> storage_raw_read_fixed_disk(xm_t)
> in your .te file.
>
> That Makefile will pull in the headers and expand it properly.
> Should handle the checkmodule and semodule_package side of things,
> leaving you with just running semodule -i to install it once built.
I'm actually doing this:
Use audit2allow to identify AVC denied msgs:
audit2allow -M local -l -i /var/log/audit/audit.log
Copy the contents of the local.te file produced by the command to xen.te
Compile and install the policy like this:
export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp
Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role
format used in the .te files? Or do I need to do something different?
You need to do something different if you want to use refpolicy
interfaces (which are presently m4 macros, but will eventually be first
class constructs in the language that will be handled at link time);
storage_raw_read_fixed_disk() is such an interface. The easiest thing
to do is to use the devel Makefile. Instead of manually running
checkmodule and semodule_package, you just do:
mkdir xen
cp xen.te xen/
cd xen
make -f /usr/share/selinux/devel/Makefile
The Makefile will then handle pulling in the refpolicy interface
headers, applying m4, running checkmodule on the result, and running
semodule_package, leaving you with a xen.pp file that you can install.
--
Stephen Smalley
National Security Agency
1:51 p.m.
Stephen Smalley wrote:
You need to do something different if you want to use refpolicy
interfaces (which are presently m4 macros, but will eventually be first
class constructs in the language that will be handled at link time);
storage_raw_read_fixed_disk() is such an interface. The easiest thing
to do is to use the devel Makefile. Instead of manually running
checkmodule and semodule_package, you just do:
mkdir xen
cp xen.te xen/
cd xen
make -f /usr/share/selinux/devel/Makefile
The Makefile will then handle pulling in the refpolicy interface
headers, applying m4, running checkmodule on the result, and running
semodule_package, leaving you with a xen.pp file that you can install.
Ok, I followed those instructions using the following .te file:
module local 1.0;
require {
class blk_file read;
class chr_file { read write };
class dir { add_name create search setattr write };
class fd use;
class file { append create read write };
class unix_stream_socket { read write };
type fixed_disk_device_t;
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
type xm_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
allow xm_t fixed_disk_device_t:blk_file read;
When I tried to install the module, I got this error:
# semodule -i xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
What am I doing wrong?
Thanks,
R.
2:15 p.m.
On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
> You need to do something different if you want to use refpolicy
> interfaces (which are presently m4 macros, but will eventually be first
> class constructs in the language that will be handled at link time);
> storage_raw_read_fixed_disk() is such an interface. The easiest thing
> to do is to use the devel Makefile. Instead of manually running
> checkmodule and semodule_package, you just do:
> mkdir xen
> cp xen.te xen/
> cd xen
> make -f /usr/share/selinux/devel/Makefile
>
> The Makefile will then handle pulling in the refpolicy interface
> headers, applying m4, running checkmodule on the result, and running
> semodule_package, leaving you with a xen.pp file that you can install.
>
Ok, I followed those instructions using the following .te file:
module local 1.0;
require {
class blk_file read;
class chr_file { read write };
class dir { add_name create search setattr write };
class fd use;
class file { append create read write };
class unix_stream_socket { read write };
type fixed_disk_device_t;
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
type xm_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
allow xm_t fixed_disk_device_t:blk_file read;
When I tried to install the module, I got this error:
# semodule -i xen.pp
libsepol.check_assertion_helper: assertion on line 0 violated by allow
xm_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
What am I doing wrong?
From the above, you are still directly allowing read access to a fixed
disk device rather than using the storage_raw_read_fixed_disk()
interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
read;' statement with:
storage_raw_read_fixed_disk(xm_t)
That was the point of switching to using the devel Makefile, so that you
could use the above interface. Which already expands to the necessary
declarations and rules to allow the access without violating the
assertion/neverallow rule.
There isn't anything magic here; it is just that
storage_raw_read_fixed_disk() as defined
in /usr/share/selinux/devel/include/kernel/storage.if already expands to
the right set of rules, and by using it, you insulate yourself from the
policy details that might change over time or between systems. Same
thing applies to all of your rules; if there is already an interface for
that purpose, you are better off using it.
--
Stephen Smalley
National Security Agency
2:31 p.m.
Stephen Smalley wrote:
On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
> allow xm_t fixed_disk_device_t:blk_file read;
>From the above, you are still directly allowing read access to a fixed
disk device rather than using the storage_raw_read_fixed_disk()
interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
read;' statement with:
storage_raw_read_fixed_disk(xm_t)
Ah, right. That was what I was missing.
I removed that line and ran the make and got these errors:
]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:40:ERROR 'permission read is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission getattr is not defined for class dir' at
token ';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission lock is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'permission ioctl is not defined for class dir' at token
';' on line 59080:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 40
xen.te:40:ERROR 'unknown class lnk_file used in rule' at token ';' on
line 59082:
allow xm_t device_t:lnk_file { getattr read };
#line 40
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
So, I removed all the lines I put in relating to the raw read. My xen.te
now looks like this:
module local 1.0;
require {
class chr_file { read write };
class dir { add_name create search setattr write };
class fd use;
class file { append create read write };
class unix_stream_socket { read write };
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)
Running the make produces this error:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:37:ERROR 'unknown type xm_t' at token ';' on line 59091:
#line 37
typeattribute xm_t fixed_disk_raw_read;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
I tried putting back "type xm_t" but get these errors:
# make -f /usr/share/selinux/devel/Makefile
Compiling targeted xen module
/usr/bin/checkmodule: loading policy configuration from tmp/xen.tmp
xen.te:38:ERROR 'permission read is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission getattr is not defined for class dir' at
token ';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission lock is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'permission ioctl is not defined for class dir' at token
';' on line 59078:
allow xm_t device_t:dir { read getattr lock search ioctl };
#line 38
xen.te:38:ERROR 'unknown class lnk_file used in rule' at token ';' on
line 59080:
allow xm_t device_t:lnk_file { getattr read };
#line 38
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/xen.mod] Error 1
I found I had to add all the missing classes and permissions.
This version of xen.te builds and installs cleanly:
module local 1.0;
require {
class blk_file { read getattr lock ioctl };
class chr_file { read write };
class dir { add_name create search setattr write read getattr
lock ioctl };
class fd use;
class file { append create read write };
class lnk_file { getattr read };
class unix_stream_socket { read write };
type home_root_t;
type ifconfig_t;
type local_login_t;
type netutils_t;
type proc_xen_t;
type tmp_t;
type tty_device_t;
type user_home_dir_t;
type user_home_t;
type var_log_t;
type var_run_t;
type xend_t;
type xend_var_log_t;
type xm_t;
role system_r;
};
allow ifconfig_t var_log_t:file append;
allow netutils_t proc_xen_t:file { read write };
allow netutils_t xend_t:unix_stream_socket { read write };
allow netutils_t xend_var_log_t:file { append write };
allow xend_t home_root_t:dir { search write };
allow xend_t local_login_t:fd use;
allow xend_t tmp_t:dir search;
allow xend_t tty_device_t:chr_file { read write };
allow xend_t user_home_dir_t:dir { search write };
allow xend_t user_home_t:dir { add_name search write };
allow xend_t user_home_t:file { create write };
allow xend_t var_run_t:dir { create setattr };
storage_raw_read_fixed_disk(xm_t)
That was the point of switching to using the devel Makefile, so that
you
could use the above interface. Which already expands to the necessary
declarations and rules to allow the access without violating the
assertion/neverallow rule.
There isn't anything magic here; it is just that
storage_raw_read_fixed_disk() as defined
in /usr/share/selinux/devel/include/kernel/storage.if already expands to
the right set of rules, and by using it, you insulate yourself from the
policy details that might change over time or between systems. Same
thing applies to all of your rules; if there is already an interface for
that purpose, you are better off using it.
So, how do I find out more about this? How would I know that interfaces
like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?
Thanks for all your help,
R.
2:43 p.m.
On Fri, 2006-10-13 at 20:31 +0100, Robin Bowes wrote:
Stephen Smalley wrote:
> On Fri, 2006-10-13 at 19:51 +0100, Robin Bowes wrote:
>> allow xm_t fixed_disk_device_t:blk_file read;
>
>>From the above, you are still directly allowing read access to a fixed
> disk device rather than using the storage_raw_read_fixed_disk()
> interface. IOW, replace your 'allow xm_t fixed_disk_device_t:blk_file
> read;' statement with:
> storage_raw_read_fixed_disk(xm_t)
Ah, right. That was what I was missing.
I removed that line and ran the make and got these errors:
<snip>
I found I had to add all the missing classes and permissions.
Or, alternatively, replace:
module local 1.0;
with the standard module prologue:
policy_module(local, 1.0)
This brings in the class/permission requires automatically.
This version of xen.te builds and installs cleanly:
<snip>
So, how do I find out more about this? How would I know that
interfaces
like storage_raw_read_fixed_disk(xm_t) exist, and what they mean?
Interface documentation is
under /usr/share/doc/selinux-policy-x.y.z/html/index.html.
/usr/share/selinux/devel/policyhelp is a trivial one-line script to
launch a browser on it.
Also available at:
http://oss.tresys.com/docs/refpolicy/api/
An IDE is under development. Available from:
http://oss.tresys.com/projects/slide
--
Stephen Smalley
National Security Agency
3:15 p.m.
On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> >> Stephen Smalley wrote:
> >>> The assertion is to prevent accidental granting of read
access to
> >>> a raw disk device. Is that truly required here?
> >> Probably - the root disk of the guest O/S instance is an lvm
> >> partition, e.g. /dev/vg01/lv_guest
> >>
> >>> To allow it, you need to use the interface for it, e.g.
> >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> >>> kernel/storage.if. In addition to allowing the
permission, it adds
> >>> a type attribute to the type that excludes from the assertion.
It seems like you'd want to consider a specific xen label for your guest
partitions. You probably don't want to give xm_t access to all of the
disks/partitions. Generally when you violate assertions you're probably
allowing access you don't want (or should at least think hard about). Of
course that will be a little more involved and it's probably better to
get things working first with the storage_raw_read_fixed_disk()
interface.
I've had no luck with getting xen even to boot correctly (using the same
versions you listed on FC5). It always hangs when it checks the hardware
on boot and if I skip that step with an interactive boot my system gets
corrupted. I'm using a vanilla Dell hardware base (works fine with the
standard FC5 kernel install). Did you have any problems getting the
initial system set up? I have tried installing and booting in permissive
mode with the same results.
David
--
__________________________________
David Caplan
dac(a)tresys.com
Tresys Technology, LLC
4:32 p.m.
David Caplan wrote:
> On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
>> Stephen Smalley wrote:
>>> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>>>> Stephen Smalley wrote:
>>>>> The assertion is to prevent accidental granting of read
> access to
>>>>> a raw disk device. Is that truly required here?
>>>> Probably - the root disk of the guest O/S instance is an lvm
>>>> partition, e.g. /dev/vg01/lv_guest
>>>>
>>>>> To allow it, you need to use the interface for it, e.g.
>>>>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
>>>>> kernel/storage.if. In addition to allowing the
> permission, it adds
>>>>> a type attribute to the type that excludes from the assertion.
It seems like you'd want to consider a specific xen label for your guest
partitions. You probably don't want to give xm_t access to all of the
disks/partitions. Generally when you violate assertions you're probably
allowing access you don't want (or should at least think hard about). Of
course that will be a little more involved and it's probably better to
get things working first with the storage_raw_read_fixed_disk()
interface.
I have a lot to learn about SELinux. I've been managing to make things
work by creating local policies, but I've always had in my mind the
thought that there must be other/better ways to do it.
I've had no luck with getting xen even to boot correctly (using
the same
versions you listed on FC5). It always hangs when it checks the hardware
on boot and if I skip that step with an interactive boot my system gets
corrupted. I'm using a vanilla Dell hardware base (works fine with the
standard FC5 kernel install). Did you have any problems getting the
initial system set up? I have tried installing and booting in permissive
mode with the same results.
I had no problems at all apart from the SELinux stuff.
Here's what I did:
- FC5 kickstart install.
- yum update
- installed kernel-xen0 + rebooted
- created lv for guest domain
- installed guest domain using this command line:
xenguest-install.py --name=guest --file=/dev/vg01/lv_guest_vm --ram=512
--location=http://mirrors.kernel.org/fedora/core/5/i386/os/
--extra-args="ip=192.168.23.228 netmask=255.255.255.248
gateway=192.168.23.225 dns=192.168.2.203,192.168.2.204
ks=http://example.com/kickstart/ks_guest.cfg"
- copied xendomains script from Redhat somewhere (see my first post in
this thread).
R.
6405
days inactive
6405
days old
selinux@lists.fedoraproject.org
12 comments
3 participants
participants (3)
-
David Caplan -
Robin Bowes -
Stephen Smalley