On Wed, Jan 31, 2007 at 03:39:08PM -0500, Bill Davidsen wrote:
> K T Ligesh wrote:
> >On Wed, Jan 31, 2007 at 01:40:58PM -0500, Bill Davidsen wrote:
> >
> >>And at some point will xen and selinux be compatible? I have everything
> >>in the "right" place, but it still doesn't work.
> >>
> >
> > Forget selinux. Just disable it. I mean, you think of security only after
> > the bleeding stops, your wounds have healed. (The bleeding that comes
> > from banging your head on the keyboard in frustration). Since this is xen
> > only mailinglist, I think we can talk about the situation with selinux
> > disabled.
> I bet you have the same eye-level bloody dent in your wall that I do ;-)
> > Anyway, won't a setenforce 0, completely disable the damn thing? At least
> > it says so as the output of the command.
> That's true, but I regard "turn off security" in the same light as "run
> setuid root so you bypass all that permissions stuff." And at least some
> of the places I could use this require selinux. setenforce doesn't
> disable it, just sets it advisory, which means it still fails and tells
> you there's no such file as <whatever> when there is, just where it
> should be. Daniel keeps telling me it works for him, so it's some
> failure of understanding.

If you see 'AVC' denial messages in /var/log/messages or /var/log/audit/audit.log
when creating your Xen guest, do file them in BugZilla against Xen. If it
does turn out to be a SELinux policy problem, we can usually get very fast
turn around on policy updates, because as you say - being able to run with
SELinux enabled is a very valuable security measure.
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
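
One way to collect the AVC denials mentioned in the reply above into a summary for a bug report, as an added example that is not part of the original thread: it picks `avc: denied` records out of both the audit.log and the /var/log/messages (syslog) line formats and groups them by source type, target type and object class. The sample log lines, contexts and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): line 1 is audit.log format, lines 2-3
# are the syslog format found in /var/log/messages, line 4 is unrelated noise.
SAMPLE_LOG = """\
type=AVC msg=audit(1170275948.123:45): avc:  denied  { read } for  pid=2345 comm="xend" name="guest.img" dev=dm-0 ino=12345 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Jan 31 15:40:02 host kernel: audit(1170275950.456:46): avc:  denied  { write } for  pid=2345 comm="xend" name="guest.img" dev=dm-0 ino=12345 scontext=system_u:system_r:xend_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Jan 31 15:40:03 host kernel: audit(1170275951.789:47): avc:  denied  { getattr } for  pid=2345 comm="xend" path="/srv/guests" dev=dm-0 ino=777 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Jan 31 15:40:04 host sshd[999]: Accepted publickey for root
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec

def ctx_type(context):
    """Extract the type from a user:role:type[:level] context string."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"

def summarize(text):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (ctx_type(rec.get("scontext")), ctx_type(rec.get("tcontext")),
               rec.get("tclass", "?"))
        groups[key]["perms"].update(rec["perms"])
        groups[key]["targets"].add(rec.get("path") or rec.get("name") or "?")
        groups[key]["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} on {', '.join(sorted(g['targets']))}")
```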