I just wondered, all Howtos for Fedora, and a lot of other places say the user needs to disable SELinux when running Xen, at least in dom0.

And I didn't see any explanation why or on how to make xen work with selinux enabled.

Does it mean it isn't working, is it so simple that there's no need to document it, or theoretically possible but too hard to get it working?

Henning

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Mon, Dec 11, 2006 at 06:40:06PM +0100, Henning Sprang wrote:
> I just wondered, all Howtos for Fedora, and a lot of other places say
> the user needs to disable SELinux when running Xen, at least in dom0.

That is incorrect. With Fedora Core 6 the recommendation is definitely to have SELinux enabled when running Xen. The main thing you have to be careful of is where you keep your filesystem images. The SELinux policy expects them in /var/lib/xen/images. Same is true of ISO images if you're using them to install fully virt guests.

> And I didn't see any explanation why or on how to make xen work with
> selinux enabled.

If you have disk images in the expected location, then Xen should 'just work' with SELinux enabled.

> Does it mean it isn't working, is it so simple that there's no need to
> document it, or theoretically possible but too hard to get it
> working?

The howto you found is wrong :-(

I've added a note about necessary SELinux disk image directory to the official Fedora Xen guide.

http://fedoraproject.org/wiki/FedoraXenQuickstartFC6

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
_______________________________________________
What about use of disk partitions mapped to virtual devices?

On 12/12/06, Daniel P. Berrange <berrange@redhat.com> wrote:
> On Mon, Dec 11, 2006 at 06:40:06PM +0100, Henning Sprang wrote:
> > I just wondered, all Howtos for Fedora, and a lot of other places say
> > the user needs to disable SELinux when running Xen, at least in dom0.
>
> That is incorrect. With Fedora Core 6 the recommendation is definitely
> to have SELinux enabled when running Xen. The main thing you have to
> be careful of is where you keep your filesystem images. The SELinux
> policy expects them in /var/lib/xen/images. Same is true of ISO images
> if you're using them to install fully virt guests.
>
> > And I didn't see any explanation why or on how to make xen work with
> > selinux enabled.
>
> If you have disk images in the expected location, then Xen should 'just work'
> with SELinux enabled.
>
> > Does it mean it isn't working, is it so simple that there's no need to
> > document it, or theoretically possible but too hard to get it
> > working?
>
> The howto you found is wrong :-(
>
> I've added a note about necessary SELinux disk image directory to the
> official Fedora Xen guide.
>
> http://fedoraproject.org/wiki/FedoraXenQuickstartFC6
>
> Regards,
> Dan.

--
GPG key fingerprint: 3883 B308 8256 2246 D3ED A1FF 3A1D 0EAD 41C4 C2F0
GPG public key available on pgp.mit.edu keyserver
_______________________________________________
On Tue, Dec 12, 2006 at 08:36:37AM +1100, TMC wrote:
> What about use of disk partitions mapped to virtual devices?

That should work already. XenD is given access to devices labelled as fixed_disk_device_t / removable_disk_device_t

Dan.
_______________________________________________
On 12/11/06, Daniel P. Berrange <berrange@redhat.com> wrote:
> That is incorrect. With Fedora Core 6 the recommendation is definitely
> to have SELinux enabled when running Xen. The main thing you have to
> be careful of is where you keep your filesystem images. The SELinux
> policy expects them in /var/lib/xen/images. Same is true of ISO images
> if you're using them to install fully virt guests.

O.K. Thanks a lot for all the information!

And do you think this applies also to other distributions, say, somebody wants to run Xen on Debian with selinux? Is it correct to assume that he has to do some things which the fedora people already did (and which probably required some research)?

Henning
_______________________________________________
On Mon, Dec 11, 2006 at 11:07:09PM +0100, Henning Sprang wrote:
> On 12/11/06, Daniel P. Berrange <berrange@redhat.com> wrote:
> > That is incorrect. With Fedora Core 6 the recommendation is definitely
> > to have SELinux enabled when running Xen. The main thing you have to
> > be careful of is where you keep your filesystem images. The SELinux
> > policy expects them in /var/lib/xen/images. Same is true of ISO images
> > if you're using them to install fully virt guests.
>
> O.K. Thanks a lot for all the information!
>
> And do you think this applies also to other distributions, say,
> somebody wants to run Xen on Debian with selinux? Is it correct to
> assume that he has to do some things which the fedora people already
> did (and which probably required some research)?

I'm not too familiar with state of Xen / SELinux in Debian. All the stuff we fix in Fedora/RHEL always goes back to upstream sources, so if Debian folks are periodically refreshing SELinux policy from upstream they ought to pick up the fixes eventually.

Regards,
Dan.
_______________________________________________
On 11 Dec 2006 at 18:40, Henning Sprang wrote:
> I just wondered, all Howtos for Fedora, and a lot of other places say
> the user needs to disable SELinux when running Xen, at least in dom0.

Hi!

Not actually knowing SELinux, I guess that it has to be adjusted for XEN, just like a firewall has to. As nobody (just like for the firewall) seems to know what exactly has to be done (wouldn't it be documented otherwise?), the recommendation is to disable it. ;-)

Ulrich
_______________________________________________
Daniel P. Berrange wrote:
> On Mon, Dec 11, 2006 at 06:40:06PM +0100, Henning Sprang wrote:
>> I just wondered, all Howtos for Fedora, and a lot of other places say
>> the user needs to disable SELinux when running Xen, at least in dom0.
>
> That is incorrect. With Fedora Core 6 the recommendation is definitely
> to have SELinux enabled when running Xen. The main thing you have to
> be careful of is where you keep your filesystem images. The SELinux
> policy expects them in /var/lib/xen/images. Same is true of ISO images
> if you're using them to install fully virt guests.
>
>> And I didn't see any explanation why or on how to make xen work with
>> selinux enabled.
>
> If you have disk images in the expected location, then Xen should 'just work'
> with SELinux enabled.

That would be wonderful, but I believe that the directory /var/lib/xen/images needs to be created with some selinux attributes, which are not obvious to me. I can probably dig a list of non-working ones from my notes, though.

>> Does it mean it isn't working, is it so simple that there's no need to
>> document it, or theoretically possible but too hard to get it
>> working?
>
> The howto you found is wrong :-(
>
> I've added a note about necessary SELinux disk image directory to the
> official Fedora Xen guide.
>
> http://fedoraproject.org/wiki/FedoraXenQuickstartFC6

I just looked at it, it doesn't seem to have the magic mkdir incantation, and on my installs, one of which I just redid yesterday, whatever tooth fairy is supposed to create the directory didn't.
_______________________________________________
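
An added example, not part of the thread or of any poster's code: a small audit of an xm-style guest config against the two points made in the replies above (file-backed images are expected under /var/lib/xen/images, while phy: disks depend on the device node's own label). The sample config, guest name and paths are constructed, and the `tap:aio:` entry and the `..` handling go slightly beyond what the thread discusses.

```python
import posixpath
import re

# Directory the thread says the Fedora Core 6 SELinux policy expects
# file-backed guest images (and install ISOs) to live in.
IMAGE_DIR = "/var/lib/xen/images"

# Constructed sample xm-style guest config; names and paths are made up.
SAMPLE_CFG = """
name = "guest1"
disk = [ 'file:/var/lib/xen/images/guest1.img,xvda,w',
         'file:/home/admin/iso/install.iso,hdc:cdrom,r',
         'tap:aio:/var/lib/xen/images/../../../../srv/data.img,xvdb,w',
         'phy:/dev/vg0/guest1-swap,xvdc,w' ]
"""

# One quoted disk spec: <backend>:<path>,<guest device>,<mode>
DISK_RE = re.compile(r"""['"]((?:file|tap:aio|phy):[^,'"]+),[^'"]*['"]""")


def audit_disks(cfg_text, image_dir=IMAGE_DIR):
    """Return (status, backend, path) for every disk in a guest config.

    status is 'ok' (file-backed, under image_dir), 'relocate' (file-backed,
    outside the directory the policy expects) or 'device' (phy: backend;
    access depends on the device node's own label).
    """
    results = []
    for spec in DISK_RE.findall(cfg_text):
        backend, _, raw_path = spec.rpartition(":")
        if backend == "phy":
            results.append(("device", backend, raw_path))
            continue
        # Collapse '..' so a path that only starts with image_dir is caught.
        path = posixpath.normpath(raw_path)
        inside = path.startswith(image_dir.rstrip("/") + "/")
        results.append(("ok" if inside else "relocate", backend, path))
    return results


if __name__ == "__main__":
    for status, backend, path in audit_disks(SAMPLE_CFG):
        print(f"{status:9} {backend:8} {path}")
```

On a running dom0, `ls -Z` on each reported path shows the label that is actually applied.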