Selinux Problem

Home » CentOS-Virt » Selinux Problem
CentOS-Virt 12 Comments

Hello,

CentOS 7.(3) Xen 4.4,

Can I find any Doc for selinux with XEN, I found many Problems with selinux on Dom0 ?

Or have I to disable selinux when I install XEN.

Thank’s for a answer.

12 thoughts on - Selinux Problem

  • Sorry I’m blind, should have had more coffee.

    I would like to know what problems you’re having specifically. We aren’t on CentOS 7 yet unfortunately.

  • Any task the application required to access the permission related or hardware attraction layer will be protected my selinux. For your case since CentOS startup with Dom0 for Xen, therefore seLinux will protect the CentOS when Xen is required to access CentOS kernel and permissions.

    Xlord

    —–Original Message—

  • –VP2p6q7plQ1BN3fIrUoGifWV6qJhGtJDp Content-Type: text/plain; charset=windows-1252
    Content-Transfer-Encoding: quoted-printable

    We have not tried to make xen work with selinux on Dom0 .. in fact our documentation:

    https://wiki.CentOS.org/Manuals/ReleaseNotes/Xen4-01

    says:

    SELinux support is disabled, and you might need to disable SELinux on the dom0 for some operations; primarily when using qemu-xen and blktap backed storage.

    ====

    I would go as far as to say turn it off for all operations currently on Dom0.

    –VP2p6q7plQ1BN3fIrUoGifWV6qJhGtJDp

  • Hello,

    Am Donnerstag, 26. Januar 2017, 10:54:20 CET schrieb Johnny Hughes:

    This is not the best Situation, but when I have no other way I have to disable selinux :-(.

  • I think that comment may be a little old. I do try to support SELinux
    — the smoke tests I use before pushing changes have it enabled by default, and they use both qemu-xen and blktap.

    But it’s difficult to help debug problems when you haven’t even said what problem(s) you’re having. :-)

    Please be sure to include the output of `dmesg`, `xl dmesg`, your xl.cfg, and /var/log/audit/audit.log.

    Thanks,
    -George

  • Selinux is way too complicated for Xen environment, there are other alternative to security your system than SeLinux.

    Xlord

    —–Original Message—–
    From: CentOS-virt [mailto:CentOS-virt-bounces@CentOS.org] I think that comment may be a little old. I do try to support SELinux
    — the smoke tests I use before pushing changes have it enabled by default, and they use both qemu-xen and blktap.

    But it’s difficult to help debug problems when you haven’t even said what problem(s) you’re having. :-)

    Please be sure to include the output of `dmesg`, `xl dmesg`, your xl.cfg, and /var/log/audit/audit.log.

    Thanks,
    -George

  • But the core repository for SELinux has rules for all the Xen functionality, which CentOS mostly inherits. This is primarily, I
    think, because Fedora has Xen packages (and also enables SELinux by default).

    -George

  • George, Selinux is a project originated from NSA and Linux adopted that in early kernel 2.4.x which is far more advance if you required very persistent object security on disk read and write. Otherwise, it is really not necessary.

    Xlord
    —–Original Message—

  • George,

    I appreciate you try to keep SELinux working and thank you. If SELinux isn’t appropriate for an environment, disabling it is easy. But if it is needed for whatever reason, adding support is hard.

    Looking through our ansible role, it turns out that for xenconsoled to be able to work with oxenstored I had to make a policy change. I hesitate to publish that policy as-is because I used audit2allow without taking enough time to tune it and the policy is probably too permissive.

    But running xenconsoled with oxenstored on CentOS 6 should allow you to duplicate. If you don’t have time to duplicate, I should be able to do that and get you the original audit.log messages.

    –Sarah