Bug 467656 - possibly incorrect information in "29.9. SELinux considerations"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: Virtualization_Guide (Show other bugs)
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Scott Radvan
: Documentation
Depends On: 514159
Reported: 2008-10-19 22:24 EDT by Murray McAllister
Modified: 2015-04-06 23:19 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-12-08 15:44:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Murray McAllister 2008-10-19 22:24:57 EDT
Description of problem:
"29.9. SELinux considerations" says to change the SELinux type on a block device (is this the correct terminology?). This does not change the type when the file system on that block device is mounted.

I am not an SELinux guy, but it might be better to:

1. Create a logical volume.

2. Format that logical volume with a file system that supports extended attributes, such as ext3 (mkfs.ext3)

3. Explain to users to create a new directory that will be used for virtualization. My example uses "/virtualization".

4. Mount the logical volume to /virtualization/.

5. Run /usr/sbin/semanage fcontext -a -t xen_image_t "/virtualization(/.*)?". Assuming that targeted policy is used, this command adds the following entry to "/etc/selinux/targeted/contexts/files/file_contexts.local":

/test(/.*)?    system_u:object_r:xen_image_t:s0

6. Run the "/sbin/restorecon -R -v /virtualization" command to change the type of the mount point (/virtu...) and all files under it to xen_image_t (restorecon and setfiles {used when relabeling} read the files in contexts/files/*).

7. Creating a new file (touch) on this file system results in a file labeled with the xen_image_t type. I don't know what happens if virt-manager writes a file to such a directory.

Again, I am not a virtualization or SELinux person, so this might be wrong :(

If users regularly change the directory used for this, maybe mount with a context option:

mount /dev/VolGroup00/whatever /wherever -o context="system_u:object_r:xen_image_t"

The context specified with the mount command is not written to disk. Note: this option can be added to /etc/fstab.

Hope some of this helps...
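The labelling procedure above, as an added audit check that is not part of this bug report or the Virtualization Guide: it parses file_contexts.local-style entries, resolves them the way setfiles/restorecon do (last matching spec wins), and reports files whose type does not match, including the case where the file system was mounted with -o context= and the on-disk labels are irrelevant. The entries and the ls -Z style listing are constructed sample data; the /dev/sde0 entry is hypothetical.

```python
import re

# Constructed file_contexts.local entries modelled on step 5 of the report
# (sample data). An optional file-type field such as "--" may appear.
FILE_CONTEXTS_LOCAL = """\
/virtualization(/.*)?    system_u:object_r:xen_image_t:s0
/dev/sde0    --    system_u:object_r:xen_image_t:s0
"""

# Constructed (path, context) pairs, as collected from `ls -Z` output.
SAMPLE_LISTING = [
    ("/virtualization", "system_u:object_r:xen_image_t:s0"),
    ("/virtualization/rhel5.img", "system_u:object_r:xen_image_t:s0"),
    ("/virtualization/old.img", "user_u:object_r:default_t:s0"),  # mislabelled
    ("/home/alice/test.img", "user_u:object_r:user_home_t:s0"),   # no rule
]

def parse_file_contexts(text):
    """[(regex, context)] from file_contexts-style lines. Each spec is anchored
    to the whole path; these simple POSIX ERE specs are assumed valid in Python."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            rules.append((re.compile("^" + parts[0] + "$"), parts[-1]))
    return rules

def expected_context(path, rules):
    """Context the rules assign to path, or None. The last matching spec wins,
    which is how setfiles/restorecon resolve overlapping entries."""
    match = None
    for regex, ctx in rules:
        if regex.match(path):
            match = ctx
    return match

def selinux_type(context):
    """Type field of a user:role:type[:level] context string."""
    return context.split(":")[2]

def audit(listing, rules, mount_context=None):
    """[(path, expected_type, actual_type)] for every mislabelled entry.
    With mount_context set (a -o context=... mount), the listing must cover only
    that mount; every entry is then expected to carry that context."""
    problems = []
    for path, actual in listing:
        expected = mount_context or expected_context(path, rules)
        if expected is not None and selinux_type(expected) != selinux_type(actual):
            problems.append((path, selinux_type(expected), selinux_type(actual)))
    return problems
```

Files it reports are the ones a "restorecon -R -v" over the directory would relabel.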
Comment 1 Murray McAllister 2008-10-19 22:29:08 EDT
Also, if you don't want that logical volume used for virtualization again, use the following command to remove the entry in file_contexts.local:

/usr/sbin/semanage fcontext -d "/test(/.*)?".

Apologies for any spelling mistakes. Don't copy and paste the commands ;)
Comment 2 Murray McAllister 2008-10-20 19:29:50 EDT
Sorry, any parts above that say "/test..." should be "/virtualization..."
Comment 3 Murray McAllister 2008-10-20 19:49:15 EDT
Moving to "high" as per our conversation.
Comment 4 Christopher Curran 2008-11-11 21:55:54 EST
Hmm, this doesn't entirely correct the original issue. There are two issues in this bug: how to set SELinux contexts for new directories and how to set SELinux contexts for entire block devices. This covers the former but not the latter.

Dan, can you assist with configuring SELinux access for Xen guests accessing storage at the block device level. That is, the file system is managed by the guest not domain0.
Comment 5 Daniel Walsh 2008-11-14 15:42:45 EST
/usr/sbin/semanage fcontext -a -t xen_image_t "/dev/sde0"

Should work.
Comment 16 Andrew Ross 2010-12-06 22:32:43 EST
Checking: Red_Hat_Enterprise_Linux-Virtualization-5-web-en-US-5.6-04.el5

"SELinux prevents guest images from loading if SELinux is enabled and the images are not correctly labeled. SELinux requires that image files have the virt_image_t label applied to them. The /var/lib/libvirt/images directory has this label applied to it and its contents by default. This does not mean that images must be stored in this directory; images can be stored anywhere, provided they are labeled with virt_image_t. "

"Set the correct SELinux type for the Xen folder."
s/the/a to make it consistent with the KVM version? 

Alignment issues: 

Procedure 17.1.:
# lvcreate -n NewVolumeName -L 5G

# mount /dev/volumegroup/NewVolumeName
Comment 18 Andrew Ross 2010-12-07 21:54:30 EST
Verified: Red_Hat_Enterprise_Linux-Virtualization-5-web-en-US-5.6-08.el5
