Description of problem: "29.9. SELinux considerations" says to change the SELinux type on a block device (is this the correct terminology?). This does not change the type when the file system on that block device is mounted. I am not an SELinux guy, but it might be better to: 1. Create a logical volume. 2. Format that logical volume with a file system that supports extended attributes, such as ext3 (mkfs.ext3) 3. Explain to users to create a new directory that will be used for virtualization. My example uses "/virtualization". 4. Mount the logical volume to /virtualization/. 5. Run "/usr/sbin/semanage fcontext -a -t xen_image_t "/virtualization(/.*)?". Assuming that targeted policy is used, this commands adds the following entry to "/etc/selinux/targeted/contexts/files/file_contexts.local": /test(/.*)? system_u:object_r:xen_image_t:s0 6. Run the "/sbin/restorecon -R -v /virtualization" command to change the type of the mount point (/virtu...) and all files under it to xen_image_t (restorecon and setfiles {used when relabeling} reads the files in contexts/files/*). 7. Creating a new file (touch) on this file system results in a file labeled with the xen_image_t type. I don't know what happens if virt-manager writes a file to such a directory. Again, I am not a virtualization or SELinux person, so this might be wrong :( If users regularly change the directory used for this, maybe mount with a context option: mount /dev/VolGroup00/whatever /wherever -o context="system_u:object_r:xen_image_t" The context specified with the mount command is not written to disk. Note: this option can be added to /etc/fstab. Hope some of this helps...
Also, if you don't want that logical volume used for virtualization again, use the following command to remove the entry in file_contexts.local: /usr/sbin/semanage fcontext -d "/test(/.*)?". Apologies for any spelling mistakes. Don't copy and paste the commands ;)
sorry, any parts above that say "/test..." should be "/virtualization..."
moving to "high" as per our conversation.
Hmm, this doesn't entirely correct the original issue. There are two issue in this bug: how to set SELinux contexts for new directories and how to set SELinux contexts for entire block devices. This covers the former but not the latter. Dan, can you assist with configuring SELinux access for Xen guests accessing storage at the block device level. That is, the file system is managed by the guest not domain0.
/usr/sbin/semanage fcontext -a -t xen_image_t "/dev/sde0" Should work.
Checking: Red_Hat_Enterprise_Linux-Virtualization-5-web-en-US-5.6-04.el5 Fixed: "SELinux prevents guest images from loading if SELinux is enabled and the images are not correctly labeled. SELinux requires that image files have the virt_image_t label applied to them. The /var/lib/libvirt/images directory has this label applied to it and its contents by default. This does not mean that images must be stored in this directory; images can be stored anywhere, provided they are labeled with virt_image_t. " Query: "Set the correct SELinux type for the Xen folder." s/the/a to make it consistent with the KVM version? -------- Alignment issues: Procedure 17.1.: # lvcreate -n NewVolumeName -L 5G volumegroup # mount /dev/volumegroup/NewVolumeName /virtstorage
Verified: Red_Hat_Enterprise_Linux-Virtualization-5-web-en-US-5.6-08.el5