[Bug 1228540] [SELinux] avc during boot for init-xenstore-d and qemu-system-i386
https://bugzilla.suse.com/show_bug.cgi?id=1228540
https://bugzilla.suse.com/show_bug.cgi?id=1228540#c14

--- Comment #14 from Johannes Segitz <jsegitz@suse.com> ---

Storing different objects in /var/lib/xen is problematic from a SELinux perspective. Currently we have two rules:

    /var/lib/xen(/.*)?          gen_context(system_u:object_r:xend_var_lib_t,s0)
    /var/lib/xen/images(/.*)?   gen_context(system_u:object_r:xen_image_t,s0)

So everything in /var/lib/xen is xend_var_lib_t apart from the images in the images subdirectory.

xenstored tries to work in this directory by creating files like
userdata-l.1.00000000-0000-0000-0000-000000000000.domain-userdata-lock
in this directory, which fails because ATM xenstored doesn't have the necessary permissions.

This seems to work for other distributions, so probably they configure xen differently. We either need to adjust our xen or adjust the SELinux policy. The latter will be quite some effort, as this requires a xen test setup and I don't have one or know about xen.

I'll be away for three weeks now. I'll hand this over to a colleague, but she's also quite busy, so this might take a while if we decide to go for the policy change.
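Added example, not part of the bug comment or of the SUSE policy: a small Python model of how the two file-context rules quoted above decide the label a new file under /var/lib/xen is expected to carry. It assumes the rule with the longest literal prefix wins, which is a simplification of the real file_contexts ordering; the helper names and the image path are hypothetical.

```python
import re

# The two rules quoted in the comment; gen_context(ctx,s0) is written out as ctx:s0.
FILE_CONTEXTS = [
    (r"/var/lib/xen(/.*)?", "system_u:object_r:xend_var_lib_t:s0"),
    (r"/var/lib/xen/images(/.*)?", "system_u:object_r:xen_image_t:s0"),
]

_META = set(".^$?*+|[](){}\\")


def literal_stem(spec):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(spec):
        if ch in _META:
            return i
    return len(spec)


def expected_label(path, rules=FILE_CONTEXTS):
    """Context of the most specific rule matching the whole path, or None.

    Assumption: specificity = longest literal prefix, then longest pattern.
    """
    matches = [
        (literal_stem(spec), len(spec), ctx)
        for spec, ctx in rules
        if re.fullmatch(spec, path)
    ]
    return max(matches)[2] if matches else None


def selinux_type(context):
    """Third field of user:role:type:level, or None for an unlabeled path."""
    return context.split(":")[2] if context else None


if __name__ == "__main__":
    # Lock file name from the comment; the image path is constructed.
    samples = [
        "/var/lib/xen/userdata-l.1.00000000-0000-0000-0000-000000000000"
        ".domain-userdata-lock",
        "/var/lib/xen/images/guest.img",
        "/var/lib/xen",
        "/var/lib/xenfoo",
    ]
    for p in samples:
        print(f"{selinux_type(expected_label(p))!s:16} {p}")
```

The lock file resolves to xend_var_lib_t, so the denial concerns what xenstored's domain may do with that type, not a mislabeled file.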