Re: [CentOS-virt] Selinux Problem

2017-02-02 Thread Sarah Newman
On 01/30/2017 03:22 AM, George Dunlap wrote:

> 
> I think that comment may be a little old.  I do try to support SELinux
> -- the smoke tests I use before pushing changes have it enabled by
> default, and they use both qemu-xen and blktap.
> 
> But it's difficult to help debug problems when you haven't even said
> what problem(s) you're having. :-)
> 
> Please be sure to include the output of `dmesg`, `xl dmesg`, your
> xl.cfg, and /var/log/audit/audit.log.
> 
> Thanks,
>  -George

George,

I appreciate you try to keep SELinux working and thank you. If SELinux isn't 
appropriate for an environment, disabling it is easy. But if it is needed
for whatever reason, adding support is hard.

Looking through our ansible role, it turns out that for xenconsoled to be able 
to work with oxenstored I had to make a policy change. I hesitate to
publish that policy as-is because I used audit2allow without taking enough time 
to tune it and the policy is probably too permissive.

But running xenconsoled with oxenstored on CentOS 6 should allow you to 
duplicate. If you don't have time to duplicate, I should be able to do that
and get you the original audit.log messages.

--Sarah
___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt
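
Added example, not part of any message in this thread: the AVC denials in /var/log/audit/audit.log can be grouped into candidate rules and reviewed before audit2allow output is loaded, so that an over-broad rule is noticed first. The log lines, SELinux type names, socket path and the list of generic target types are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the paths and
# SELinux type names are illustrative assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1485450000.101:201): avc:  denied  { write } for  pid=1801 comm="xenconsoled" name="socket" dev="tmpfs" ino=9001 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1485450000.102:202): avc:  denied  { connectto } for  pid=1801 comm="xenconsoled" path="/var/run/xenstored/socket" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1485450000.102:202): arch=c000003e syscall=42 success=no exit=-13 comm="xenconsoled"
type=AVC msg=audit(1485450007.340:215): avc:  denied  { read } for  pid=1801 comm="xenconsoled" name="socket" dev="tmpfs" ino=9001 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Reviewer's heuristic (assumption): a denial against one of these generic
# types usually means a file is mislabeled, so fix the label, not the policy.
GENERIC_TARGETS = {"var_run_t", "tmp_t", "device_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?"
    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class), merging perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records such as SYSCALL are skipped
            key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def review(rules):
    """Render each group as a candidate allow rule plus a review note."""
    report = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        note = ("check labeling before allowing" if tgt in GENERIC_TARGETS
                else "ok to consider")
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        report.append((rule, note))
    return report

if __name__ == "__main__":
    for rule, note in review(summarize_denials(SAMPLE_LOG)):
        print(f"{rule}  # {note}")
```
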


Re: [CentOS-virt] Selinux Problem

2017-02-02 Thread George Dunlap
On Thu, Feb 2, 2017 at 4:46 PM, -=X.L.O.R.D=-  wrote:
> SELinux is way too complicated for a Xen environment, there are other
> alternatives to secure your system than SELinux.

But the core repository for SELinux has rules for all the Xen
functionality, which CentOS mostly inherits.  This is primarily, I
think, because Fedora has Xen packages (and also enables SELinux by
default).

 -George


Re: [CentOS-virt] Selinux Problem

2017-01-30 Thread George Dunlap
On Thu, Jan 26, 2017 at 8:08 PM, Günther J. Niederwimmer wrote:
> Hello,
>
> On Thursday, 26 January 2017, 10:54:20 CET, Johnny Hughes wrote:
>> On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
>> > Hello,
>> >
>> > CentOS 7.(3) Xen 4.4,
>> >
>> > Can I find any Doc for selinux with XEN, I found many Problems with
>> > selinux on Dom0 ?
>> >
>> > Or have I to disable selinux when I install XEN.
>> >
>> > Thanks for an answer.
>>
>> We have not tried to make xen work with selinux on Dom0 .. in fact our
>> documentation:
>>
>> https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01
>>
>>  says:
>>
>> SELinux support is disabled, and you might need to disable SELinux on
>> the dom0 for some operations; primarily when using qemu-xen and blktap
>> backed storage.
>
> This is not the best Situation, but when I have no other way I have to disable
> selinux :-(.

I think that comment may be a little old.  I do try to support SELinux
-- the smoke tests I use before pushing changes have it enabled by
default, and they use both qemu-xen and blktap.

But it's difficult to help debug problems when you haven't even said
what problem(s) you're having. :-)

Please be sure to include the output of `dmesg`, `xl dmesg`, your
xl.cfg, and /var/log/audit/audit.log.

Thanks,
 -George


Re: [CentOS-virt] Selinux Problem

2017-01-26 Thread Günther J . Niederwimmer
Hello,

On Thursday, 26 January 2017, 10:54:20 CET, Johnny Hughes wrote:
> On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > CentOS 7.(3) Xen 4.4,
> > 
> > Can I find any Doc for selinux with XEN, I found many Problems with
> > selinux on Dom0 ?
> > 
> > Or have I to disable selinux when I install XEN.
> > 
> > Thanks for an answer.
> 
> We have not tried to make xen work with selinux on Dom0 .. in fact our
> documentation:
> 
> https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01
> 
>  says:
> 
> SELinux support is disabled, and you might need to disable SELinux on
> the dom0 for some operations; primarily when using qemu-xen and blktap
> backed storage.

This is not the best Situation, but when I have no other way I have to disable 
selinux :-(.
 
> 
> 
> I would go as far as to say turn it off for all operations currently on
> Dom0.


-- 
Kind regards / best regards

  Günther J. Niederwimmer


Re: [CentOS-virt] Selinux Problem

2017-01-26 Thread Johnny Hughes
On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
> Hello,
> 
> CentOS 7.(3) Xen 4.4,
> 
> Can I find any Doc for selinux with XEN, I found many Problems with selinux
> on Dom0 ?
> 
> Or have I to disable selinux when I install XEN.
> 
> Thanks for an answer.
> 

We have not tried to make xen work with selinux on Dom0 .. in fact our
documentation:

https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01

 says:

SELinux support is disabled, and you might need to disable SELinux on
the dom0 for some operations; primarily when using qemu-xen and blktap
backed storage.



I would go as far as to say turn it off for all operations currently on
Dom0.






Re: [CentOS-virt] Selinux Problem

2017-01-26 Thread Sarah Newman
On 01/26/2017 08:45 AM, Sarah Newman wrote:
> On 01/26/2017 08:06 AM, Günther J. Niederwimmer wrote:
>> Hello,
>>
>> CentOS 7.(3) Xen 4.4,
>>
>> Can I find any Doc for selinux with XEN, I found many Problems with selinux
>> on Dom0 ?
>>
>> Or have I to disable selinux when I install XEN.
>>
>> Thanks for an answer.
>>
> 
> What problems and what version of CentOS?
> 
> We leave selinux enabled.

Sorry I'm blind, should have had more coffee.

I would like to know what problems you're having specifically. We aren't on 
CentOS 7 yet unfortunately.



Re: [CentOS-virt] Selinux Problem

2017-01-26 Thread Sarah Newman
On 01/26/2017 08:06 AM, Günther J. Niederwimmer wrote:
> Hello,
> 
> CentOS 7.(3) Xen 4.4,
> 
> Can I find any Doc for selinux with XEN, I found many Problems with selinux
> on Dom0 ?
> 
> Or have I to disable selinux when I install XEN.
> 
> Thanks for an answer.
> 

What problems and what version of CentOS?

We leave selinux enabled.



[CentOS-virt] Selinux Problem

2017-01-26 Thread Günther J . Niederwimmer
Hello,

CentOS 7.(3) Xen 4.4,

Can I find any Doc for selinux with XEN, I found many Problems with selinux on 
Dom0 ?

Or have I to disable selinux when I install XEN.

Thanks for an answer.
-- 
Kind regards / best regards

  Günther J. Niederwimmer