SELinux, Xen & LVMs


I discovered something new today: SELinux can and does prevent access to logical volumes. This was entirely unexpected to me, because I always thought SELinux only worked on files.

I was wondering why my test VM suddenly refused to start with the error “Disk is not accessible” after I upgraded it to F16Beta. I checked the dom0 logs and read “couldn’t find bootloader”, at which I promptly went “Oh, crud, grub2 screwed up again!” and promptly ignored it, because it was after midnight.

Then I tried again today, the main difference being that I had dropped out of X and had the screen on when I started up the domU. So I caught these messages:

[  946.283648] avc:  denied  { read } for  pid=3193 comm="xend" name="dm-6"
[  946.690625] avc:  denied  { open } for  pid=3194 comm="pygrub" name="dm-6"

At which point I went “Oh, I see. Oops.”

The simple fix was to disable SELinux with a “setenforce 0” command. The more extensive fix would be to:

  1. Find out why SELinux was suddenly being enforced, or had only just started blocking my Xen disk access.
  2. Relabel the LVs so SELinux doesn’t throw a fit.

With regard to relabeling the LVs, the exact problem SELinux has seems to be this:

scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0

xend is running in the xend_t domain, while the LV is labeled fixed_disk_device_t, and the policy does not allow that domain to read or open a fixed disk device.

Research says

semanage fcontext -a -t xen_image_t "/dev/mapper/vg_caesium_domU*"

should work, but no guarantees – just did it, and ls -lZ was unchanged. =|

(Filed a bugzilla bug on this: bugzilla.redhat.com/show_bug.cgi?id=747662)
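As an added illustration, not part of the original post or of the Xen or SELinux tooling, here is a small Python script that parses AVC denials of the kind shown above, groups them by source type, target type and object name, and prints the semanage/restorecon pair that a relabel needs. The audit.log-style sample lines are constructed from the fragments quoted above; the msg, dev, ino and tclass values are assumed. One caveat worth knowing: semanage fcontext only records the rule in the policy's file contexts, and restorecon is what applies the new label to nodes that already exist, which is why ls -lZ does not change after semanage alone.

```python
import os
import re
import shlex
from collections import defaultdict

# Constructed sample input (not captured logs): audit.log-style AVC records
# assembled from the dmesg fragments and the scontext/tcontext pair quoted in
# the post. The msg, dev, ino and tclass values are made up for illustration.
SAMPLE_LINES = [
    'type=AVC msg=audit(1318712345.123:456): avc:  denied  { read } for  pid=3193 '
    'comm="xend" name="dm-6" dev=devtmpfs ino=12345 '
    'scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1318712345.530:457): avc:  denied  { open } for  pid=3194 '
    'comm="pygrub" name="dm-6" dev=devtmpfs ino=12345 '
    'scontext=system_u:system_r:xend_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
    # The console form quoted in the post: no contexts, so it can only be counted.
    '[  946.283648] avc:  denied  { read } for  pid=3193 comm="xend" name="dm-6"',
    # An unrelated audit record that the AVC parser must ignore.
    'type=SYSCALL msg=audit(1318712345.123:456): arch=c000003e syscall=2 success=no exit=-13',
]

# "avc:  denied  { read open } for  pid=... comm=... name=... scontext=... tcontext=..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a single run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], <field>: <value>, ...} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def selinux_type(context):
    """Extract the type component from user:role:type:level."""
    return context.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, object name), merging the
    denied permissions. Denials that lack contexts (dmesg form) are counted
    separately because they cannot be attributed to a type pair."""
    by_type = defaultdict(set)
    without_context = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if 'scontext' not in rec or 'tcontext' not in rec:
            without_context += 1
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
               rec.get('name', '?'))
        by_type[key].update(rec['perms'])
    return {'by_type': {k: sorted(v) for k, v in by_type.items()},
            'without_context': without_context}


def relabel_plan(path_pattern, target_type):
    """Commands to relabel devices matching path_pattern to target_type.
    semanage only records the rule; restorecon applies it to existing nodes."""
    if not re.fullmatch(r'\w+_t', target_type):
        raise ValueError('target must be an SELinux type such as xen_image_t')
    return [
        'semanage fcontext -a -t %s %s' % (target_type, shlex.quote(path_pattern)),
        'restorecon -Rv %s' % shlex.quote(os.path.dirname(path_pattern)),
    ]


if __name__ == '__main__':
    report = summarize(SAMPLE_LINES)
    for (src, tgt, name), perms in report['by_type'].items():
        print('%s denied %s on %s (labeled %s)' % (src, ' '.join(perms), name, tgt))
    print('%d denial(s) had no context fields' % report['without_context'])
    # xen_image_t and the pattern are the values the post tried.
    for cmd in relabel_plan('/dev/mapper/vg_caesium_domU*', 'xen_image_t'):
        print(cmd)
```

Running it against the constructed sample reports a single type pair, xend_t on fixed_disk_device_t for dm-6 with read and open denied, one context-less console line, and the two commands to review and run as root. Whether xen_image_t is the right target type for block devices on a given policy version is a separate question that the bug linked above was filed to settle.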
