I discovered something new today: SELinux can and does prevent access to logical volumes. This is entirely unexpected for me, because I always thought SELinux only worked on files.
I was wondering why my test VM suddenly refused to start with the error “Disk is not accessible” after I upgraded it to F16Beta. I checked the dom0 logs, and read “couldn’t find bootloader”. At which I promptly went “Oh, crud, grub2 screwed up again!”, and promptly ignored it because it was after midnight.
Then I tried again today. The main difference being that I dropped out of X, and had the screen on when I started up the domU. So I caught these messages:
[ 946.283648] avc: denied { read } for pid=3193 comm="xend" name="dm-6"
[ 946.690625] avc: denied { open } for pid=3194 comm="pygrub" name="dm-6"
At which point I went “Oh, I see. Oops.”
The quick fix was to put SELinux into permissive mode with a “setenforce 0” command (it keeps logging denials but stops enforcing them). A more thorough fix would be to:
- Find out whether SELinux only became enforcing with the upgrade, or whether the policy only just started blocking Xen's access to the LVs
- Relabel the LVs so SELinux stops objecting.
As for relabeling the LVs, the denial comes down to this pair of contexts:
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0
xend is running in the xend_t domain, while the LV's device node is labelled as a fixed disk (fixed_disk_device_t), and the loaded policy has no rule letting xend_t read or open that type.
Research says
semanage fcontext -a -t xen_image_t "/dev/mapper/vg_caesium_domU*"
should work, but no guarantees – just did it, and ls -lZ was unchanged. =|
(Filed a bugzilla bug on this: bugzilla.redhat.com/show_bug.cgi?id=747662)
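Two checks worth doing before relabeling, as an added example that is not part of the original post. First, semanage fcontext patterns are anchored regular expressions rather than shell globs, so “/dev/mapper/vg_caesium_domU*” matches “…_dom” followed by zero or more “U” and nothing after it; “.*” is what was meant. Second, the denial names “dm-6”: on a udev-managed system /dev/mapper/vg-lv is a symlink to /dev/dm-N, and the kernel checked that node, so a rule for /dev/mapper/… only ever labels the symlink, not the node xend opens. On top of that, semanage only edits the file-context database; nothing is relabeled until restorecon (or udev re-creating the node) applies it, which is consistent with ls -lZ showing no change right after the semanage call. The script below pulls the fields out of an AVC line, checks a pattern the way libselinux's whole-path match would, and sketches both the relabel route and the alternative of a local policy module built from the denials with audit2allow. The LV name vg_caesium_domU1 and the tclass=blk_file field in the sample line are my assumptions, and the two functions that touch the system need root and a real LV, so they are defined but not invoked.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's LV naming
# (/dev/mapper/vg_caesium_domU*, with vg_caesium_domU1 as a made-up LV),
# Fedora 16's Xen policy types (xend_t, xen_image_t, fixed_disk_device_t)
# and the stock SELinux userland (semanage, restorecon, matchpathcon,
# audit2allow, semodule).

# Pull one field (comm, name, scontext, tcontext, ...) out of an AVC message;
# quoted and unquoted values are both handled.
avc_field() {   # avc_field "<avc line>" FIELD
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\) }.*/\1/p'
}

# semanage fcontext patterns are anchored regular expressions, not shell
# globs: "domU*" means "dom" followed by zero or more "U". This mimics the
# whole-path match libselinux does, so a pattern can be checked before it
# goes into the database.
fc_matches() {  # fc_matches REGEX PATH -> exit 0 if REGEX matches all of PATH
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Constructed sample: the post's first denial, reassembled with the contexts
# the post quotes. tclass=blk_file is my assumption (an LV node is a block
# device); the post does not show that field.
SAMPLE_AVC='avc: denied { read } for pid=3193 comm="xend" name="dm-6" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file'

# The AVC "name=" is the dentry the kernel checked: /dev/dm-6, not the
# /dev/mapper/vg-lv symlink that points at it. A rule for /dev/mapper/...
# labels the symlink and never the node xend actually opens.
lv_node() {     # lv_node /dev/mapper/vg-lv -> /dev/dm-N
    readlink -f -- "$1"
}

# The relabel route. Needs root and a real LV; not run here.
relabel_domu_lvs() {
    # ".*", not "*": see fc_matches
    semanage fcontext -a -t xen_image_t '/dev/mapper/vg_caesium_domU.*'
    # semanage only edits the file-context database; nothing changes on disk
    # until restorecon applies it (or udev re-creates the node).
    for lv in /dev/mapper/vg_caesium_domU*; do
        node=$(lv_node "$lv")
        restorecon -v "$lv" "$node"
        ls -lZ "$lv" "$node"     # the link is relabelled, the dm-N node is not
        matchpathcon "$node"     # shows which rule /dev/dm-N really hits
    done
}

# dm-N numbers are not stable across reboots, so labelling the node by path
# is fragile. The alternative is a local policy module that grants xend_t
# the denied permissions on fixed_disk_device_t, built from the denials
# themselves. The messages in the post came from the console, so they are
# read back from dmesg. Needs root; not run here. Read local_xend.te before
# installing it.
policy_module_from_denials() {
    dmesg | grep 'avc: *denied' | audit2allow -M local_xend
    semodule -i local_xend.pp
}

# Usage on the sample: who was denied what on which object, and whether the
# post's pattern would even match the (made-up) LV name.
printf '%s (%s) denied %s on %s (%s)\n' \
    "$(avc_field "$SAMPLE_AVC" comm)" "$(avc_field "$SAMPLE_AVC" scontext)" \
    "$(avc_perm "$SAMPLE_AVC")" \
    "$(avc_field "$SAMPLE_AVC" name)" "$(avc_field "$SAMPLE_AVC" tcontext)"
for pat in '/dev/mapper/vg_caesium_domU*' '/dev/mapper/vg_caesium_domU.*'; do
    if fc_matches "$pat" /dev/mapper/vg_caesium_domU1; then
        echo "$pat matches /dev/mapper/vg_caesium_domU1"
    else
        echo "$pat does not match /dev/mapper/vg_caesium_domU1"
    fi
done
```

fc_matches is the part to run first: if the pattern does not match the LV's own path here, semanage will accept it without complaint and restorecon will simply never apply it. matchpathcon on the resolved /dev/dm-N node then tells you which rule that node actually falls under.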