Hello,
CentOS 7.(3) Xen 4.4,
Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
Or do I have to disable SELinux when I install Xen?
Thanks for an answer.
Günther J. Niederwimmer
Disable SELinux for sure!
Xlord
-----Original Message----- From: CentOS-virt [mailto:centos-virt-bounces@centos.org] On Behalf Of Günther J. Niederwimmer Sent: Friday, January 27, 2017 12:07 AM To: centos-virt@centos.org Subject: [CentOS-virt] Selinux Problem
On 01/26/2017 08:06 AM, Günther J. Niederwimmer wrote:
> Hello,
> CentOS 7.(3) Xen 4.4,
> Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
> Or do I have to disable SELinux when I install Xen?
> Thanks for an answer.
What problems and what version of CentOS?
We leave selinux enabled.
On 01/26/2017 08:45 AM, Sarah Newman wrote:
> On 01/26/2017 08:06 AM, Günther J. Niederwimmer wrote:
>> Hello,
>> CentOS 7.(3) Xen 4.4,
>> Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
>> Or do I have to disable SELinux when I install Xen?
>> Thanks for an answer.
> What problems and what version of CentOS?
> We leave selinux enabled.
Sorry I'm blind, should have had more coffee.
I would like to know what problems you're having specifically. We aren't on CentOS 7 yet unfortunately.
Günther J. Niederwimmer
SELinux was introduced to CentOS with Linux kernel 2.6.x, which was long ago in CentOS 4.x or maybe earlier.
URL 1--> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/rhlcommon-appendix-0005.html
URL 2--> https://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-selinux.html
-----Original Message----- From: CentOS-virt [mailto:centos-virt-bounces@centos.org] On Behalf Of Sarah Newman Sent: Friday, January 27, 2017 12:47 AM To: Discussion about the virtualization on CentOS centos-virt@centos.org Subject: Re: [CentOS-virt] Selinux Problem
Any task in which the application requires access to the permission-related or hardware abstraction layer will be protected by SELinux. In your case, since CentOS starts up as Dom0 for Xen, SELinux will protect CentOS when Xen is required to access the CentOS kernel and permissions.
Xlord
-----Original Message----- From: CentOS-virt [mailto:centos-virt-bounces@centos.org] On Behalf Of Sarah Newman Sent: Friday, January 27, 2017 12:45 AM To: Discussion about the virtualization on CentOS centos-virt@centos.org Subject: Re: [CentOS-virt] Selinux Problem
On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
> Hello,
> CentOS 7.(3) Xen 4.4,
> Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
> Or do I have to disable SELinux when I install Xen?
> Thanks for an answer.
We have not tried to make xen work with selinux on Dom0 .. in fact our documentation:
https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01
says:
SELinux support is disabled, and you might need to disable SELinux on the dom0 for some operations; primarily when using qemu-xen and blktap backed storage.
====
I would go as far as to say turn it off for all operations currently on Dom0.
Hello,
On Thursday, 26 January 2017, 10:54:20 CET, Johnny Hughes wrote:
> On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
>> Hello,
>> CentOS 7.(3) Xen 4.4,
>> Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
>> Or do I have to disable SELinux when I install Xen?
>> Thanks for an answer.
> We have not tried to make xen work with selinux on Dom0 .. in fact our documentation:
> https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01
> says:
> SELinux support is disabled, and you might need to disable SELinux on the dom0 for some operations; primarily when using qemu-xen and blktap backed storage.
This is not the best situation, but when I have no other way I have to disable SELinux :-(.
> ====
> I would go as far as to say turn it off for all operations currently on Dom0.
On Thu, Jan 26, 2017 at 8:08 PM, Günther J. Niederwimmer gjn@gjn.priv.at wrote:
> Hello,
> On Thursday, 26 January 2017, 10:54:20 CET, Johnny Hughes wrote:
>> On 01/26/2017 10:06 AM, Günther J. Niederwimmer wrote:
>>> Hello,
>>> CentOS 7.(3) Xen 4.4,
>>> Can I find any docs for SELinux with Xen? I found many problems with SELinux on Dom0.
>>> Or do I have to disable SELinux when I install Xen?
>>> Thanks for an answer.
>> We have not tried to make xen work with selinux on Dom0 .. in fact our documentation:
>> https://wiki.centos.org/Manuals/ReleaseNotes/Xen4-01
>> says:
>> SELinux support is disabled, and you might need to disable SELinux on the dom0 for some operations; primarily when using qemu-xen and blktap backed storage.
> This is not the best situation, but when I have no other way I have to disable SELinux :-(.
I think that comment may be a little old. I do try to support SELinux -- the smoke tests I use before pushing changes have it enabled by default, and they use both qemu-xen and blktap.
But it's difficult to help debug problems when you haven't even said what problem(s) you're having. :-)
Please be sure to include the output of `dmesg`, `xl dmesg`, your xl.cfg, and /var/log/audit/audit.log.
Thanks, -George
SELinux is way too complicated for a Xen environment; there are other alternatives to secure your system than SELinux.
Xlord
-----Original Message----- From: CentOS-virt [mailto:centos-virt-bounces@centos.org] On Behalf Of George Dunlap Sent: Monday, January 30, 2017 7:23 PM To: Discussion about the virtualization on CentOS centos-virt@centos.org Subject: Re: [CentOS-virt] Selinux Problem
On Thu, Feb 2, 2017 at 4:46 PM, -=X.L.O.R.D=- xlord.sl@gmail.com wrote:
> SELinux is way too complicated for a Xen environment; there are other alternatives to secure your system than SELinux.
But the core repository for SELinux has rules for all the Xen functionality, which CentOS mostly inherits. This is primarily, I think, because Fedora has Xen packages (and also enables SELinux by default).
-George
George, SELinux is a project that originated from the NSA, and Linux adopted it in the early 2.4.x kernel, which is far more advanced if you require very persistent object security on disk reads and writes. Otherwise, it is really not necessary.
Xlord
-----Original Message----- From: CentOS-virt [mailto:centos-virt-bounces@centos.org] On Behalf Of George Dunlap Sent: Friday, February 3, 2017 1:19 AM To: Discussion about the virtualization on CentOS centos-virt@centos.org Subject: Re: [CentOS-virt] Selinux Problem
On 01/30/2017 03:22 AM, George Dunlap wrote:
> I think that comment may be a little old. I do try to support SELinux -- the smoke tests I use before pushing changes have it enabled by default, and they use both qemu-xen and blktap.
> But it's difficult to help debug problems when you haven't even said what problem(s) you're having. :-)
> Please be sure to include the output of `dmesg`, `xl dmesg`, your xl.cfg, and /var/log/audit/audit.log.
> Thanks, -George
George,
I appreciate you try to keep SELinux working and thank you. If SELinux isn't appropriate for an environment, disabling it is easy. But if it is needed for whatever reason, adding support is hard.
Looking through our ansible role, it turns out that for xenconsoled to be able to work with oxenstored I had to make a policy change. I hesitate to publish that policy as-is because I used audit2allow without taking enough time to tune it and the policy is probably too permissive.
But running xenconsoled with oxenstored on CentOS 6 should allow you to duplicate. If you don't have time to duplicate, I should be able to do that and get you the original audit.log messages.
--Sarah
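
For the audit.log requested in the thread and the concern that a policy generated with audit2allow ends up too permissive, the following is an added example (not code from the thread or from the Xen or CentOS projects). It groups AVC denials by source domain, target type and class, keeps only Xen daemon domains, and renders one allow rule per group for manual review. The log lines are constructed, and the set of Xen domain types is an assumption to adjust to the loaded policy.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1485460000.101:210): avc:  denied  { connectto } for  pid=1201 comm="xenconsoled" path="/var/run/xenstored/socket" scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1485460000.105:211): avc:  denied  { write } for  pid=1201 comm="xenconsoled" name="socket" dev="tmpfs" ino=17234 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xenstored_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1485460003.412:215): avc:  denied  { getattr } for  pid=1201 comm="xenconsoled" path="/var/run/xenstored/socket" dev="tmpfs" ino=17234 scontext=system_u:system_r:xenconsoled_t:s0 tcontext=system_u:object_r:xenstored_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1485460003.412:215): arch=c000003e syscall=4 success=no exit=-13 comm="xenconsoled"
type=AVC msg=audit(1485460010.900:230): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# Assumption: source domains of the Xen daemons in the loaded policy.
XEN_DOMAINS = {"xend_t", "xenconsoled_t", "xenstored_t", "xm_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def summarize(log, domains=XEN_DOMAINS):
    """Group AVC denials by (source type, target type, class) for the given domains."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types
        stype = m.group("s").split(":")[2]
        if stype not in domains:
            continue  # keep unrelated denials out of the Xen module
        key = (stype, m.group("t").split(":")[2], m.group("c"))
        rules[key]["perms"].update(m.group("perms").split())
        rules[key]["count"] += 1
        rules[key]["comms"].add(m.group("comm"))
    return dict(rules)

def allow_rules(rules):
    """Render each group as the allow rule that would silence it, for manual review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
            for (s, t, c), r in sorted(rules.items())]

if __name__ == "__main__":
    grouped = summarize(SAMPLE_LOG)
    for rule, (key, r) in zip(allow_rules(grouped), sorted(grouped.items())):
        print(f"{rule}  # {r['count']} denial(s) from {sorted(r['comms'])}")
```

Each printed rule is a candidate to check against the daemon's actual needs before it goes into a local module; the unrelated `httpd` denial in the sample never reaches the output.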