Ah, I actually wanted to blog this.

Some notes: restorecon should be using -v instead of -V. I didn't know about virt_image_t type, so I learnt something new. It looks like virt-manager tries to save images to /var/lib/xen/images which will assume xen_image_t type I think. I'm guessing.

Eugene

Yes restorecon -v is correct.

virt_image_t is only in rawhide. We are probably going to be introducing other types as we look into confining virt images. I would like to be able to take a virt image and confine it to only be able to listen on http ports, which would allow us to confine an Operating System running in a virtual machine without the Operating System running SELinux or even knowing about it.


Imagine a Windows XP Server running IIS.

Images created in a directory that is labeled xen_image_t will be labeled xen_image_t; similarly, images created in a directory labeled virt_image_t will be labeled virt_image_t.



Thanks Dan.

But wouldn't that be confusing to have different types for different Virtualization technologies? It is clear that if one uses xen_image_t for an image, it is an image created for Xen. But it is also logical that virt_image_t be used for the same image. Sure, we can make sure that xen_image_t is a type alias of virt_image_t, but how can one ensure that the right type is used when writing policies?

Thanks,
Eugene

It probably makes sense to alias the two types.

Especially if qemu begins to be able to manage xen images.

I will modify policy in Fedora 9 for this.




Re: It probably makes sense to alias the two types.

Thanks Dan.

LVM, and comments on virtinst vs virt-manager

(Anonymous)
Dan,

What about SELinux and guests with LVM/partition backed storage?

I'll see about making the appropriate changes to koan also, though I think ideally we'd see these changes happen in python-virtinst, as opposed to koan + virt-manager, so any application using libvirt/python-virtinst can take advantage of this without having to do anything special.

--Michael DeHaan (mdehaan/redhat/com)

Re: LVM, and comments on virtinst vs virt-manager

You can label a partition xen_image_t or virt_image_t, using the same technique.

Thanks, Michael

(Deleted comment)

Re: images in home directories

Yes, you can do that in advance.

Not tested:
semanage fcontext -a -t xen_image_t "$XDG_DATA_HOME/Virtual Machines(/.*)?"
restorecon -Rv "$XDG_DATA_HOME/Virtual Machines/"
vim /etc/selinux/restorecond.conf
# add $XDG_DATA_HOME/Virtual\ Machines/

Re: images in home directories

Yes you can do this.

If an unconfined user runs qemu directly, it transitions to unconfined_qemu_t, which is an unconfined domain and can work with any labeling (user_home_t).

But libvirtd will not be able to read the image.
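
A way to check for the mislabeling discussed in this thread, added here as an example and not code from any commenter or from the SELinux project: it walks an image directory and reports files whose SELinux type is neither virt_image_t nor xen_image_t. The function names and the choice of those two types as the accepted set are assumptions made for the example.

```python
import os

# Types the thread names for guest images (accepted set is an assumption).
IMAGE_TYPES = {"virt_image_t", "xen_image_t"}


def selinux_type(context):
    """Return the type field of a 'user:role:type[:level]' context string."""
    fields = context.rstrip("\x00").split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]


def read_context(path):
    """Read a file's label from the security.selinux xattr (Linux only)."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except OSError:
        return None  # unlabeled file, or filesystem without SELinux xattrs


def audit_images(root, read=read_context):
    """Map each file under root whose type is not an image type to that type."""
    bad = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ctx = read(path)
            stype = selinux_type(ctx) if ctx else None
            if stype not in IMAGE_TYPES:
                bad[path] = stype
    return bad


if __name__ == "__main__":
    import sys
    # Usage: python audit_images.py /path/to/image/directory
    for path, stype in sorted(audit_images(sys.argv[1]).items()):
        print(f"{path}: {stype or 'unlabeled'} (not an image type)")
```

A file reported as user_home_t here is the case described above: usable by an unconfined qemu, but not readable by libvirtd until it is relabeled.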

