Ah, I actually wanted to blog this.

Some notes: restorecon should be using -v instead of -V. I didn't know about virt_image_t type, so I learnt something new. It looks like virt-manager tries to save images to /var/lib/xen/images which will assume xen_image_t type I think. I'm guessing.


Yes restorecon -v is correct.

virt_image_t is only in rawhide. We are probably going to be introducing other types as we look into confining virt images. I would like to be able to take a virt image and confine it to only be able to listen on http ports, which would allow us to confine an Operating System running in a virtual machine without the Operating System running SELinux or even knowing about it.

Imagine a Windows XP Server running IIS.

Images created in a directory that is labeled xen_image_t will be labeled xen_image_t; similarly, images created in a directory labeled virt_image_t will be labeled virt_image_t.

Thanks Dan.

But wouldn't that be confusing to have different types for different Virtualization technologies? It is clear that if one uses xen_image_t for an image, it is an image created for Xen. But it is also logical that virt_image_t be used for the same image. Sure, we can make sure that xen_image_t is a type alias of virt_image_t, but how can one ensure that the right type is used when writing policies?


It probably makes sense to alias the two types.

Especially if qemu begins to be able to manage xen images.

I will modify policy in Fedora 9 for this.

Re: It probably makes sense to alias the two types.

Thanks Dan.
