* Xen, systemd, and selinux
@ 2016-06-06 16:41 George Dunlap
From: George Dunlap @ 2016-06-06 16:41 UTC (permalink / raw)
  To: M A Young; +Cc: xen-devel

Hey Michael,

Not sure if you know, I've been maintaining the Xen4CentOS packages; I
suspect given the similarities between our systems we're solving the
same issues; particularly with the systemd/selinux combination.

I've just ported my patchqueue up to 4.7-rc4, and it looks like the
SELinux rules for xenstored -- at least the ones that come with CentOS
7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
(which is deprecated), but not /dev/xen/privcmd.

Do you know where the "upstream" for these rules are, and how to get
them changed in a way that will trickle down eventually to CentOS?

As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
*if* it fails with a certain set of error codes, it tries
/proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
from SELinux denials) is not one of those error codes.  If you just
add that error code into the list of acceptable error codes, then
things work for me.

