From: George Dunlap <dunlapg@umich.edu>
To: M A Young <m.a.young@durham.ac.uk>
Cc: xen-devel <xen-devel@lists.xenproject.org>
Subject: Xen, systemd, and selinux
Date: Mon, 6 Jun 2016 17:41:35 +0100
Message-ID: <CAFLBxZb-o-LyTZKmgMQ9MyQOHgV-T9-0-Lb6_Vq38=7Syu8OPw@mail.gmail.com>

Hey Michael,

Not sure if you know, I've been maintaining the Xen4CentOS packages; I
suspect, given the similarities between our systems, we're solving the
same issues, particularly with the systemd/selinux combination.

I've just ported my patchqueue up to 4.7-rc4, and it looks like the
SELinux rules for xenstored -- at least the ones that come with CentOS
7 -- are outdated; they allow xenstored to open /proc/xen/privcmd
(which is deprecated), but not /dev/xen/privcmd.

Do you know where the "upstream" for these rules is, and how to get
them changed in a way that will trickle down eventually to CentOS?

As of 4.7-rc4, libxc will first try to open /dev/xen/privcmd, then
*if* it fails with a certain set of error codes, it tries
/proc/xen/privcmd instead.  Unfortunately, EACCES (the failure you get
from SELinux denials) is not one of those error codes.  If you just
add that error code into the list of acceptable error codes, then
things work for me.
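To make the fallback George describes concrete, the following is an added example (not George's code and not the Xen tools source) of the open-with-fallback policy with EACCES included, exercised against a constructed stand-in for open(2) that behaves like the CentOS 7 SELinux policy he describes. The errno set ENOENT/ENXIO/ENODEV is my assumption about what 4.7-rc4 checks, and all function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Assumed fallback set: ENOENT/ENXIO/ENODEV is my reading of the 4.7-rc4
 * code; EACCES is the addition proposed in the mail, so that an SELinux
 * denial of the new node also falls back to the legacy one. */
static int privcmd_should_fall_back(int err)
{
    switch (err) {
    case ENOENT: case ENXIO: case ENODEV: /* node missing or driverless */
    case EACCES:             /* SELinux (or mode) denial: proposed addition */
        return 1;
    default:                 /* e.g. EPERM, EBUSY: report, do not mask */
        return 0;
    }
}

typedef int (*privcmd_open_fn)(const char *path, int flags); /* injectable open(2) */

/* Prefer /dev/xen/privcmd; on a fallback-class errno retry /proc/xen/privcmd.
 * *used receives the node actually opened, or NULL on failure. */
static int privcmd_open_with(privcmd_open_fn opener, const char **used)
{
    int fd = opener("/dev/xen/privcmd", O_RDWR | O_CLOEXEC);
    if (fd >= 0) { *used = "/dev/xen/privcmd"; return fd; }
    if (!privcmd_should_fall_back(errno)) { *used = NULL; return -1; }
    fd = opener("/proc/xen/privcmd", O_RDWR | O_CLOEXEC);
    *used = (fd >= 0) ? "/proc/xen/privcmd" : NULL;
    return fd;
}

/* Constructed stand-in for open(2) mimicking the CentOS 7 policy in the mail:
 * /dev/xen/privcmd denied with EACCES, /proc/xen/privcmd allowed (fake fd 42). */
static int fake_open_selinux_denies_dev(const char *path, int flags)
{
    (void)flags;
    if (strcmp(path, "/proc/xen/privcmd") == 0) return 42;
    errno = (strcmp(path, "/dev/xen/privcmd") == 0) ? EACCES : ENOENT;
    return -1;
}

int main(void)
{
    const char *used;
    int fd = privcmd_open_with(fake_open_selinux_denies_dev, &used);
    printf("simulated SELinux denial: fd=%d via %s\n", fd, used ? used : "none");
    return 0;
}
```

Passing a wrapper around the real open(2) as the opener exercises the same policy on an actual host; an errno outside the fallback set (EPERM, EBUSY) is surfaced rather than masked by a retry.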
