Chapter 11. SELinux and virtualization

Virtualization with SELinux enabled

SELinux prevents Red Hat Virtualization images from loading if SELinux is enabled and the images are not in the correct directory. SELinux requires that all Red Hat Virtualization images are stored in /var/lib/xen/images.

Adding additional devices and files to the hypervisor SELinux policy

If you are using an LVM volume for your guest, you will have to set the SELinux context for both the underlying block device and the logical volume. In the example below the LVM volume is /dev/VirtGroupVol1/rhel4u4Vol01 and the underlying block device is /dev/sda3:

# semanage fcontext -a -t xen_image_t -f -b /dev/sda3
# restorecon /dev/sda3
# semanage fcontext -a -t xen_image_t -f -b /dev/VirtGroupVol1/rhel4u4Vol01
# restorecon /dev/VirtGroupVol1/rhel4u4Vol01

Set the SELinux context for a block device used by a guest using the semanage and restorecon commands. In the example below the block device is /dev/sda2:

# semanage fcontext -a -t xen_image_t -f -b /dev/sda2
# restorecon /dev/sda2

The same commands can be used to register an additional directory, which allows you to store guest images somewhere other than /var/lib/xen/images/. If you have a guest image outside of /var/lib/xen/images/ that has not been registered this way, Xen will be unable to access the image. Confirm the problem using ls on the file, which should output a file not found error.

You can modify your SELinux policy to include other directories you may use to store images. You will need to add the directory to the SELinux policy and then relabel it. To add another directory (in our example the directory /home/admin/xen/ will be added) to your SELinux policy, use the following command:

semanage fcontext --add -t xen_image_t '/home/admin/xen(/.*)?'

The last step is to relabel the directory (and any images already inside it) using the following command:

restorecon -R /home/admin/xen
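As an added example (not part of the Red Hat guide), the following POSIX shell script wraps the two steps above: it builds the semanage pattern for a directory, registers it with the xen_image_t type, relabels it recursively, and verifies the result from ls -dZ output. The helper names and the XEN_IMAGE_DIR variable are my own assumptions; semanage and restorecon are the real tools used on this page.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Registers an extra guest-image
# directory with the xen_image_t context and checks that the label was applied.
# Assumed helper names: fcontext_pattern, label_type, register_image_dir.

# Build the semanage file-context pattern for a directory: drop trailing
# slashes, escape regex metacharacters, and append (/.*)? so that files
# created inside the directory are matched as well.
fcontext_pattern() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    esc=$(printf '%s' "$dir" | sed 's/[].[*^$]/\\&/g')
    printf '%s(/.*)?' "$esc"
}

# Extract the SELinux type from one line of `ls -dZ` output. Works for both
# the old "mode user group context path" layout and the newer "context path"
# layout, with or without an MLS level, by locating the user:role:type field.
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, f, ":"); print f[3]; exit }
    }'
}

# Register the directory in the local policy, relabel it recursively, and
# confirm the directory itself now carries xen_image_t. Must run as root.
register_image_dir() {
    pattern=$(fcontext_pattern "$1")
    semanage fcontext -a -t xen_image_t "$pattern" || return 1
    restorecon -R "$1" || return 1
    [ "$(label_type "$(ls -dZ "$1")")" = xen_image_t ]
}

# Usage (as root): XEN_IMAGE_DIR=/home/admin/xen sh register-xen-dir.sh
if [ -n "${XEN_IMAGE_DIR:-}" ]; then
    if register_image_dir "$XEN_IMAGE_DIR"; then
        echo "$XEN_IMAGE_DIR is labeled xen_image_t"
    else
        echo "labeling $XEN_IMAGE_DIR failed" >&2
        exit 1
    fi
fi
```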

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.