Chapter 11. SELinux and virtualization
SELinux prevents Red Hat Virtualization images from loading if SELinux is enabled and the images are not in the correct directory. SELinux requires that all Red Hat Virtualization images are stored in /var/lib/xen/images.
If you are using an LVM volume for your guest you will have to set the SELinux context for both the underlying block device and the logical volume. In the example below the LVM volume is /dev/VirtGroupVol1/rhel4u4Vol01 and the underlying block device is /dev/sda3:
# semanage fcontext -a -t xen_image_t -f -b /dev/sda3
# restorecon /dev/sda3
# semanage fcontext -a -t xen_image_t -f -b /dev/VirtGroupVol1/rhel4u4Vol01
# restorecon /dev/VirtGroupVol1/rhel4u4Vol01
Set the SELinux context for a block device used by a guest using the semanage and restorecon commands. In the example below the block device is /dev/sda2:
# semanage fcontext -a -t xen_image_t -f -b /dev/sda2
# restorecon /dev/sda2
The same approach can be used to add an additional directory, which allows you to store guest images somewhere other than /var/lib/xen/images/. If a guest image is outside of /var/lib/xen/images/ and the location has not been labelled, Xen will be unable to access the image. Confirm the problem by running ls on the file, which should output a file not found error.
You can modify your SELinux policy to include other directories you use to store images. You will need to add the directory to the SELinux policy and then relabel the directory you want to use for your guest images. To add another directory (in this example the directory /home/admin/xen/ will be added) to your SELinux policy use the following command:
# semanage fcontext --add -t xen_image_t '/home/admin/xen(/.*)?'
The last step is to relabel the directory using the following command:
# restorecon /home/admin/xen
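After labelling, a quick audit confirms that every image file and block device a guest uses actually carries the xen_image_t type. The script below is an added example and is not part of the Red Hat guide: it parses ls -Z style output (assumed here to be the RHEL 5 layout of permissions, owner, group, context, path), reports any entry whose type is not xen_image_t, and prints the semanage command that would fix it, using the -f -b form for block devices and a directory pattern for regular files. The listing is a constructed sample so the script runs offline; on a real host replace it with the output of ls -Z over your image directories and devices.

```shell
#!/bin/sh
# Added example: audit SELinux types on Xen guest images and block devices.
# Expected type for anything a Xen guest reads as a disk image.
EXPECTED_TYPE="xen_image_t"

# Constructed sample of `ls -Z` output (not captured from a real system).
# Fields: perms user group user:role:type[:level] path
SAMPLE_LISTING='-rw-r--r-- root root system_u:object_r:xen_image_t /var/lib/xen/images/rhel4u4.img
-rw-r--r-- root root user_u:object_r:user_home_t /home/admin/xen/rhel5.img
brw-r----- root disk system_u:object_r:fixed_disk_device_t /dev/sda2
brw-rw---- root disk system_u:object_r:xen_image_t /dev/VirtGroupVol1/rhel4u4Vol01'

# find_mislabelled LISTING TYPE
# Prints "kind path" for each entry whose SELinux type is not TYPE,
# where kind is "block" for block devices and "file" otherwise.
find_mislabelled() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            split($4, ctx, ":")        # ctx[3] is the type component
            if (ctx[3] != want) {
                kind = (substr($1, 1, 1) == "b") ? "block" : "file"
                print kind, $NF
            }
        }'
}

# count_mislabelled LISTING TYPE -> number of entries needing relabelling
count_mislabelled() {
    find_mislabelled "$1" "$2" | wc -l | tr -d ' '
}

# suggest_fix KIND PATH TYPE -> the semanage command that would label PATH.
# Block devices use the -f -b file-type selector from the guide; regular
# files get a pattern covering their parent directory, as the guide does
# for /home/admin/xen.
suggest_fix() {
    kind=$1; path=$2; type=$3
    if [ "$kind" = "block" ]; then
        echo "semanage fcontext -a -t $type -f -b $path"
    else
        dir=$(dirname "$path")
        echo "semanage fcontext -a -t $type '$dir(/.*)?'"
    fi
}

# Report every mislabelled entry with its fix, then the restorecon step.
audit_report() {
    find_mislabelled "$1" "$2" | while read -r kind path; do
        echo "MISLABELLED: $path"
        echo "  $(suggest_fix "$kind" "$path" "$2")"
        echo "  restorecon $path"
    done
}

audit_report "$SAMPLE_LISTING" "$EXPECTED_TYPE"
```

Run it as root on a real host with the current listing substituted for SAMPLE_LISTING; an empty report means every image and device already carries the type the Xen domain policy expects, and each printed pair of commands is the relabelling step from this chapter for one path.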