Can you run SE Linux on a Xen Guest?

I was asked “Can you run SELinux on a XEN guest without any problem?”. In a generic sense the answer is of course YES. Xen runs ordinary Linux kernels with the usual range of features, and SE Linux isn’t a particularly difficult feature to enable. I do most of my SE Linux development and testing on virtual machines, and until recently I didn’t have any hardware suitable for running KVM, so in the last few years I’ve done more SE Linux testing on Xen than on non-virtual machines. My SE Linux Play Machine [1] (which will be online again tomorrow) is one SE Linux system running under Xen.

But the question was asked in the context of my blog post comparing the prices of virtual hosting providers [2], which changes things.

Both Linode and Slicehost (the two virtual hosting providers that my clients use) provide kernels without SE Linux support: the command “grep selinux /proc/filesystems” (the easiest test for kernel support, as selinuxfs only appears in that list when the kernel was built with SE Linux) gives no output on their kernels. Note that this only tests whether the kernel supports SE Linux, not whether a policy is loaded or being enforced. I am not aware of any other virtual hosting company that provides SE Linux support.
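As an added example (not code from the original post), the following POSIX shell script performs the check described above and, where the kernel does support SE Linux, also reports the mode configured in /etc/selinux/config and the mode the running kernel is actually in. The paths default to the standard locations, and each function accepts an optional path argument so it can be run against files copied from a guest. The layout of /etc/selinux/config (a `SELINUX=` line) and the mount point /sys/fs/selinux are the ones used by current distributions; older systems mount selinuxfs at /selinux instead.

```shell
#!/bin/sh
# Added example, not from the original post: report SE Linux support on a
# (virtual) machine.  Default paths are the standard locations; each
# function takes an optional path argument so it can be run on sample files.

# Return 0 if selinuxfs is registered in the kernel's filesystem table,
# which is only the case for a kernel built with SE Linux support.
selinux_kernel_support() {
    grep -q 'selinuxfs$' "${1:-/proc/filesystems}"
}

# Print the mode set in the SE Linux config file (disabled, permissive or
# enforcing).  Print "unknown" and return 1 if the file is missing or the
# SELINUX= line is absent or invalid.  This is the file a distribution's
# enabling procedure edits.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 1
    fi
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$cfg" | tail -n 1)
    case "$mode" in
        disabled|permissive|enforcing) echo "$mode" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print the running kernel's mode from selinuxfs: 1 = enforcing,
# 0 = permissive.  If the file does not exist, selinuxfs is not mounted,
# which means SE Linux is not active on this boot.
selinux_runtime_mode() {
    enforce="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# Human-readable summary for the current machine; never aborts, so the
# file can also be sourced to reuse the functions above.
selinux_report() {
    if selinux_kernel_support; then
        echo "kernel: selinuxfs present (SE Linux support compiled in)"
        echo "configured mode (/etc/selinux/config): $(selinux_config_mode)"
        echo "runtime mode (selinuxfs): $(selinux_runtime_mode)"
    else
        echo "kernel: no selinuxfs; this kernel was built without SE Linux"
    fi
}

selinux_report
```

On a Linode or Slicehost kernel of the kind described above the report stops at the first line. The exit status of selinux_kernel_support can also be used on its own in a provisioning script to refuse to deploy onto a kernel that cannot enforce policy.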

If anyone knows of a virtual hosting company that runs Xen or KVM virtual machines with SE Linux support then please let me know, I’ll write a blog post comparing such companies if there are some.

For the people who work at ISPs: if your company supports SE Linux virtual machines then I would be happy to review your service; just give me a free DomU for a couple of weeks so I can test it out. If your company is considering offering such virtual machines then I would be happy to have a confidential discussion about the issues that you will face. While I am available for paid consulting work in this area, I am more than happy to spend an hour or two helping a company that’s going to help support my favorite free software project without expecting to be paid. But I have to note that if a dozen hosting companies happen to want advice I won’t be able to provide two hours of free advice to each of them.

I think that there is an unsatisfied market demand for SE Linux virtual machines. I don’t expect all virtual hosting companies to support it in the near future, but that makes it more profitable for those that do. If for the sake of discussion we assume that 5% of sysadmins who are making purchasing decisions regarding virtual servers really want to have SE Linux support, and that 5% of virtual hosting companies were to offer such support, then those hosting companies would almost double their market share as a result of supporting SE Linux. It’s the usual economic factor of small companies profiting from providing good support for the needs of a minority of customers.

11 comments to Can you run SE Linux on a Xen Guest?

  • If you’re willing to put a bit of effort in, Linode supports pv-grub, so you can boot an selinux-enabled kernel if you want to.

  • etbe

    Rob: Thanks for that suggestion, there are probably more than a few providers offering such an option. It’s still a lot harder than using a kernel that the ISP provides, and also an easy option to enable enforcing=0 (particularly as a one-off option) would be good.

  • paolo

    On my VM on Gandi:

    # grep selinux /proc/filesystems
    nodev selinuxfs

    I don’t know if that is enough to say that selinux is enabled; searching for selinux on the support site doesn’t give any result.

  • etbe

    paolo: If you want to use SE Linux then you should be able to just follow your distribution’s methods for enabling it. Edit /etc/selinux/config appropriately, touch /.autorelabel and reboot if it’s already installed.

  • Using pv-grub on linode is not particularly hard. I think it took me half an hour the first time to configure it to boot a distro-packaged kernel. Most of this time was spent finding the right kernel package to install for an amd64 DomU (answer: linux-image-2.6-amd64).
    When compared to the many hours I spent on slicehost checking to see if they had patched the exploit of the day yet, whining to them that they needed to patch the exploit of the day, or working around the exploit of the day, the small overhead in converting to a distro-managed kernel is more than justified, SE Linux or not.

  • Michael Goetze

    “If for the sake of discussion we assume that 5% of sysadmins who are making purchasing decisions regarding virtual servers really want to have SE Linux support…”

    For the sake of what sort of discussion? :-) Because as an employee of a hosting company I am sure it is much, much lower. I’ve only supported customers with at least a dedicated server, but in that time I only ever encountered SELinux once: a semi-knowledgeable customer had decided SELinux sounded good and turned it on, then made their system unbootable by creating a new file in /tmp and then moving it to /etc/fstab. And I’ve heard quite a few questions that our sales dept. couldn’t answer themselves, and none of them involved SELinux.

    (And there is a reasonable chance that if anyone else had run into an SELinux problem they might have asked me, as I am one of only two employees who aced their RHCE. ;) )

  • Craconia

    Hey, thanks for the post! I asked because my current provider uses Virtuozzo and they told me they didn’t support it, so I was curious about how things were on Xen (since I have never used it).

    Regarding SELinux and support... well... many of these VPS providers usually have their “unmanaged plan” (their cheapest), so I don’t see why they shouldn’t enable SELinux as, in the end, if you’re on an “unmanaged plan” you are on your own.

    Regards,
    Craconia

  • Uli

    @russell: You got a mail from us.

  • sent to Rusty on June 28 …
    > If anyone knows of a virtual hosting company that runs Xen or KVM virtual
    > machines with SE Linux support then please let me know, I’ll write a blog
    > post comparing such companies if there are some.
    umm — I would be embarrassed to be a hosting provider which did NOT enable SElinux.
    Please feel free to set up a ‘comp’ account at:
    http://www.pmman.com/signup/
    at the green arrow. Use the [please do not repeat this] ‘Offer Code’ of: …
    The initial deployment includes a SElinux relabelling phase, and one can reorder it as needed, of course. [We deliver enabled and run under SElinux when we deploy the instance; the customer can thereafter disable it, although I cannot imagine why …]
    Have fun
    — Russ Herrold

  • Hi Russell,

    We’re using KVM at Tilaa, and allow you to run the kernel of your choice.
    You can give it a try for 14 days; if you’re not satisfied we’ll refund your money, no questions asked.