[libvirt] selinux

Michael Kress kress at hal.saar.de
Tue Mar 3 22:17:28 UTC 2009


Dave Allan wrote:
> Michael Kress wrote:
>> I've tried to set the type:
>> chcon -t virt_image_t a01.img
>> but all I got was:
>> chcon: failed to change context of `a01.img' to
>> `system_u:object_r:virt_image_t:s0': Invalid argument
>> The host is a debian 5.0 machine.
>
> That's the correct command to set the context for a disk image.  It
> sounds to me like that context does not exist on your system.  I'll
> let someone with more selinux knowledge than I have speak to how you
> might fix the problem.


Hi, as I'm new to debian and also to SELINUX, I was a bit lost, but
reading some manuals and howtos, I found out that virt_image_t
obviously only exists in RH derivatives. (I'm a CentOS addict, I should
know. Lack of knowledge about SELINUX is my excuse.)
So here's what I did in order to build a policy package file for kvm
(i.e. kvm.pp ) and what I'd like to share with you. If you have any
suggestions, please let me know. All this applies to debian 5.0, haven't
tried it anywhere else.

1) I put the messages I posted before in /root/delme.txt

2) Now find out the requirements for kvm, i.e. analyze the error
messages during kvm startup:
audit2allow -i /root/delme.txt
#============= initrc_t ==============
allow initrc_t self:process execmem;
#============= udev_t ==============
allow udev_t etc_t:file append;

(time to get rid of /root/delme.txt ..... rm /root/delme.txt  )
3) create file kvm.fc:
# kvm executable will have:
# label: system_u:object_r:kvm_exec_t
# MLS sensitivity: s0
# MCS categories: <none>

/usr/bin/kvm            --      gen_context(system_u:object_r:kvm_exec_t,s0)

4) create file kvm.if:
## <summary>kvm policy</summary>
## <desc>
##      <p>
##              kvm policy for selinux
##      </p>
## </desc>
#

########################################
## <summary>
##      Execute a domain transition to run kvm.
## </summary>
## <param name="domain">
##      Domain allowed to transition.
## </param>
#
interface(`kvm_domtrans',`
        gen_require(`
                type kvm_t, kvm_exec_t;
        ')

        domain_auto_trans($1,kvm_exec_t,kvm_t)

        allow $1 kvm_t:fd use;
        allow kvm_t $1:fd use;
        allow $1 kvm_t:fifo_file rw_file_perms;
        allow $1 kvm_t:process sigchld;
')

5) create file kvm.te:
policy_module(kvm,1.0.0)

# Declarations

require {
        type initrc_t;
        type udev_t;
        type etc_t;
        class process { execmem };
        class file { append };
}

type kvm_t;
type kvm_exec_t;
domain_type(kvm_t)
domain_entry_file(kvm_t, kvm_exec_t)

# kvm local policy

allow initrc_t self:process execmem;
allow udev_t etc_t:file append;

6) create file Makefile:
# installation paths

AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
        MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
        MCSFLAG=-mcs
endif

ifeq ($(NAME), mls)
        NAME = strict
        MCSFLAG = -mls
endif

TYPE ?= $(NAME)${MCSFLAG}

HEADERDIR := /usr/share/selinux/default/include
include $(HEADERDIR)/Makefile

7) make

8) semodule -i kvm.pp

9) semodule -l|grep kvm
kvm     1.0.0

10) virsh start myvirtualmachine


Important: Everything has to be in one directory. You should use one directory
per policy as the Makefile would compile all *.te files.
Hope this helps you guys playing with selinux.
Regards
Michael


-- 
Michael Kress, kress at hal.saar.de
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
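An added example, not part of Michael's post: a small POSIX shell helper that reviews the audit2allow-generated allow rules before `make` (the execmem and append-to-etc_t rules from step 2 are the ones to look at twice, since they loosen W^X and let udev modify system configuration) and, after `semodule -i`, relabels the kvm binary so the kvm.fc entry actually takes effect. The function names and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Constructed sample: the two rules audit2allow produced in step 2 plus
# one harmless rule, so the check can be exercised without an SELinux host.
SAMPLE_TE='allow initrc_t self:process execmem;
allow udev_t etc_t:file append;
allow kvm_t self:fifo_file rw_file_perms;'

risky_rules() {
    # Reads policy text on stdin and prints the allow rules worth a
    # second look: process execmem/execheap/execstack, or append/write
    # access to etc_t files.
    grep -E '^allow [^ ]+ self:process .*(execmem|execheap|execstack)|^allow [^ ]+ etc_t:file .*(append|write)'
}

count_risky() {
    # Prints the number of risky rules found in the text on stdin.
    risky_rules | grep -c . || true
}

install_and_verify() {
    # Run from the directory holding kvm.te/kvm.if/kvm.fc (steps 7-9).
    # semodule -i loads the policy but relabels nothing on disk: the
    # kvm_exec_t label from kvm.fc only reaches /usr/bin/kvm after
    # restorecon, so the domain transition would silently never happen.
    make && semodule -i kvm.pp || return 1
    semodule -l | grep -q '^kvm' || return 1
    restorecon -v /usr/bin/kvm
    # Compare the on-disk label with what the loaded policy expects.
    ls -Z /usr/bin/kvm
    matchpathcon /usr/bin/kvm
}

# Demonstration on the constructed sample: prints the two rules to review.
echo "rules to review before running make:"
printf '%s\n' "$SAMPLE_TE" | risky_rules
```

Review the rules `risky_rules` prints before building; run `install_and_verify` only on the host where the module is meant to be loaded.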