
Re: [virt-tools-list] SELinux and svirt

On Wednesday, 31 March 2010 at 16:05 -0400, Cole Robinson wrote:
> On 03/29/2010 02:33 PM, JoHann wrote:
> > I've been scouring the web to try and find directions on how to
> > configure this on RHEL 5.4 using virt-tools, qemu and KVM.
> > 
> > Is there a how-to somewhere I'm missing?
> > 
> > The libvirt website describes setting up a security configuration in
> > qemu.conf, though it doesn't go into details on how to configure basic
> > vs confined.
> > 
> > I'm also not setting any settings in virt-manager on how to assign a
> > SELinux label to new VMs. My use case dictates that I can't
> > auto-assign the labels, though I'm not sure where that setting is
> > anyways.
> > 
> There is no svirt in RHEL5; you would need to use newer versions of
> libvirt at the very least, but the selinux policy bits aren't there
> either. Unfortunately, if there are writeups already available from other
> users, you are on your own.


I'm also running el5 as host to run KVM guests (CentOS 5.4 x86_64).

I had several problems with SELinux, but didn't want to disable it.
Finally, here's what I've done to keep SELinux in enforcing mode and KVM
working:

- manually chcon every guest image like this (I only use LVM for guest
images; maybe file-based ones are already labeled correctly)

chcon -t virt_image_t /dev/mapper/virt-myguest

- Create a custom SELinux module to allow libvirt to start and save
guest state to a file (virsh save myguest /path). The module looks like this:

module qemucustom 1.0;

require {
        type virt_var_lib_t;
        type shell_exec_t;
        type tmp_t;          # declared but not used by the rules below
        type bin_t;
        type qemu_t;
        class lnk_file read;
        # "write" must be declared here because the virt_var_lib_t:file rule uses it
        class file { ioctl execute execute_no_trans read getattr append write };
        class dir { write add_name };
        class sock_file create;
}

#============= qemu_t ==============
# let qemu follow symlinks in bin directories and run shells/binaries
# without a domain transition
allow qemu_t bin_t:lnk_file read;
allow qemu_t shell_exec_t:file { read getattr execute execute_no_trans };
# let qemu create and write the saved guest state under /var/lib/libvirt
allow qemu_t virt_var_lib_t:dir { write add_name };
allow qemu_t virt_var_lib_t:file { ioctl append write };
allow qemu_t virt_var_lib_t:sock_file create;
allow qemu_t bin_t:file { read getattr execute execute_no_trans };

Just save it as qemucustom.te.
You then need to compile this file:

checkmodule -M -m -o qemucustom.mod qemucustom.te
semodule_package -o qemucustom.pp -m qemucustom.mod

And load this module each time the host reboots (I load it from /etc/rc.local):

semodule -i /path/to/qemucustom.pp

I'm not an SELinux expert; I've just created this using audit2allow while
SELinux was in permissive mode. I'd really appreciate it if some more
knowledgeable people could comment on/enhance this (I'm afraid this module
allows more than it should, but at least it works).

Of course, it'd be even better if libvirt could integrate a basic
SELinux driver for hosts where sVirt is not supported (which could
automatically chcon guest images, etc.).


> - Cole

Daniel Berteaud
Société de Services en Logiciels Libres
Technopôle Montesquieu
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Mail: daniel firewall-services com
Web : http://www.firewall-services.com
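A boot-time helper for the two steps in the post above (re-apply virt_image_t to the guest LVs, which lose their label when device nodes are recreated at boot, and load the module only if it is not already loaded), added here as an example and not code from Daniel's post; the /dev/mapper/virt-* naming and the /etc/selinux/local/qemucustom.pp path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions (placeholders):
# guest LVs are /dev/mapper/virt-* and the compiled policy is MODULE_PP.
GUEST_GLOB='/dev/mapper/virt-*'
MODULE_PP='/etc/selinux/local/qemucustom.pp'
MODULE_NAME='qemucustom'

# Pull the user:role:type[:level] field out of one "ls -dZ" output line.
# Works for both the el5 format (no level) and newer ones (with :s0).
context_from_ls() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { print $i; exit }
    }'
}

# Print the type component of a context, e.g. fixed_disk_device_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the path ($1) if its context ($2) is not virt_image_t, else nothing.
needs_relabel() {
    [ "$(context_type "$2")" = "virt_image_t" ] || printf '%s\n' "$1"
}

# Relabel every guest LV whose type is not virt_image_t. Device nodes are
# recreated at boot, so this chcon has to be repeated from rc.local.
relabel_guest_images() {
    for dev in $GUEST_GLOB; do
        [ -e "$dev" ] || continue
        ctx=$(context_from_ls "$(ls -dZ "$dev")")
        if [ -n "$(needs_relabel "$dev" "$ctx")" ]; then
            chcon -t virt_image_t "$dev" && echo "relabeled $dev (was $ctx)"
        fi
    done
}

# Load the custom module only if semodule does not already list it.
load_module_once() {
    if semodule -l | grep -qE "^$MODULE_NAME([[:space:]]|$)"; then
        echo "$MODULE_NAME already loaded"
    else
        semodule -i "$MODULE_PP"
    fi
}

# Only act when explicitly asked, so the helpers can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then
    relabel_guest_images
    load_module_once
fi
```

Run it as `sh relabel-guests.sh --apply` from /etc/rc.local in place of the bare `semodule -i` line.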
