[virt-tools-list] SELinux and svirt

Daniel Berteaud daniel at firewall-services.com
Mon Apr 12 09:33:13 UTC 2010


On Wednesday, 31 March 2010 at 16:05 -0400, Cole Robinson wrote:
> On 03/29/2010 02:33 PM, JoHann wrote:
> > I've been scouring the web to try and find directions on how to
> > configure this on RHEL 5.4 using virt-tools, qemu and KVM.
> > 
> > Is there a how-to some where I'm missing?
> > 
> > The libvirt website describes setting up a security configuration in
> > qemu.conf, though it doesn't go into details on how to configure basic
> > vs confined.
> > 
> > I'm also not setting any settings in virt-manager on how to assign a
> > SELinux label to new VMs. My use case dictates that I can't
> > auto-assign the labels, though I'm not sure where that setting is
> > anyways.
> > 
> 
> There is no svirt in RHEL5, you would need to use newer versions of
> libvirt at the very least, but the selinux policy bits aren't there
> either. Unfortunately if there are writeups already available from other
> users, you are on your own.

Hi.

I'm also running el5 as host to run KVM guests (Centos 5.4 x86_64).

I had several problems with SELinux, but didn't want to disable it.
Finally, here's what I've done to leave SELinux in enforcing mode and keep
KVM running:

- manually chcon every guest image like this (I only use LVM for guest
images; maybe file-based ones are already labeled correctly)

chcon -t virt_image_t /dev/mapper/virt-myguest

- Create a custom SELinux module to allow libvirt to start and save
guest state to a file (virsh save myguest /path). The module looks like
this:


module qemucustom 1.0;

require {
        type virt_var_lib_t;
        type shell_exec_t;
        type tmp_t;
        type bin_t;
        type qemu_t;
        class lnk_file read;
        class file { ioctl execute execute_no_trans read getattr append write };
        class dir { write add_name };
        class sock_file create;
}

#============= qemu_t ==============
allow qemu_t bin_t:lnk_file read;
allow qemu_t shell_exec_t:file { read getattr execute execute_no_trans };
allow qemu_t virt_var_lib_t:dir { write add_name };
allow qemu_t virt_var_lib_t:file { ioctl append write };
allow qemu_t virt_var_lib_t:sock_file create;
allow qemu_t bin_t:file { read getattr execute execute_no_trans };

Just save it as qemucustom.te.
You then need to compile this file:

checkmodule -M -m -o qemucustom.mod qemucustom.te
semodule_package -o qemucustom.pp -m qemucustom.mod

And load this module each time the host reboots (I load it from /etc/rc.local):

semodule -i /path/to/qemucustom.pp


I'm not an SELinux expert; I've just created this using audit2allow while
SELinux was in permissive mode. I'd really appreciate it if some more
knowledgeable people could comment on/enhance this (I'm afraid this module
allows more than it should, but at least it works).


Of course, it'd be even better if libvirt could integrate a basic
SELinux driver for hosts where sVirt is not supported (which could
automatically chcon guest images, etc.).


Regards

> 
> - Cole
> 
> 
> _______________________________________________
> virt-tools-list mailing list
> virt-tools-list at redhat.com
> https://www.redhat.com/mailman/listinfo/virt-tools-list

-- 
Daniel Berteaud
FIREWALL-SERVICES SARL.
Free Software Services Company
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Mail: daniel at firewall-services.com
Web : http://www.firewall-services.com
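Added example, not part of Daniel's post or of libvirt: a POSIX shell script that wraps the procedure above (write the module source, compile it with checkmodule and semodule_package, load it with semodule, chcon the guest images) and, before anything is loaded, prints an expanded per-rule summary of what the module grants qemu_t and checks whether any target type ends up both writable and executable, which is the kind of over-broad grant the post is worried about. The allow rules are the ones posted; MODULE_DIR, GUEST_IMAGES, the `apply` argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the list post): review, build, load and label in one
# script. The review part needs no SELinux tools; building, loading and
# labelling run only when the script is invoked as "sh svirt-el5.sh apply"
# on the host. MODULE_DIR and GUEST_IMAGES are assumed values for illustration.
set -eu

MODULE_DIR="${MODULE_DIR:-/etc/selinux/local}"             # assumed path
GUEST_IMAGES="${GUEST_IMAGES:-/dev/mapper/virt-myguest}"   # assumed, space separated

# Module source as posted on the list (wrapped lines joined).
TE_SRC='module qemucustom 1.0;

require {
        type virt_var_lib_t;
        type shell_exec_t;
        type tmp_t;
        type bin_t;
        type qemu_t;
        class lnk_file read;
        class file { ioctl execute execute_no_trans read getattr append write };
        class dir { write add_name };
        class sock_file create;
}

allow qemu_t bin_t:lnk_file read;
allow qemu_t shell_exec_t:file { read getattr execute execute_no_trans };
allow qemu_t virt_var_lib_t:dir { write add_name };
allow qemu_t virt_var_lib_t:file { ioctl append write };
allow qemu_t virt_var_lib_t:sock_file create;
allow qemu_t bin_t:file { read getattr execute execute_no_trans };'

# One line per allow rule, as "source target class perm [perm ...]".
allow_rules() {
    printf '%s\n' "$TE_SRC" \
      | tr '\n' ' ' | tr ';' '\n' \
      | sed -n 's/.*allow  *//p' \
      | tr -d '{}' | tr ':' ' ' | tr -s ' ' | sed 's/ *$//'
}

# Target types qemu_t may modify (file write/append, dir write/add_name).
writable_types() {
    allow_rules | awk '$3 == "file" || $3 == "dir" {
        for (i = 4; i <= NF; i++)
            if ($i == "write" || $i == "append" || $i == "add_name") print $2 }' | sort -u
}

# Target types qemu_t may execute.
executable_types() {
    allow_rules | awk '$3 == "file" {
        for (i = 4; i <= NF; i++)
            if ($i == "execute" || $i == "execute_no_trans") print $2 }' | sort -u
}

# Types present in both lists. A type the confined domain can both write and
# execute would let a compromised guest process run code it wrote itself, so
# this should print nothing (the posted module: bin_t/shell_exec_t are execute
# only, virt_var_lib_t is write only).
write_and_exec_overlap() {
    { writable_types; executable_types; } | sort | uniq -d
}

# Compile, package and install the module, then confirm it is listed.
build_and_load() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found, skipping build" >&2; return 0; }
    done
    mkdir -p "$MODULE_DIR"
    printf '%s\n' "$TE_SRC" > "$MODULE_DIR/qemucustom.te"
    checkmodule -M -m -o "$MODULE_DIR/qemucustom.mod" "$MODULE_DIR/qemucustom.te"
    semodule_package -o "$MODULE_DIR/qemucustom.pp" -m "$MODULE_DIR/qemucustom.mod"
    semodule -i "$MODULE_DIR/qemucustom.pp"
    if semodule -l | grep -q '^qemucustom'; then
        echo "module qemucustom installed"
    else
        echo "qemucustom not listed by semodule -l" >&2
        return 1
    fi
}

# Label each guest image virt_image_t and show the resulting context.
label_images() {
    command -v chcon >/dev/null 2>&1 || { echo "chcon not found, skipping labels" >&2; return 0; }
    for img in $GUEST_IMAGES; do
        if [ -e "$img" ]; then
            chcon -t virt_image_t "$img"
            ls -LZ "$img"
        else
            echo "$img does not exist, not labelled" >&2
        fi
    done
}

echo "allow rules granted to qemu_t by qemucustom:"
allow_rules | sed 's/^/  /'
overlap=$(write_and_exec_overlap)
if [ -n "$overlap" ]; then
    echo "WARNING: writable and executable by qemu_t: $overlap"
else
    echo "no type is both writable and executable by qemu_t"
fi
if [ "${1:-}" = "apply" ]; then
    build_and_load
    label_images
fi
```

Run without arguments it only prints the review; with `apply` it performs the install on the host. Since `semodule -i` stores the package in the policy module store, the module normally survives a reboot, so the script's install step is meant to be run once rather than from rc.local; re-running it is harmless either way.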