[virt-tools-list] SELinux and svirt

JoHann sublimate at gmail.com
Mon Apr 12 13:06:55 UTC 2010


Thanks for the info. Unfortunately, I can't configure this with
recompiled code; the support team won't support it. I'm going to
revisit this on RHEL6.

On Mon, Apr 12, 2010 at 5:33 AM, Daniel Berteaud
<daniel at firewall-services.com> wrote:
> On Wednesday, 31 March 2010 at 16:05 -0400, Cole Robinson wrote:
>> On 03/29/2010 02:33 PM, JoHann wrote:
>> > I've been scouring the web to try and find directions on how to
>> > configure this on RHEL 5.4 using virt-tools, qemu and KVM.
>> >
>> > Is there a how-to some where I'm missing?
>> >
>> > The libvirt website describes setting up a security configuration in
>> > qemu.conf, though it doesn't go into details on how to configure basic
>> > vs confined.
>> >
>> > I'm also not seeing any settings in virt-manager on how to assign an
>> > SELinux label to new VMs. My use case dictates that I can't
>> > auto-assign the labels, though I'm not sure where that setting is
>> > anyway.
>> >
>>
>> There is no svirt in RHEL5; you would need to use newer versions of
>> libvirt at the very least, but the selinux policy bits aren't there
>> either. Unfortunately, if there are writeups already available from other
>> users, you are on your own.
>
> Hi.
>
> I'm also running el5 as host to run KVM guests (Centos 5.4 x86_64).
>
> I had several problems with SELinux, but didn't want to disable it.
> Finally, here's what I've done to leave SELinux in enforcing mode and keep KVM
> running:
>
> - manually chcon every guest image like this (I only use LVM for guest
> images; maybe file-based ones are already labeled correctly)
>
> chcon -t virt_image_t /dev/mapper/virt-myguest
>
> - Create a custom SELinux module to allow libvirt to start and save
> guest state to a file (virsh save myguest /path). The module looks like
> this:
>
>
> module qemucustom 1.0;
>
> require {
>        type virt_var_lib_t;
>        type shell_exec_t;
>        type tmp_t;
>        type bin_t;
>        type qemu_t;
>        class lnk_file read;
>        class file { ioctl execute execute_no_trans read getattr append write };
>        class dir { write add_name };
>        class sock_file create;
> }
>
> #============= qemu_t ==============
> allow qemu_t bin_t:lnk_file read;
> allow qemu_t shell_exec_t:file { read getattr execute execute_no_trans };
> allow qemu_t virt_var_lib_t:dir { write add_name };
> allow qemu_t virt_var_lib_t:file { ioctl append write };
> allow qemu_t virt_var_lib_t:sock_file create;
> allow qemu_t bin_t:file { read getattr execute execute_no_trans };
>
> Just save it as qemucustom.te
> You then need to compile this file:
>
> checkmodule -M -m -o qemucustom.mod qemucustom.te
> semodule_package -o qemucustom.pp -m qemucustom.mod
>
> And load this module each time the host reboots (I load it from /etc/rc.local):
>
> semodule -i /path/to/qemucustom.pp
>
>
> I'm not an SELinux expert; I've just created this using audit2allow while
> SELinux was in permissive mode. I'd really appreciate it if some more
> knowledgeable people could comment/enhance this (I'm afraid this module
> allows more than it should, but at least it works).
>
>
> Of course, it'd be even better if libvirt could integrate a basic
> SELinux driver for hosts where sVirt is not supported (which could
> automatically chcon guest images, etc.).
>
>
> Regards
>
>>
>> - Cole
>>
>>
>> _______________________________________________
>> virt-tools-list mailing list
>> virt-tools-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/virt-tools-list
>
> --
> Daniel Berteaud
> FIREWALL-SERVICES SARL.
> Free Software Services Company
> Technopôle Montesquieu
> 33650 MARTILLAC
> Tel : 05 56 64 15 32
> Fax : 05 56 64 15 32
> Mail: daniel at firewall-services.com
> Web : http://www.firewall-services.com
>
>
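
The procedure Daniel describes above (chcon the guest volumes, compile the
module with checkmodule and semodule_package, load it with semodule, rerun
from /etc/rc.local), as an added example that is not code from the thread or
from libvirt. It wraps the same commands in a script that can be rerun
idempotently at boot, verifies afterwards that every guest volume really
carries virt_image_t, and lists the allow rules in the module that grant
execute rights, which are the ones to question first when judging whether the
module "allows more than it should". The device-name pattern
/dev/mapper/virt-*, the source directory /etc/selinux/local and the script
name relabel-guests.sh are assumptions of this example, not something the
thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the two manual steps in
# Daniel's message (chcon the guest volumes, build and install the custom
# SELinux module) so they can be rerun from /etc/rc.local and checked.
# Assumptions that are mine, not the page's: guest logical volumes appear
# as /dev/mapper/virt-<name>, and the .te source is kept in /etc/selinux/local.
set -eu

GUEST_DEV_GLOB="${GUEST_DEV_GLOB:-/dev/mapper/virt-*}"
MODULE_DIR="${MODULE_DIR:-/etc/selinux/local}"
MODULE_NAME="${MODULE_NAME:-qemucustom}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the privileged commands instead of running them

# run CMD...: execute CMD, or echo it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# guest_volumes: one guest device path per line (nothing if the glob matches no file)
guest_volumes() {
    for dev in $GUEST_DEV_GLOB; do
        [ -e "$dev" ] && echo "$dev"
    done
    return 0
}

# label_volumes: the chcon step from the thread. Device nodes under /dev are
# recreated by udev at boot, so this label is lost on reboot and must be reapplied.
label_volumes() {
    for dev in $(guest_volumes); do
        run chcon -t virt_image_t "$dev"
    done
}

# context_type PATH: the SELinux type of PATH's file context ("" when unknown)
context_type() {
    ls -dZ "$1" 2>/dev/null | sed -n 's/.*:object_r:\([a-z_]*\).*/\1/p' | head -n 1
}

# verify_labels: fail if any guest volume does not carry virt_image_t
verify_labels() {
    status=0
    for dev in $(guest_volumes); do
        t=$(context_type "$dev")
        if [ "$t" != virt_image_t ]; then
            echo "wrong label on $dev: ${t:-unlabeled}" >&2
            status=1
        fi
    done
    return $status
}

# build_module: the checkmodule / semodule_package pair from the thread
build_module() {
    run checkmodule -M -m -o "$MODULE_DIR/$MODULE_NAME.mod" "$MODULE_DIR/$MODULE_NAME.te"
    run semodule_package -o "$MODULE_DIR/$MODULE_NAME.pp" -m "$MODULE_DIR/$MODULE_NAME.mod"
}

# install_module: semodule -i writes the module into the policy store, where it
# persists across reboots, so only install it when it is not already loaded
install_module() {
    if semodule -l 2>/dev/null | awk '{ print $1 }' | grep -qx "$MODULE_NAME"; then
        echo "$MODULE_NAME already installed"
    else
        run semodule -i "$MODULE_DIR/$MODULE_NAME.pp"
    fi
}

# review_module: list the allow rules that give qemu_t execute rights; these are
# the first ones to question, since they let a compromised qemu process run
# other host binaries inside its own domain
review_module() {
    grep -E '^allow qemu_t .*execute' "$MODULE_DIR/$MODULE_NAME.te" || true
}

case "${1:-}" in
    relabel) label_volumes && verify_labels ;;
    module)  build_module && install_module ;;
    review)  review_module ;;
    boot)    label_volumes && verify_labels && install_module ;;   # for /etc/rc.local
    *)       : ;;   # no subcommand: define the functions only
esac
```

Run `sh relabel-guests.sh module` once after writing qemucustom.te, and put
`sh /usr/local/sbin/relabel-guests.sh boot` in /etc/rc.local. The split
matters: semodule -i stores the module in the policy store, so it survives
reboots and only needs to be reinstalled when the .te changes, whereas chcon
on a device node under /dev is undone when udev recreates the node at boot, so
the relabel is the part that genuinely has to run every time. Against Daniel's
module, `review` prints the two `file` rules on shell_exec_t and bin_t; those
are the rules that turn qemu_t into a domain that may run any bin_t binary or
shell, and they deserve a look at the AVC denials that produced them before
the module goes onto a host with untrusted guests.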



