Selinux + qemu + lvm issues
Michael Schenck
mschenck at limewire.com
Fri Nov 20 14:45:55 UTC 2009
I could do that. The downside is that this will have to be done for
every new virtual machine.
- Michael Schenck
On 11/19/2009 06:37 PM, Dominick Grift wrote:
> On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
>
>> I'm running CentOS 5.4 and am trying to allow qemu to use LVM LV's for
>> storage. I created this file from audit2allow:
>>
>> module kvm 1.0;
>>
>> require {
>> type qemu_t;
>> type fixed_disk_device_t;
>> class blk_file read;
>> class blk_file getattr;
>> }
>>
>> allow qemu_t fixed_disk_device_t:blk_file { read getattr };
>>
>> I use this script to load it:
>> #!/bin/sh
>>
>> # Puppet Template
>> # Serial: 2008120401
>>
>> SE_LOCAL=/etc/selinux/local
>>
>> /usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
>> /usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
>> /usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
>>
>> /bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
>>
>> When I try to load it, it fails with the following error:
>> [root at HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
>> /usr/bin/checkmodule: loading policy configuration from
>> /etc/selinux/local/kvm.te
>> /usr/bin/checkmodule: policy configuration loaded
>> /usr/bin/checkmodule: writing binary representation (version 6) to
>> /etc/selinux/local/kvm.mod
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> qemu_t fixed_disk_device_t:blk_file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule: Failed!
>>
>>
>> Can someone tell me what I'm doing wrong?
>>
> Why not just label the block device properly like everyone else?
>
> chcon -t virt_image_t /pathto/blk_file
>
>
>> Best regards,
>> Michael Schenck
>>
>>
>
>
--
Michael Schenck - Senior Systems Administrator - LimeWire LLC
Phone: 212-775-3046
E-mail: mschenck at limewire.com
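
The "assertion" libsepol reports in the quoted output is a neverallow rule in the base policy, which is why the audit2allow-generated allow rule cannot be loaded and the reply suggests relabelling the device instead. As an added example (not part of the original thread), this shell function flags such rules in a .te file before it is compiled; it assumes audit2allow's one-line `allow SOURCE TARGET:CLASS PERMS;` form, and the names `flag_raw_disk_rules`, `sample_te`, `RAW_TYPES` and `RAW_PERMS` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a local SELinux module source (.te).
# Flags allow rules on raw-disk types, the rule shape semodule rejected above.

# "read" on fixed_disk_device_t is the only combination the quoted error
# names; anything added to these lists is the caller's assumption.
RAW_TYPES="${RAW_TYPES:-fixed_disk_device_t}"
RAW_PERMS="${RAW_PERMS:-read}"

# flag_raw_disk_rules FILE (hypothetical helper)
# Prints "LINE: SOURCE -> TARGET:CLASS PERM" per finding; returns 1 if any.
flag_raw_disk_rules() {
    awk -v types="$RAW_TYPES" -v perms="$RAW_PERMS" '
    BEGIN {
        n = split(types, t, " "); for (i = 1; i <= n; i++) bad_t[t[i]] = 1
        n = split(perms, p, " "); for (i = 1; i <= n; i++) bad_p[p[i]] = 1
    }
    { sub(/#.*/, "") }                    # drop policy comments
    /^[ \t]*allow[ \t]/ {
        gsub(/[{};]/, " ")                # flatten "{ a b }" permission sets
        sub(/:/, " ")                     # split TARGET:CLASS
        # now $2=source $3=target $4=class $5..NF=permissions
        if (!($3 in bad_t)) next
        for (i = 5; i <= NF; i++)
            if ($i in bad_p) {
                printf "%d: %s -> %s:%s %s\n", NR, $2, $3, $4, $i
                found = 1
            }
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the module source quoted in the message above.
sample_te() {
    cat <<'EOF'
module kvm 1.0;
require {
type qemu_t;
type fixed_disk_device_t;
class blk_file read;
class blk_file getattr;
}
allow qemu_t fixed_disk_device_t:blk_file { read getattr };
EOF
}

tmp=$(mktemp) && sample_te > "$tmp"
flag_raw_disk_rules "$tmp" || echo "relabel the device (chcon -t virt_image_t <device>) instead"
rm -f "$tmp"
```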