Selinux + qemu + lvm issues

Daniel J Walsh dwalsh at redhat.com
Fri Nov 20 14:58:04 UTC 2009


On 11/20/2009 09:51 AM, Dominick Grift wrote:
> On 11/20/2009 03:45 PM, Michael Schenck wrote:
>> I could do that, The downside is that this will have to be done for
>> every new virtual machine.
> 
> In current Fedora and EL6 it gets done automatically. I heard someone
> mention that this feature may also get implemented in a future EL5 update.
> 
> Until then it's best to semanage / chcon to virt_image_t.
> 
>> - Michael Schenck
>>
>> On 11/19/2009 06:37 PM, Dominick Grift wrote:
>>> On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
>>>   
>>>> I'm running CentOS 5.4 and am trying to allow qemu to use LVM LVs for
>>>> storage.  I created this file from audit2allow:
>>>>
>>>> module kvm 1.0;
>>>>
>>>> require {
>>>>       type qemu_t;
>>>>       type fixed_disk_device_t;
>>>>       class blk_file read;
>>>>       class blk_file getattr;
>>>> }
>>>>
>>>> allow qemu_t fixed_disk_device_t:blk_file { read getattr };
>>>>
>>>> I use this script to load it:
>>>> #!/bin/sh
>>>>
>>>> # Puppet Template
>>>> # Serial: 2008120401
>>>>
>>>> SE_LOCAL=/etc/selinux/local
>>>>
>>>> /usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
>>>> /usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
>>>> /usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
>>>>
>>>> /bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
>>>>
>>>> When I try to load it, it fails with the following error:
>>>> [root at HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
>>>> /usr/bin/checkmodule:  loading policy configuration from
>>>> /etc/selinux/local/kvm.te
>>>> /usr/bin/checkmodule:  policy configuration loaded
>>>> /usr/bin/checkmodule:  writing binary representation (version 6) to
>>>> /etc/selinux/local/kvm.mod
>>>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>>> qemu_t fixed_disk_device_t:blk_file { read };
>>>> libsepol.check_assertions: 1 assertion violations occured
>>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>>> /usr/sbin/semodule:  Failed!
>>>>
>>>>
>>>> Can someone tell me what I'm doing wrong?
>>>>      
>>> Why not just label the block device properly like everyone else?
>>>
>>> chcon -t virt_image_t /pathto/blk_file
>>>
>>>   
>>>> Best regards,
>>>> Michael Schenck
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Yes, if you run virtual machines on blk devices currently in RHEL5, you will need to label the blk devices. svirt does this automatically in F11 and beyond and in RHEL6. We are hoping to get the functionality back into RHEL5.6.
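The labelling approach the thread recommends, as an added example that is not part of the original posts: a small script that gives an LVM logical volume the virt_image_t type persistently (via semanage fcontext plus restorecon, so the label survives the device node being recreated, which a bare chcon does not). The device path /dev/mapper/vg-lv, the use of stat -c %C and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: label an LVM logical volume virt_image_t,
# the type the RHEL5 policy already lets qemu_t open, instead of loading a custom
# module (the base policy's neverallow assertions reject "allow qemu_t fixed_disk_device_t").
# Assumptions: semanage and restorecon are installed (policycoreutils), and the
# device path passed in (e.g. /dev/mapper/vg-lv) is a placeholder.

# Extract the type field from a context such as system_u:object_r:fixed_disk_device_t[:s0]
selinux_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Succeed when the context already carries the virt_image_t type
has_virt_label() {
    [ "$(selinux_type "$1")" = virt_image_t ]
}

# Print the commands that apply a persistent label (review them before running).
# semanage fcontext records the rule so udev recreating the node keeps the label;
# restorecon applies it now. chcon alone is lost when the device node is recreated.
label_commands() {
    printf 'semanage fcontext -a -t virt_image_t "%s"\n' "$1"
    printf 'restorecon -v "%s"\n' "$1"
}

# Label one block device for use as a VM disk, skipping work already done.
label_device() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    # stat -c %C needs coreutils >= 6.1; on RHEL5's coreutils read "ls -dZ" instead
    ctx=$(stat -c %C "$dev")
    if has_virt_label "$ctx"; then
        echo "$dev already labelled $ctx"
        return 0
    fi
    echo "relabelling $dev (currently $ctx)"
    label_commands "$dev" | sh -e
}

# Usage: ./label-vm-disk.sh /dev/mapper/vg-lv
if [ $# -eq 1 ]; then
    label_device "$1"
fi
```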