[CentOS] SELinux and KVM
David McGuffey
davidmcguffey at verizon.net
Tue Nov 10 03:44:39 UTC 2009
On Mon, 2009-11-09 at 23:31 +0100, Kai Schaetzl wrote:
> James B. Byrne wrote on Mon, 9 Nov 2009 14:48:50 -0500 (EST):
>
> > I am afraid I am not seeing the logic behind this sort of install
> > cockup. If qemu is not supposed to be used at all then why is it
> > even available
>
> because you enabled rpmforge and installed qemu. *You* did that, not CentOS. I
> suppose you were going by some tutorial that isn't quite right (anymore)?
>
> > =
> > Installing:
> > kvm x86_64 83-105.el5_4.9 updates 828 k
> > Installing for dependencies:
> > celt051 x86_64 0.5.1.3-0.el5 base 51 k
> > etherboot-zroms-kvm x86_64 5.4.4-10.el5.centos base 126 k
> > kmod-kvm x86_64 83-105.el5_4.9 updates 1.2 M
> > libogg x86_64 2:1.1.3-3.el5 base 18 k
> > log4cpp x86_64 1.0-4.el5 base 506 k
> > mesa-libGLU x86_64 6.5.1-7.7.el5 base 225 k
> > qcairo x86_64 1.8.7.1-3.el5 base 499 k
> > qffmpeg-libs x86_64 0.4.9-0.15.20080908.el5 base 273 k
> > qpixman x86_64 0.13.3-4.el5 base 109 k
> > qspice-libs x86_64 0.3.0-39.el5_4.3 updates 228 k
>
> see any sign of qemu?
>
> I did the same for virt-manager. Again, no sign of qemu.
>
> I suggest you go to the centos-virt list, your questions are all virtualization-
> specific. Maybe the archive already helps?
>
>
>
>
> Kai
>
Don't be so hard on him.
I did a vanilla install of 5.4 x86_64 and selected 'kvm' as a custom
package during install. I didn't go to rpmforge and get any other
virtualization tools. kvm and Virtual Machine Manager (the RHEL
graphical interface to libvirt) just worked...created a VM with WinXP
A-OK.
I do get an sealert from qemu-kvm...so qemu must be embedded in whatever
comes with the 'kvm' selection at install time.
I posted the following sealert on the selinux-list:
Summary:
SELinux is preventing qemu-kvm (qemu_t) "read" to sh (bin_t).
Detailed Description:
SELinux denied access requested by qemu-kvm. It is not expected that
this access
is required by qemu-kvm and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for sh,
restorecon -v 'sh'
If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context
system_u:system_r:qemu_t:SystemLow-SystemHigh
Target Context system_u:object_r:bin_t
Target Objects sh [ lnk_file ]
Source qemu-kvm
Source Path /usr/libexec/qemu-kvm
Port <Unknown>
Host desk
Source RPM Packages kvm-83-105.el5_4.9
Target RPM Packages
Policy RPM selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name desk
Platform Linux desk 2.6.18-164.6.1.el5 #1 SMP Tue
Nov 3
16:12:36 EST 2009 x86_64 x86_64
Alert Count 1
First Seen Mon 09 Nov 2009 09:59:41 PM EST
Last Seen Mon 09 Nov 2009 09:59:41 PM EST
Local ID f52a188e-0710-4238-86ce-af3beb90c318
Line Numbers
Raw Audit Messages
host=desk type=AVC msg=audit(1257821981.730:53): avc: denied { read }
for pid=4947 comm="qemu-kvm" name="sh" dev=sdc5 ino=3156772
scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
host=desk type=SYSCALL msg=audit(1257821981.730:53): arch=c000003e
syscall=59 success=no exit=-13 a0=31a311f873 a1=7fff15506380
a2=7fff15509f00 a3=31a3e16220 items=0 ppid=4900 pid=4947 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
Bottom line is that qemu-kvm is present in the 5.4 x86_64 release. And
there does seem to be a problem with the policy. Documentation states
one should be able to run a VM as a regular user. Virtual Machine Manger
doesn't have any options to create a VM for a non-root user to run.
Looking at the xml in the /etc/libvirt folder, it is clear that the
permissions of the created images are 0700 and root:root. I'm probably
going to change those perms to 0660 and root:kvm to see what happens.
sealerts won't stop because I haven't modified the policy or the
extended file attributes, but it should allow me as a regular user as a
member of the kvm group to run the VM.
///////////////////
BTW, I did install yum-priorities and then went to rpmforge to get
mplayer and the gstreamer-plugins. Got lots of SELinux alerts from the
plugins (see my posts on the selinux-list concerning them).
DaveM
More information about the CentOS
mailing list