[CentOS] SELinux and KVM

James B. Byrne byrnejb at harte-lyne.ca
Mon Nov 9 15:44:36 UTC 2009

I am trying to set up a test kvm virtual machine on a core2 quad
system.  I have managed to thread my way through bridging eth0 and I
have a CentOS-5.4 dvd iso prepared.

Using virt-manager, when I try and add a new guest then I get the
error reproduced below.  Now, I know that I can 'fix' this by
building a local mod via audit2allow and installing via semodule. 
However, I cannot seem to find this particular problem when I Google
for it.  Therefore, it seems likely that I have done something wrong
rather than having encountered a bug.

Does anyone have any suggestions as to what step I may have missed
in setting up a kvm guest?  All I have done so far is:

Install qemu. Set libvirtd to start at boot. Bridge eth0 to br0 via
custom ifcfg-X scripts in /etc/sysconfig/network-scripts.  Run
virt-manager.  Add a new guest.


SELinux is preventing qemu-system-x86 (qemu_t) "read" to rtc

Detailed Description:

SELinux denied access requested by qemu-system-x86. It is not expected that this
access is required by qemu-system-x86 and this access may signal an attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for rtc,

restorecon -v 'rtc'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not Please file a
bug report against this package.

Additional Information:

Source Context               
Target Context                system_u:object_r:clock_device_t
Target Objects                rtc [ chr_file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          inet02.hamilton.harte-lyne.ca
Source RPM Packages           qemu-0.9.0-4
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     inet02.hamilton.harte-lyne.ca
Platform                      Linux inet02.hamilton.harte-lyne.ca
                              #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 09 Nov 2009 06:28:32 PM EST
Last Seen                     Mon 09 Nov 2009 06:28:32 PM EST
Local ID                      d8ca7ab9-f135-4700-a515-c7b8efba1e27
Line Numbers

Raw Audit Messages

host=inet02.hamilton.harte-lyne.ca type=AVC
msg=audit(1257809312.343:21): avc:  denied  { read } for  pid=4166
comm="qemu-system-x86" name="rtc" dev=tmpfs ino=796
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file

host=inet02.hamilton.harte-lyne.ca type=SYSCALL
msg=audit(1257809312.343:21): arch=c000003e syscall=2 success=no
exit=-13 a0=4d8b3c a1=0 a2=0 a3=8 items=0 ppid=1 pid=4166
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="qemu-system-x86"
subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)

***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
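As an added example (not part of the original post), a small Python triage helper that parses the two raw audit records quoted above, correlates the AVC with its SYSCALL record by event id (the AVC line as quoted carries no scontext=, so the source domain is taken from the SYSCALL subj= field), and renders the allow rule audit2allow would derive so it can be reviewed before deciding between a local module and a relabel. The sample records are constructed from the post; the field handling follows the standard audit key=value format.

```python
import re
# Constructed sample: the two audit records quoted in the post, each rejoined onto
# one line. As quoted, the AVC record has no scontext= field, so the source domain
# must be recovered from the SYSCALL record's subj= field with the same event id.
SAMPLE_AUDIT = """\
host=inet02.hamilton.harte-lyne.ca type=AVC msg=audit(1257809312.343:21): avc:  denied  { read } for  pid=4166 comm="qemu-system-x86" name="rtc" dev=tmpfs ino=796 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file
host=inet02.hamilton.harte-lyne.ca type=SYSCALL msg=audit(1257809312.343:21): arch=c000003e syscall=2 success=no exit=-13 a0=4d8b3c a1=0 a2=0 a3=8 items=0 ppid=1 pid=4166 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="qemu-system-x86" subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')

def parse_record(line):
    """Split one audit record into its key=value fields, event id and (AVC) perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['event'] = EVENT_RE.search(line).group(1)
    if rec.get('type') == 'AVC':
        rec['perms'] = PERMS_RE.search(line).group(1).split()
    return rec

def type_of(context):
    return context.split(':')[2]  # user:role:TYPE:range -> TYPE

def summarize_denials(audit_text):
    """Correlate AVC and SYSCALL records by event id and describe each denial."""
    events = {}
    for line in filter(str.strip, audit_text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec['event'], {})[rec['type']] = rec
    denials = []
    for event, recs in sorted(events.items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if avc is None:
            continue
        source = avc.get('scontext') or sc.get('subj')  # fall back to SYSCALL subj=
        denials.append({
            'event': event, 'comm': avc.get('comm'), 'target': avc.get('name'),
            'source_type': type_of(source) if source else None,
            'target_type': type_of(avc['tcontext']), 'tclass': avc['tclass'],
            'perms': avc['perms'],
            'enforced': sc.get('success') == 'no' and sc.get('exit') == '-13',  # -EACCES
        })
    return denials

def te_rule(d):
    """Render the allow rule audit2allow would derive from one denial, for review."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['source_type'], d['target_type'], d['tclass'], perms)
```

Seeing the rule spelled out (qemu_t reading clock_device_t) makes it easier to judge whether the domain should really get that access or whether, as the poster suspects, a setup or labeling step is missing.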
