[CentOS] SELinux and KVM

Mon Nov 9 15:44:36 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

I am trying to set up a test kvm virtual machine on a core2 quad
system.  I have managed to thread my way through bridging eth0 and I
have a CentOS-5.4 dvd iso prepared.

Using virt-manager, when I try and add a new guest then I get the
error reproduced below.  Now, I know that I can 'fix' this by
building a local mod via audit2allow and installing via semodule. 
However, I cannot seem to find this particular problem when I Google
for it.  Therefore, it seems likely that I have done something wrong
rather than having encountered a bug.

Does anyone have any suggestions as to what step I may have missed
in setting up a kvm guest?  All I have done so far is:

Install qemu. Set libvirtd to start at boot. Bridge eth0 to br0 via
customs ifcfg-X scripts in /etc/sysconfig/network-scripts.  Run
virt-manager.  Add a new guest.


Summary:

SELinux is preventing qemu-system-x86 (qemu_t) "read" to rtc
(clock_device_t).

Detailed Description:

SELinux denied access requested by qemu-system-x86. It is not
expected that this
access is required by qemu-system-x86 and this access may signal an
intrusion
attempt. It is also possible that the specific version or
configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try
to restore
the default system file context for rtc,

restorecon -v 'rtc'

If this does not work, there is currently no automatic way to allow
this access.
Instead, you can generate a local policy module to allow this access
- see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you
can disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context               
system_u:system_r:qemu_t:SystemLow-SystemHigh
Target Context                system_u:object_r:clock_device_t
Target Objects                rtc [ chr_file ]
Source                        qemu-system-x86
Source Path                   /usr/bin/qemu-system-x86_64
Port                          <Unknown>
Host                          inet02.hamilton.harte-lyne.ca
Source RPM Packages           qemu-0.9.0-4
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     inet02.hamilton.harte-lyne.ca
Platform                      Linux inet02.hamilton.harte-lyne.ca
2.6.18-164.el5
                              #1 SMP Thu Sep 3 03:28:30 EDT 2009
x86_64 x86_64
Alert Count                   1
First Seen                    Mon 09 Nov 2009 06:28:32 PM EST
Last Seen                     Mon 09 Nov 2009 06:28:32 PM EST
Local ID                      d8ca7ab9-f135-4700-a515-c7b8efba1e27
Line Numbers

Raw Audit Messages

host=inet02.hamilton.harte-lyne.ca type=AVC
msg=audit(1257809312.343:21): avc:  denied  { read } for  pid=4166
comm="qemu-system-x86" name="rtc" dev=tmpfs ino=796
scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file

host=inet02.hamilton.harte-lyne.ca type=SYSCALL
msg=audit(1257809312.343:21): arch=c000003e syscall=2 success=no
exit=-13 a0=4d8b3c a1=0 a2=0 a3=8 items=0 ppid=1 pid=4166
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="qemu-system-x86"
exe="/usr/bin/qemu-system-x86_64"
subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)





-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3