[CentOS] SELinux and KVM

Tue Nov 10 03:44:39 UTC 2009
David McGuffey <davidmcguffey at verizon.net>

On Mon, 2009-11-09 at 23:31 +0100, Kai Schaetzl wrote:
> James B. Byrne wrote on Mon, 9 Nov 2009 14:48:50 -0500 (EST):
> 
> > I am afraid I am not seeing the logic behind this sort of install
> > cockup.  If qemu is not supposed to be used at all then why is it
> > even available 
> 
> because you enabled rpmforge and installed qemu. *You* did that, not CentOS. I 
> suppose you were going by some tutorial that isn't quite right (anymore)?
> 
> > =
> > Installing:
> >  kvm                    x86_64    83-105.el5_4.9               updates    828 k
> > Installing for dependencies:
> >  celt051                x86_64    0.5.1.3-0.el5                base        51 k
> >  etherboot-zroms-kvm    x86_64    5.4.4-10.el5.centos          base       126 k
> >  kmod-kvm               x86_64    83-105.el5_4.9               updates    1.2 M
> >  libogg                 x86_64    2:1.1.3-3.el5                base        18 k
> >  log4cpp                x86_64    1.0-4.el5                    base       506 k
> >  mesa-libGLU            x86_64    6.5.1-7.7.el5                base       225 k
> >  qcairo                 x86_64    1.8.7.1-3.el5                base       499 k
> >  qffmpeg-libs           x86_64    0.4.9-0.15.20080908.el5      base       273 k
> >  qpixman                x86_64    0.13.3-4.el5                 base       109 k
> >  qspice-libs            x86_64    0.3.0-39.el5_4.3             updates    228 k
> 
> see any sign of qemu?
> 
> I did the same for virt-manager. Again, no sign of qemu.
> 
> I suggest you go to the centos-virt list, your questions are all virtualization-
> specific. Maybe the archive already helps?
> 
> 
> 
> 
> Kai
> 
Don't be so hard on him.

I did a vanilla install of 5.4 x86_64 and selected 'kvm' as a custom
package during install.  I didn't go to rpmforge and get any other
virtualization tools. kvm and Virtual Machine Manager (the RHEL
graphical interface to libvirt) just worked...created a VM with WinXP
A-OK.

I do get an sealert from qemu-kvm...so qemu must be embedded in whatever
comes with the 'kvm' selection at install time.

I posted the following sealert on the selinux-list:

Summary:

SELinux is preventing qemu-kvm (qemu_t) "read" to sh (bin_t).

Detailed Description:

SELinux denied access requested by qemu-kvm. It is not expected that
this access
is required by qemu-kvm and this access may signal an intrusion attempt.
It is
also possible that the specific version or configuration of the
application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for sh,

restorecon -v 'sh'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context
system_u:system_r:qemu_t:SystemLow-SystemHigh
Target Context                system_u:object_r:bin_t
Target Objects                sh [ lnk_file ]
Source                        qemu-kvm
Source Path                   /usr/libexec/qemu-kvm
Port                          <Unknown>
Host                          desk
Source RPM Packages           kvm-83-105.el5_4.9
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-255.el5_4.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     desk
Platform                      Linux desk 2.6.18-164.6.1.el5 #1 SMP Tue
Nov 3
                              16:12:36 EST 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 09 Nov 2009 09:59:41 PM EST
Last Seen                     Mon 09 Nov 2009 09:59:41 PM EST
Local ID                      f52a188e-0710-4238-86ce-af3beb90c318
Line Numbers                  

Raw Audit Messages            

host=desk type=AVC msg=audit(1257821981.730:53): avc:  denied  { read }
for  pid=4947 comm="qemu-kvm" name="sh" dev=sdc5 ino=3156772
scontext=system_u:system_r:qemu_t:s0-s0:c0.c1023
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

host=desk type=SYSCALL msg=audit(1257821981.730:53): arch=c000003e
syscall=59 success=no exit=-13 a0=31a311f873 a1=7fff15506380
a2=7fff15509f00 a3=31a3e16220 items=0 ppid=4900 pid=4947 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
subj=system_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)

Bottom line is that qemu-kvm is present in the 5.4 x86_64 release. And
there does seem to be a problem with the policy.  Documentation states
one should be able to run a VM as a regular user. Virtual Machine Manger
doesn't have any options to create a VM for a non-root user to run.
Looking at the xml in the /etc/libvirt folder, it is clear that the
permissions of the created images are 0700 and root:root.  I'm probably
going to change those perms to 0660 and root:kvm to see what happens.
sealerts won't stop because I haven't modified the policy or the
extended file attributes, but it should allow me as a regular user as a
member of the kvm group to run the VM.


///////////////////
BTW, I did install yum-priorities and then went to rpmforge to get
mplayer and the gstreamer-plugins.  Got lots of SELinux alerts from the
plugins (see my posts on the selinux-list concerning them).

DaveM