Hi folks, I am working on writing an SELinux policy for the KVM agent so that SELinux can be left enabled.
I'd like to solicit some help. So: If you are running KVM you naturally have SELinux set to disabled or permissive. If you have it set to permissive, and would consider installing my current policy definition - it would be greatly appreciated. What's the impact of you testing my policy? Well nothing right now - you're in permissive mode, and we won't change that during testing, so all you'd be doing is hopefully cutting down on AVC denials in /var/log/messages or in /var/log/audit/audit.log So how do you help: First install the new policy: You can get the current version here: http://people.apache.org/~ke4qqq/cloudstack-agent.pp once you have that on the hypervisor - run: semodule -i cloudstack-agent.pp Make sure you have auditd installed: rpm -q audit should show you whether or not you have audit installed. If not 'yum -y install audit' and 'service auditd start' followed by 'chkconfig auditd on' will get you going. The audit package ensures that all AVCs are logged to a dedicated file (/var/log/audit/audit.log) rather than /var/log/messages. If you already had auditd up and running, lets rotate the logs - that will make it much easier to diagnose problems: service auditd stop mv /var/log/audit/audit.log /var/log/audit/oldaudit.log service auditd start Now go about your business, deploy machines, destroy machines, do weird and wacky things, we are essentially looking for new entries in audit.log to see what we have missed. If your audit log shows up with items in your audit log, please upload them to this bug: https://issues.apache.org/jira/browse/CLOUDSTACK-337 You have questions?? Do they match these below? If not reply to this thread and ask. Wait, are you testing this yourself? Of course I am - I've long since (by which I mean I applied it while writing this) applied this to all of my KVM nodes, however, I have only a small percentage of potential configuration options. Specifically, I am running CloudStack 4.0.1, with KVM on EL6.3, with NFS and local storage and VLANs for isolation. Wait - are you making my KVM hypervisor less secure? Probably not. I mean to begin with you are currently running with SELinux in permissive mode. This is an effort to allow us to turn on SELinux, use sVirt, and have a more secure hypervisor. Still not assuaged? Want to see the source? https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.git/?p=incubator-cloudstack.git;a=blob;f=packaging/centos63/cloudstack-agent.te;h=4259e173a46f93316217b84281556b2b9b92d316;hb=HEAD
