Thanks for the info. Unfortunately, I can't configure this with recompiled code; the support team won't support it. I'm going to revisit this on RHEL6.
On Mon, Apr 12, 2010 at 5:33 AM, Daniel Berteaud <[email protected]> wrote:
> On Wednesday 31 March 2010 at 16:05 -0400, Cole Robinson wrote:
>> On 03/29/2010 02:33 PM, JoHann wrote:
>> > I've been scouring the web to try and find directions on how to
>> > configure this on RHEL 5.4 using virt-tools, qemu and KVM.
>> >
>> > Is there a how-to somewhere I'm missing?
>> >
>> > The libvirt website describes setting up a security configuration in
>> > qemu.conf, though it doesn't go into details on how to configure basic
>> > vs confined.
>> >
>> > I'm also not seeing any settings in virt-manager on how to assign a
>> > SELinux label to new VMs. My use case dictates that I can't
>> > auto-assign the labels, though I'm not sure where that setting is
>> > anyways.
>> >
>>
>> There is no svirt in RHEL5, you would need to use newer versions of
>> libvirt at the very least, but the selinux policy bits aren't there
>> either. Unfortunately if there are writeups already available from other
>> users, you are on your own.
>
> Hi.
>
> I'm also running el5 as host to run KVM guests (Centos 5.4 x86_64).
>
> I had several problems with SELinux, but didn't want to disable it.
> Finally, here's what I've done to leave SELinux in enforcing mode, and KVM
> running:
>
> - manually chcon every guest image like this (I only use LVM for guest
> images, maybe file based are already labeled correctly)
>
> chcon -t virt_image_t /dev/mapper/virt-myguest
>
> - Create a custom SELinux module to allow libvirt to start and save
> guest state to a file (virsh save myguest /path). The module looks like
> this:
>
>
> module qemucustom 1.0;
>
> require {
> type virt_var_lib_t;
> type shell_exec_t;
> type tmp_t;
> type bin_t;
> type qemu_t;
> class lnk_file read;
> class file { ioctl execute execute_no_trans read getattr append
> write };
> class dir { write add_name };
> class sock_file create;
> }
>
> #============= qemu_t ==============
> allow qemu_t bin_t:lnk_file read;
> allow qemu_t shell_exec_t:file { read getattr execute
> execute_no_trans };
> allow qemu_t virt_var_lib_t:dir { write add_name };
> allow qemu_t virt_var_lib_t:file { ioctl append write };
> allow qemu_t virt_var_lib_t:sock_file create;
> allow qemu_t bin_t:file { read getattr execute execute_no_trans };
>
> Just save it as qemucustom.te
> You then need to compile this file:
>
> checkmodule -M -m -o qemucustom.mod qemucustom.te
> semodule_package -o qemucustom.pp -m qemucustom.mod
>
> And load this module each time the host reboots (I load it from /etc/rc.local)
>
> semodule -i /path/to/qemucustom.pp
>
>
> I'm not a SELinux expert, I've just created this using audit2allow while
> SELinux was in permissive mode. I'd really appreciate it if some more
> knowledgeable people could comment/enhance this (I'm afraid this module
> allows more than it should, but at least, it works).
>
>
> Of course, it'd be even better if libvirt could integrate a basic
> SELinux driver for hosts where sVirt is not supported (which could
> automatically chcon guest images, etc...).
>
>
> Regards
>
>>
>> - Cole
>>
>>
>> _______________________________________________
>> virt-tools-list mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/virt-tools-list
>
> --
> Daniel Berteaud
> FIREWALL-SERVICES SARL.
> Free software services company
> Technopôle Montesquieu
> 33650 MARTILLAC
> Tel : 05 56 64 15 32
> Fax : 05 56 64 15 32
> Mail: [email protected]
> Web : http://www.firewall-services.com
>
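Daniel's worry that the audit2allow-generated module "allows more than it should" is the usual problem with permissive-mode captures: audit2allow records every denial it saw and turns each into a broad allow. The script below is an added example, not code from the thread or from libvirt, that parses a .te module's allow rules and flags the ones a reviewer would question before loading the module in enforcing mode. The sample input is a constructed copy of the qemucustom.te posted above; the RISKY table is this example's own list of patterns (the explanation for virt_var_lib_t relies on that type labelling /var/lib/libvirt as a whole in the virt policy). It reads the policy source directly and needs no SELinux tooling, so it runs on any host.

```python
import re
from typing import NamedTuple

# Constructed copy of the qemucustom.te module posted in the thread, embedded
# here as sample input so the reviewer runs offline.
QEMUCUSTOM_TE = """\
module qemucustom 1.0;

require {
    type virt_var_lib_t;
    type shell_exec_t;
    type tmp_t;
    type bin_t;
    type qemu_t;
    class lnk_file read;
    class file { ioctl execute execute_no_trans read getattr append write };
    class dir { write add_name };
    class sock_file create;
}

#============= qemu_t ==============
allow qemu_t bin_t:lnk_file read;
allow qemu_t shell_exec_t:file { read getattr execute execute_no_trans };
allow qemu_t virt_var_lib_t:dir { write add_name };
allow qemu_t virt_var_lib_t:file { ioctl append write };
allow qemu_t virt_var_lib_t:sock_file create;
allow qemu_t bin_t:file { read getattr execute execute_no_trans };
"""


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: frozenset


class Finding(NamedTuple):
    rule: AllowRule
    perm: str
    reason: str


# One allow statement: "allow src tgt:class perm" or "allow src tgt:class { p1 p2 }"
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)")

# Patterns a reviewer looks for in audit2allow output. This list is written for
# the example (hypothetical, not a libvirt or refpolicy artifact); extend it with
# the types that matter on your hosts.
RISKY = [
    ("shell_exec_t", "file", "execute_no_trans",
     "qemu_t can run a shell without a domain transition, so a compromised "
     "qemu keeps every qemu_t permission while executing shell commands"),
    ("bin_t", "file", "execute_no_trans",
     "every bin_t binary on the host becomes executable from qemu_t with no "
     "transition, far wider than any single helper program needs"),
    ("virt_var_lib_t", "dir", "write",
     "virt_var_lib_t labels /var/lib/libvirt as a whole, so this write access "
     "reaches every guest's state files, not only this guest's save image"),
]


def parse_allow_rules(te_text):
    """Extract allow rules from a .te module, tolerating comments and rules
    wrapped across lines (as in a mailing-list paste)."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in te_text.splitlines())
    rules = []
    for stmt in no_comments.split(";"):
        match = ALLOW_RE.search(" ".join(stmt.split()))
        if match is None:
            continue  # module header, require block entries, blank statements
        src, tgt, cls, perms = match.groups()
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def review_module(te_text):
    """Return the rules in the module that match a RISKY pattern, in module order."""
    findings = []
    for rule in parse_allow_rules(te_text):
        for tgt, cls, perm, reason in RISKY:
            if rule.target == tgt and rule.tclass == cls and perm in rule.perms:
                findings.append(Finding(rule, perm, reason))
    return findings


def format_report(te_text):
    """Human-readable summary: every parsed rule, then the flagged ones."""
    lines = ["Rules in module:"]
    for r in parse_allow_rules(te_text):
        lines.append(f"  {r.source} -> {r.target}:{r.tclass} {{ {' '.join(sorted(r.perms))} }}")
    findings = review_module(te_text)
    lines.append(f"Flagged rules: {len(findings)}")
    for f in findings:
        lines.append(f"  {f.rule.target}:{f.rule.tclass} {f.perm}: {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(QEMUCUSTOM_TE))
```

Run against the posted module it flags three of the six rules: the two execute_no_trans grants (shell and arbitrary bin_t binaries running inside qemu_t with no transition) and the directory write on virt_var_lib_t. The flagged rules are where to spend the permissive-mode testing Daniel describes: drop one at a time, repeat the start and `virsh save` that produced the denials, and keep only what the audit log shows is actually exercised.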
