Dave Allan wrote:
> Michael Kress wrote:
> > I've tried to set the type:
> > chcon -t virt_image_t a01.img
> > but all I got was:
> > chcon: failed to change context of `a01.img' to
> > `system_u:object_r:virt_image_t:s0': Invalid argument
> > The host is a debian 5.0 machine.
> That's the correct command to set the context for a disk image. It
> sounds to me like that context does not exist on your system. I'll
> let someone with more selinux knowledge than I have speak to how you
> might fix the problem.
Hi, as I'm new to Debian and also to SELinux, I was a bit lost, but
after reading some manuals and howtos, I found out that virt_image_t
obviously only exists in RH derivatives. (I'm a CentOS addict, I should
know. Lack of knowledge about SELinux is my excuse.)
So here's what I did in order to build a policy package file for kvm
(i.e. kvm.pp ) and what I'd like to share with you. If you have any
suggestions, please let me know. All this applies to debian 5.0, haven't
tried it anywhere else.
1) I put the messages I posted before in /root/delme.txt
2) Now find out the requirements for kvm, i.e. analyze the error
messages during kvm startup:
audit2allow -i /root/delme.txt
#============= initrc_t ==============
allow initrc_t self:process execmem;
#============= udev_t ==============
allow udev_t etc_t:file append;
(time to get rid of /root/delme.txt ..... rm /root/delme.txt )
3) create file kvm.fc:
# kvm executable will have:
# label: system_u:object_r:kvm_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/bin/kvm -- gen_context(system_u:object_r:kvm_exec_t,s0)
4) create file kvm.if:
## <summary>kvm policy</summary>
## <desc>
##	<p>
##		kvm policy for selinux
##	</p>
## </desc>
#
########################################
## <summary>
##	Execute a domain transition to run kvm.
## </summary>
## <param name="domain">
##	Domain allowed to transition.
## </param>
#
interface(`kvm_domtrans',`
	gen_require(`
		type kvm_t, kvm_exec_t;
	')

	domain_auto_trans($1,kvm_exec_t,kvm_t)

	allow $1 kvm_t:fd use;
	allow kvm_t $1:fd use;
	allow $1 kvm_t:fifo_file rw_file_perms;
	allow $1 kvm_t:process sigchld;
')
5) create file kvm.te:
policy_module(kvm,1.0.0)

# Declarations
# (each external type and each class is listed once; the classes carry
# the merged permission set that the allow rules below need)
require {
	type initrc_t;
	type udev_t;
	type etc_t;
	class process { execmem };
	class file { append };
}

type kvm_t;
type kvm_exec_t;
domain_type(kvm_t)
domain_entry_file(kvm_t, kvm_exec_t)

# kvm local policy
allow initrc_t self:process execmem;
allow udev_t etc_t:file append;
6) create file Makefile:
# installation paths
AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
	MLSENABLED := 1
endif
ifeq ($(MLSENABLED),1)
	MCSFLAG=-mcs
endif
ifeq ($(NAME), mls)
	NAME = strict
	MCSFLAG = -mls
endif

TYPE ?= $(NAME)$(MCSFLAG)
HEADERDIR := /usr/share/selinux/default/include
include $(HEADERDIR)/Makefile
7) make
8) semodule -i kvm.pp
9) semodule -l|grep kvm
kvm 1.0.0
10) virsh start myvirtualmachine
Important: Everything has to be in one directory. You should use one directory
per policy as the Makefile would compile all *.te files.
Hope this helps you guys playing with selinux.
Regards
Michael
--
Michael Kress, kress(a)hal.saar.de
http://www.michael-kress.de /
http://kress.net
P E N G U I N S A R E C O O L
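The following is an added example and not code from Michael's post. It takes the `allow` lines that audit2allow prints (the constructed sample below is the output quoted in step 2) and produces the `require { }` block and the body of a .te file with every type and class listed once, which is what the hand-written kvm.te above gets wrong with its duplicated `class file { append };`. It also flags permissions such as execmem that a reviewer should justify rather than copy from a denial log into a policy. The rule grammar it accepts, the RISKY_PERMS list and the function names are this example's own assumptions; nothing here calls the SELinux tooling.

```python
"""Turn audit2allow 'allow' output into a deduplicated .te body and flag
broad permissions. Added example; assumptions are noted in comments."""
import re
from collections import defaultdict

# One audit2allow rule: "allow SRC TGT:CLASS PERM;" or "... { P1 P2 };"
# (assumed grammar; audit2allow's other output forms are not handled).
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;\s*$"
)

# (class, permission) pairs a reviewer should not accept without a reason.
# This list is an assumption of the example, not an SELinux definition.
RISKY_PERMS = {
    ("process", "execmem"), ("process", "execstack"), ("process", "execheap"),
    ("file", "execmod"), ("capability", "sys_admin"), ("capability", "sys_module"),
}

# Constructed sample: the audit2allow output quoted in step 2 of the post.
SAMPLE_AUDIT2ALLOW = """#============= initrc_t ==============
allow initrc_t self:process execmem;
#============= udev_t ==============
allow udev_t etc_t:file append;
"""


def parse_allow_rules(text):
    """Return [(src, tgt, cls, frozenset(perms))]; comment/blank lines skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def build_require_block(rules, local_types):
    """One require block: each external type once, each class once with
    its permissions merged. 'self' and the module's own types are omitted."""
    types = set()
    classes = defaultdict(set)
    for src, tgt, cls, perms in rules:
        for t in (src, tgt):
            if t != "self" and t not in local_types:
                types.add(t)
        classes[cls] |= perms
    lines = ["require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(classes[c])))
              for c in sorted(classes)]
    lines.append("}")
    return "\n".join(lines)


def flag_risky(rules):
    """Return the rules that grant a permission listed in RISKY_PERMS."""
    return [r for r in rules if any((r[2], p) in RISKY_PERMS for p in r[3])]


def render_te(module, version, rules, local_types, declarations=()):
    """Render a .te: header, merged require block, the module's own types,
    any extra declaration lines (e.g. domain_type(...)), then the rules."""
    out = ["policy_module(%s,%s)" % (module, version), "", "# Declarations",
           build_require_block(rules, local_types), ""]
    out += ["type %s;" % t for t in sorted(local_types)]
    out += list(declarations)
    out += ["", "# %s local policy" % module]
    for src, tgt, cls, perms in rules:
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_txt))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_AUDIT2ALLOW)
    for r in flag_risky(rules):
        print("REVIEW: %s %s:%s %s" % (r[0], r[1], r[2], " ".join(sorted(r[3]))))
    print(render_te("kvm", "1.0.0", rules, {"kvm_t", "kvm_exec_t"},
                    ["domain_type(kvm_t)", "domain_entry_file(kvm_t, kvm_exec_t)"]))
```

Run it on a saved audit2allow listing and it prints the flagged rules first, so the `initrc_t ... execmem` line from the post shows up as something to justify before the module is loaded with `semodule -i`, and then a .te body you can paste into the policy directory described in steps 5 to 8.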