Michael Kress wrote:
Hi! What do I have to do to get qemu-kvm to run with selinux running
with enforcing policy?
I get these messages when I enable this policy:
Mar 3 20:56:23 matrix kernel: [ 8972.482746] device vnet0 entered promiscuous mode
Mar 3 20:56:23 matrix kernel: [ 8972.898943] br0: port 2(vnet0) entering learning state
Mar 3 20:56:23 matrix kernel: [ 8972.901957] type=1400 audit(1236110183.820:20): avc: denied { execmem } for pid=6376 comm="kvm" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Mar 3 20:56:23 matrix kernel: [ 8973.161318] type=1400 audit(1236110183.832:21): avc: denied { append } for pid=6379 comm="ifup" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar 3 20:56:23 matrix kernel: [ 8973.188371] br0: port 2(vnet0) entering disabled state
Mar 3 20:56:23 matrix kernel: [ 8973.203666] device vnet0 left promiscuous mode
Mar 3 20:56:23 matrix kernel: [ 8973.203675] br0: port 2(vnet0) entering disabled state
Mar 3 20:56:23 matrix libvirtd: Received signal 17, dispatching to drivers
Mar 3 20:56:23 matrix libvirtd: Received signal 17, dispatching to drivers
Mar 3 20:56:23 matrix kernel: [ 8973.216362] type=1400 audit(1236110183.880:22): avc: denied { append } for pid=6387 comm="ifdown" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
I've tried to set the type:
chcon -t virt_image_t a01.img
but all I got was:
chcon: failed to change context of `a01.img' to `system_u:object_r:virt_image_t:s0': Invalid argument
The host is a Debian 5.0 machine.

That's the correct command to set the context for a disk image. It
sounds to me like that context does not exist on your system. I'll let
someone with more selinux knowledge than I have speak to how you might
fix the problem.
Dave
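
Added example, not part of the original messages: a small parser that groups the three AVC denials quoted above by source type, target type, object class and permission, which makes it easy to see that the kvm process is running in initrc_t. The function names are chosen for this illustration.

```python
import re
from collections import defaultdict

# The three AVC records from the message above, with the mail line wraps re-joined.
LOG = """\
type=1400 audit(1236110183.820:20): avc: denied { execmem } for pid=6376 comm="kvm" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=1400 audit(1236110183.832:21): avc: denied { append } for pid=6379 comm="ifup" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=1400 audit(1236110183.880:22): avc: denied { append } for pid=6387 comm="ifdown" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": tuple(m.group(1).split()),
        "comm": fields.get("comm", "?"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Group denials by (source type, target type, class, perms) -> sorted command names."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["source"], rec["target"], rec["tclass"], rec["perms"])].add(rec["comm"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls, perms), comms in summarize(LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}  comm={','.join(comms)}")
```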