Selinux + qemu + lvm issues

[Dominick Grift]

On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
> I'm running CentOS 5.4 and am trying to allow qemu to use LVM LV's for 
> storage.  I created this file form audit2allow:
> 
> module kvm 1.0;
> 
> require {
>      type qemu_t;
>      type fixed_disk_device_t;
>      class blk_file read;
>      class blk_file getattr;
> }
> 
> allow qemu_t fixed_disk_device_t:blk_file { read getattr };
> 
> I use this script to load it:
> #!/bin/sh
> 
> # Puppet Template
> # Serial: 2008120401
> 
> SE_LOCAL=/etc/selinux/local
> 
> /usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
> /usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
> /usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
> 
> /bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
> 
> When I try to load it, it fails with the following error:
> [root at HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
> /usr/bin/checkmodule:  loading policy configuration from 
> /etc/selinux/local/kvm.te
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 6) to 
> /etc/selinux/local/kvm.mod
> libsepol.check_assertion_helper: assertion on line 0 violated by allow 
> qemu_t fixed_disk_device_t:blk_file { read };
> libsepol.check_assertions: 1 assertion violations occured
> libsemanage.semanage_expand_sandbox: Expand module failed
> /usr/sbin/semodule:  Failed!
> 
> 
> Can someone tell me what I'm doing wrong?

Why not just label the block device properly like everyone else?

chcon -t virt_image_t /pathto/blk_file

> Best regards,
> Michael Schenck
>