Selinux + qemu + lvm issues

Dominick Grift domg472 at gmail.com
Fri Nov 20 14:51:21 UTC 2009


On 11/20/2009 03:45 PM, Michael Schenck wrote:
> I could do that, The downside is that this will have to be done for
> every new virtual machine.

in current fedora and el6 it gets done automatically. i heard someone
mention that this feature may also get implemented in a future el5 update.

until then it's best to semanage / chcon, virt_image_t

> - Michael Schenck
> 
> On 11/19/2009 06:37 PM, Dominick Grift wrote:
>> On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
>>   
>>> I'm running CentOS 5.4 and am trying to allow qemu to use LVM LV's for
>>> storage.  I created this file form audit2allow:
>>>
>>> module kvm 1.0;
>>>
>>> require {
>>>       type qemu_t;
>>>       type fixed_disk_device_t;
>>>       class blk_file read;
>>>       class blk_file getattr;
>>> }
>>>
>>> allow qemu_t fixed_disk_device_t:blk_file { read getattr };
>>>
>>> I use this script to load it:
>>> #!/bin/sh
>>>
>>> # Puppet Template
>>> # Serial: 2008120401
>>>
>>> SE_LOCAL=/etc/selinux/local
>>>
>>> /usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
>>> /usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
>>> /usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
>>>
>>> /bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
>>>
>>> When I try to load it, it fails with the following error:
>>> [root at HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
>>> /usr/bin/checkmodule:  loading policy configuration from
>>> /etc/selinux/local/kvm.te
>>> /usr/bin/checkmodule:  policy configuration loaded
>>> /usr/bin/checkmodule:  writing binary representation (version 6) to
>>> /etc/selinux/local/kvm.mod
>>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>>> qemu_t fixed_disk_device_t:blk_file { read };
>>> libsepol.check_assertions: 1 assertion violations occured
>>> libsemanage.semanage_expand_sandbox: Expand module failed
>>> /usr/sbin/semodule:  Failed!
>>>
>>>
>>> Can someone tell me what I'm doing wrong?
>>>      
>> Why not just label the block device properly like everyone else?
>>
>> chcon -t virt_image_t /pathto/blk_file
>>
>>   
>>> Best regards,
>>> Michael Schenck
>>>
>>>      
>>
>>    
> 
> 


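The chcon suggested above does not survive a relabel; a persistent version uses semanage fcontext plus restorecon. The following helper is an added example, not from either poster; it assumes policycoreutils (semanage, restorecon) and a coreutils stat that supports the %C context format, and that udev reapplies the fcontext rule when the LV node is recreated.

```sh
#!/bin/sh
# Label an LVM logical volume virt_image_t so qemu_t can open it as a disk
# image, without a custom allow rule. Example helper, not from the thread.

# Extract the type field from a context string, e.g.
# system_u:object_r:fixed_disk_device_t:s0 -> fixed_disk_device_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the context is anything other than virt_image_t.
needs_relabel() {
    [ "$(context_type "$1")" != "virt_image_t" ]
}

# semanage fcontext takes a regex; escape the dots in a literal device path.
fcontext_regex() {
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Resolve /dev/mapper or /dev/<vg>/<lv> symlinks to the real dm node,
# add a persistent rule, apply it, and verify the resulting label.
label_virt_image() {
    dev=$(readlink -f "$1") || return 1
    cur=$(stat -L -c %C "$dev") || return 1
    if ! needs_relabel "$cur"; then
        echo "$dev already labeled $cur"
        return 0
    fi
    semanage fcontext -a -t virt_image_t "$(fcontext_regex "$dev")" || return 1
    restorecon -v "$dev" || return 1
    new=$(stat -L -c %C "$dev") || return 1
    [ "$(context_type "$new")" = "virt_image_t" ]
}

# usage: label_virt_image /dev/mapper/vg-kvmlv   (placeholder path)
```

Once the node carries virt_image_t the libsepol assertion seen above no longer matters, because no rule touching fixed_disk_device_t is needed.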