Selinux + qemu + lvm issues

Michael Schenck mschenck at limewire.com
Fri Nov 20 14:45:55 UTC 2009


I could do that. The downside is that this will have to be done for 
every new virtual machine.

- Michael Schenck

On 11/19/2009 06:37 PM, Dominick Grift wrote:
> On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
>> I'm running CentOS 5.4 and am trying to allow qemu to use LVM LVs for
>> storage.  I created this file from audit2allow:
>>
>> module kvm 1.0;
>>
>> require {
>>       type qemu_t;
>>       type fixed_disk_device_t;
>>       class blk_file read;
>>       class blk_file getattr;
>> }
>>
>> allow qemu_t fixed_disk_device_t:blk_file { read getattr };
>>
>> I use this script to load it:
>> #!/bin/sh
>>
>> # Puppet Template
>> # Serial: 2008120401
>>
>> SE_LOCAL=/etc/selinux/local
>>
>> /usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
>> /usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
>> /usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
>>
>> /bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
>>
>> When I try to load it, it fails with the following error:
>> [root at HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
>> /usr/bin/checkmodule:  loading policy configuration from
>> /etc/selinux/local/kvm.te
>> /usr/bin/checkmodule:  policy configuration loaded
>> /usr/bin/checkmodule:  writing binary representation (version 6) to
>> /etc/selinux/local/kvm.mod
>> libsepol.check_assertion_helper: assertion on line 0 violated by allow
>> qemu_t fixed_disk_device_t:blk_file { read };
>> libsepol.check_assertions: 1 assertion violations occured
>> libsemanage.semanage_expand_sandbox: Expand module failed
>> /usr/sbin/semodule:  Failed!
>>
>>
>> Can someone tell me what I'm doing wrong?
> Why not just label the block device properly like everyone else?
>
> chcon -t virt_image_t /pathto/blk_file
>
>> Best regards,
>> Michael Schenck


-- 
Michael Schenck - Senior Systems Administrator - LimeWire LLC
Phone:   212-775-3046
E-mail:  mschenck at limewire.com
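The two approaches in this thread differ in durability: the audit2allow module is rejected outright because the base policy carries a neverallow (the "assertion violated" line from libsepol) against qemu_t touching fixed_disk_device_t, and a bare chcon only lasts until the next relabel, which is why it has to be repeated per VM. The script below is an added example, not code from the thread or from Fedora/CentOS; it audits the labels on the LVs handed to guests and emits a persistent fix built on a file-context rule plus restorecon. It assumes a hypothetical naming convention (/dev/mapper/<vg>-vm_<name> for guest disks) and works on constructed `ls -Z` output, so it runs offline; on a real host you would feed it the output of `ls -Z /dev/mapper/*` and review the commands before running them as root.

```python
"""Audit SELinux labels on LVM block devices used by qemu guests and plan a
persistent relabel (semanage fcontext + restorecon) instead of a one-off chcon.

Added example; not from the mailing-list thread. The VM naming convention and
the sample `ls -Z` lines below are constructed assumptions.
"""
import re

# Type the virtualisation policy lets qemu_t use for disk images (from the thread).
WANTED_TYPE = "virt_image_t"

# Constructed sample of `ls -Z /dev/mapper/vg0-*` on a CentOS 5 host (not real output).
SAMPLE_LS_Z = """\
brw-rw---- root disk system_u:object_r:fixed_disk_device_t:s0 /dev/mapper/vg0-vm_web01
brw-rw---- root disk system_u:object_r:virt_image_t:s0        /dev/mapper/vg0-vm_db01
brw-rw---- root disk system_u:object_r:fixed_disk_device_t:s0 /dev/mapper/vg0-root
"""

# Hypothetical convention: every LV exported to a guest is named vm_<guest>.
VM_LV_RE = re.compile(r"^/dev/mapper/(?P<vg>[^/]+)-vm_(?P<name>[^/]+)$")


def parse_ls_z(text):
    """Map device path -> SELinux context from `ls -Z` lines; keeps block devices only."""
    devices = {}
    for line in text.splitlines():
        fields = line.split()
        # mode, owner, group, context, path; 'b' in the mode marks a block device
        if len(fields) < 5 or not fields[0].startswith("b"):
            continue
        context, path = fields[3], fields[4]
        devices[path] = context
    return devices


def context_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(":")[2]


def find_mislabeled(devices):
    """Guest LVs (by naming convention) whose type is not virt_image_t."""
    return sorted(
        path for path, ctx in devices.items()
        if VM_LV_RE.match(path) and context_type(ctx) != WANTED_TYPE
    )


def remediation(devices):
    """Commands for a persistent fix.

    One fcontext regex per volume group covers every current and future guest LV,
    so new VMs need no per-machine chcon; restorecon applies the rule to the nodes
    that exist now, and udev re-applies file_contexts when it recreates /dev on boot.
    """
    bad = find_mislabeled(devices)
    commands = []
    for vg in sorted({VM_LV_RE.match(p).group("vg") for p in bad}):
        commands.append(
            f"semanage fcontext -a -t {WANTED_TYPE} '/dev/mapper/{vg}-vm_.*'"
        )
    for path in bad:
        commands.append(f"restorecon -v {path}")
    return commands


if __name__ == "__main__":
    devs = parse_ls_z(SAMPLE_LS_Z)
    print("mislabeled:", find_mislabeled(devs))
    for cmd in remediation(devs):
        print(cmd)
```

After running the emitted commands, `ls -Z` on the LVs should show virt_image_t, and the audit2allow module becomes unnecessary; the neverallow that rejected it is the policy telling you that widening qemu_t to raw fixed disks is not the intended way to grant this access.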