[libvirt] selinux

Dave Allan dallan at redhat.com
Tue Mar 3 20:46:41 UTC 2009


Michael Kress wrote:
> Hi! What do I have to do to get qemu-kvm to run with selinux running
> with enforcing policy?
> I get these messages when I enable this policy:
> Mar  3 20:56:23 matrix kernel: [ 8972.482746] device vnet0 entered
> promiscuous mode
> Mar  3 20:56:23 matrix kernel: [ 8972.898943] br0: port 2(vnet0)
> entering learning state
> Mar  3 20:56:23 matrix kernel: [ 8972.901957] type=1400
> audit(1236110183.820:20): avc:  denied  { execmem } for  pid=6376
> comm="kvm" scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=process
> Mar  3 20:56:23 matrix kernel: [ 8973.161318] type=1400
> audit(1236110183.832:21): avc:  denied  { append } for  pid=6379
> comm="ifup" name="ifstate" dev=sda1 ino=1376380
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> Mar  3 20:56:23 matrix kernel: [ 8973.188371] br0: port 2(vnet0)
> entering disabled state
> Mar  3 20:56:23 matrix kernel: [ 8973.203666] device vnet0 left
> promiscuous mode
> Mar  3 20:56:23 matrix kernel: [ 8973.203675] br0: port 2(vnet0)
> entering disabled state
> Mar  3 20:56:23 matrix libvirtd: Received signal 17, dispatching to drivers
> Mar  3 20:56:23 matrix libvirtd: Received signal 17, dispatching to drivers
> Mar  3 20:56:23 matrix kernel: [ 8973.216362] type=1400
> audit(1236110183.880:22): avc:  denied  { append } for  pid=6387
> comm="ifdown" name="ifstate" dev=sda1 ino=1376380
> scontext=system_u:system_r:udev_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> 
> I've tried to set the type:
> chcon -t virt_image_t a01.img
> but all I got was:
> chcon: failed to change context of `a01.img' to
> `system_u:object_r:virt_image_t:s0': Invalid argument
> The host is a debian 5.0 machine.

That's the correct command to set the context for a disk image.  It 
sounds to me like that context does not exist on your system.  I'll let 
someone with more selinux knowledge than I have speak to how you might 
fix the problem.

Dave
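The denials quoted above are the raw material for fixing this, and the first step a practitioner takes is to reduce the AVC lines to the handful of distinct (source domain, target type, object class) pairs the policy is refusing. The following parser is an added example, not code from the thread's participants or from libvirt; it runs over a constructed copy of the three denials from the message (joined back onto single lines, with the kernel/syslog prefixes kept) and groups them so each policy gap appears once. The helper names (`parse_avc`, `summarize`, `type_of`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials from the message above, re-joined onto
# single lines as they appear in /var/log/messages. Non-AVC kernel and
# libvirtd lines are included to show they are skipped.
SAMPLE_LOG = """\
Mar  3 20:56:23 matrix kernel: [ 8972.482746] device vnet0 entered promiscuous mode
Mar  3 20:56:23 matrix kernel: [ 8972.901957] type=1400 audit(1236110183.820:20): avc:  denied  { execmem } for  pid=6376 comm="kvm" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
Mar  3 20:56:23 matrix kernel: [ 8973.161318] type=1400 audit(1236110183.832:21): avc:  denied  { append } for  pid=6379 comm="ifup" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar  3 20:56:23 matrix libvirtd: Received signal 17, dispatching to drivers
Mar  3 20:56:23 matrix kernel: [ 8973.216362] type=1400 audit(1236110183.880:22): avc:  denied  { append } for  pid=6387 comm="ifdown" name="ifstate" dev=sda1 ino=1376380 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." as emitted by the kernel
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="kvm", name="ifstate")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one log line; return a dict for an AVC record, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'source_type': type_of(fields.get('scontext', '')),
        'target_type': type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'name': fields.get('name'),
    }


def parse_log(text):
    """All AVC records in a block of log text, in order."""
    return [e for e in (parse_avc(l) for l in text.splitlines()) if e]


def summarize(events):
    """Group denials by (source type, target type, class): one entry per
    distinct policy gap, with the permissions and commands involved."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for e in events:
        if e['verdict'] != 'denied':
            continue
        g = groups[(e['source_type'], e['target_type'], e['tclass'])]
        g['perms'].update(e['perms'])
        g['comms'].add(e['comm'])
        g['count'] += 1
    return dict(groups)


if __name__ == '__main__':
    for (src, tgt, cls), g in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {tgt} ({cls}): {sorted(g['perms'])} "
              f"from {sorted(g['comms'])}, {g['count']} denial(s)")
```

Run on the sample, the summary collapses the three denials to two gaps: `kvm` running in `initrc_t` denied `execmem` on its own process, and `ifup`/`ifdown` running in `udev_t` denied `append` on `etc_runtime_t`. The first line is the one that bears on Dave's point: the emulator is running in the generic `initrc_t` domain rather than a virtualization-specific one, which is consistent with the virt policy types (including `virt_image_t`) not being defined on that host. On a system with setools installed, `seinfo -t virt_image_t` (an assumption about the tooling available on the Debian host, not something the thread states) shows whether the loaded policy defines the type before retrying `chcon`.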
