Daniel P. Berrange
berrange at redhat.com
Wed Mar 4 11:22:24 UTC 2009
On Tue, Mar 03, 2009 at 09:04:19PM +0100, Michael Kress wrote:
> Hi! What do I have to do to get qemu-kvm to run with selinux running
> with enforcing policy?
> I've tried to set the type:
> chcon -t virt_image_t a01.img
> but all I got was:
> chcon: failed to change context of `a01.img' to
> `system_u:object_r:virt_image_t:s0': Invalid argument
> The host is a debian 5.0 machine.
I'm not sure how it works in Debian, but I'll outline the way it does
in Fedora. I believe all our SELinux policy bits for virt are in the
upstream SELinux reference policy, so available to Debian too.
First if you run libvirtd or qemu directly, it won't be confined at all,
so you have to start from the init script.
The /etc/init.d/libvirtd script is labelled with:
With the policy transition rules, this means that when you start
libvirtd via the '/etc/init.d/libvirtd start, it'll transition
$ ps -axuwfZ | grep libvirtd
unconfined_u:system_r:virtd_t:s0 root 6249 0.0 0.0 65960 660 ? Sl Feb23 0:15 libvirtd --daemon
Now that has libvirtd running in virtd_t domain.
Next, the /usr/bin/qemu, /usr/bin/qemu-kvm and /usr/bin/qemu-system-*
binaries must all be labelled system_u:object_r:qemu_exec_t:s0
When a qemu binary is launched by a program running in virtd_t, it
will thus transition to system_u:system_r:qemu_t:s0
Thus QEMU is now confined.
Finally, when confined, QEMU needs to access its disks, so these must
all be labelled system_u:object_r:virt_image_t:s0
# ls -lZ /var/lib/libvirt/images/
-rwxr-xr-x. root root system_u:object_r:virt_image_t:s0 demo2.img
This basically protects the host OS from guest VMs.
With the sVirt support that was committed to libvirt yesterday, we can
also now protect guest VMs from each other.
What happens is that each VM runs with a dynamically generated MCS (?)
level, and is thus isolated from VMs with different levels
On my F11 system, you'll thus see VMs running with contexts like
With disks images automatically labelled to match
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list