Bug 790526
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | qemu-system-arm denied execmem when run through libvirt | | |
| Product | [Fedora] Fedora | Reporter | Garrett Holmstrom <gholms> |
| Component | libvirt | Assignee | Libvirt Maintainers <libvirt-maint> |
| Status | CLOSED DUPLICATE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | medium | | |
| Version | 17 | CC | berrange, chemobejk, clalancette, crobinso, dominick.grift, dougsland, dwalsh, itamar, jforbes, jyang, laine, libvirt-maint, mgrepl, pbrobinson, veillard, virt-maint |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-12-16 23:39:08 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 245418 | | |
Description
Garrett Holmstrom
2012-02-14 18:47:33 UTC
Reproduced also under F17:
qemu-system-arm-1.0-9.fc17.x86_64
selinux-policy-3.10.0-104.fc17.noarch
selinux-policy-targeted-3.10.0-104.fc17.noarch

Mar 23 18:22:50 stefanb-lnx kernel: [69217.595416] type=1400 audit(1332519770.482:36): avc: denied { execmem } for pid=25968 comm="qemu-system-arm" scontext=system_u:system_r:svirt_t:s0:c242,c604 tcontext=system_u:system_r:svirt_t:s0:c242,c604 tclass=process

This seems to be the only thing needed to get this working. I don't see any other AVCs when I use "setenforce 0". Should this be fixed in the policy or should qemu-system-arm install a SELinux module?

No, what we want here is libvirt to launch qemu that requires execmem to use a different label. Maybe we could add this to

cat /etc/selinux/targeted/contexts/virtual_domain_context
system_u:system_r:svirt_t:s0
system_u:system_r:svirt_execmem_t:s0

Or fix the format of this file to contain both labels:

standard system_u:system_r:svirt_t:s0
execmem system_u:system_r:svirt_execmem_t:s0

Or we could begin to label the qemu executables differently and have libvirt ask how to execute them. We could write rules that say virtd_t executing qemu_exec_t runs it as svirt_t, and virtd_t executing qemu_execmem_exec_t executes it as svirt_exec_t. Then libvirt could ask the kernel what type it should execute qemu with. That way we could start to get real fancy with the policy and virtd would not need to change in the future.

Tested on F17:
- the default "deny_execmem --> off" allows users to run qemu_system_arm from the command line.
- the default "virt_use_execmem --> off" prevents virt-manager/libvirt from running qemu_system_arm.

After "setsebool virt_use_execmem on" ARM VMs run OK in virt-manager, i.e. you don't have to use "setenforce 0" as suggested by the Wiki page.

We have libvirt support for this, but backporting it isn't a clean backport to F17. Since there is a workaround with selinux booleans, I'm just gonna say this is WONTFIX for F17.

Duping to the F18 bug.

*** This bug has been marked as a duplicate of bug 885837 ***
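Added here as an example that is not part of the bug report: a small POSIX sh scanner that picks execmem process denials out of audit records like the one quoted above and maps them to the two booleans the thread names (virt_use_execmem when the denied domain is svirt_t, deny_execmem otherwise), printing the setsebool command to apply. The function names and the svirt_t/other split are my assumptions; the record it demos with is the one quoted in the report.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify SELinux AVC records for
# the case discussed above (execmem denied to qemu in svirt_t) and map them to
# the boolean the thread settled on, virt_use_execmem. An execmem denial in any
# other domain maps to the general deny_execmem boolean the thread also names.
# classify_avc LINE: print the boolean to check and return 0, or print
# "no-match" and return 1 when LINE is not an execmem process denial.
classify_avc() {
    case $1 in
        *avc:*denied*) ;;
        *) printf 'no-match\n'; return 1 ;;
    esac
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p')
    sdom=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    case " $perms " in *" execmem "*) ;; *) printf 'no-match\n'; return 1 ;; esac
    [ "$tclass" = process ] || { printf 'no-match\n'; return 1; }
    case $sdom in
        svirt_t) printf 'virt_use_execmem\n' ;;   # libvirt-launched guest
        *)       printf 'deny_execmem\n' ;;       # anything else, e.g. CLI runs
    esac
}
# remedy BOOLEAN: print the persistent setsebool command matching the thread's
# outcome; shows the current value first when the SELinux userland is present.
remedy() {
    command -v getsebool >/dev/null 2>&1 && getsebool "$1" 2>/dev/null
    case $1 in
        virt_use_execmem) printf 'setsebool -P virt_use_execmem on\n' ;;
        deny_execmem)     printf 'setsebool -P deny_execmem off\n' ;;
        *)                return 1 ;;
    esac
}
# scan: read audit records on stdin (e.g. from ausearch -m avc) and report each
# execmem denial once, with the boolean and the command to apply.
scan() {
    seen=
    while IFS= read -r rec; do
        b=$(classify_avc "$rec") || continue
        case " $seen " in *" $b "*) continue ;; esac
        seen="$seen $b"
        printf '%s: ' "$b"; remedy "$b"
    done
}
# The record below is the one quoted in the report; run with --demo to scan it.
SAMPLE_AVC='type=1400 audit(1332519770.482:36): avc: denied { execmem } for pid=25968 comm="qemu-system-arm" scontext=system_u:system_r:svirt_t:s0:c242,c604 tcontext=system_u:system_r:svirt_t:s0:c242,c604 tclass=process'
if [ "${1:-}" = --demo ]; then printf '%s\n' "$SAMPLE_AVC" | scan; fi
```

Pipe `ausearch -m avc` output into `scan` on the host to get the same classification for live records.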