Bug 885836 - Create a svirt_tcg_t type extending svirt_t to allow execmem
Summary: Create a svirt_tcg_t type extending svirt_t to allow execmem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 885837
Reported: 2012-12-10 18:36 UTC by Daniel Berrangé
Modified: 2013-04-01 18:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 885837 (view as bug list)
Environment:
Last Closed: 2013-04-01 18:38:55 UTC
Type: Bug
Embargoed:



Description Daniel Berrangé 2012-12-10 18:36:59 UTC
Description of problem:
The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (e.g. ARM-on-x86) we need to fall back to using QEMU's plain emulator TCG instead of KVM. Due to the nature of the emulator this requires using execmem.

Currently we tell users to manually run

  # setsebool -P virt_use_execmem 1

This sucks because it is systemwide, so reduces confinement of all their VMs, not just the one that requires execmem.

I suggest we should have a new type

  svirt_tcg_t

that extends 'svirt_t', just adding the 'execmem' privilege.

The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type

libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t' when running non-KVM based guests.

Then, after a release or two, we can kill off the execmem boolean completely.
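
As an added example (not libvirt's own code, which is C), here is the selection logic the description proposes: parse the two-line virtual_domain_context and hand the execmem-capable second entry only to non-KVM (TCG) guests, keeping KVM guests on the first, most confined entry. The file contents and the single-line fallback case are constructed for the example.

```python
"""Pick a guest's SELinux base context from virtual_domain_context.

Layout proposed in the bug: line 1 is the default (KVM) domain type,
line 2 the execmem-capable TCG type.  Constructed example, not libvirt code.
"""
import re

# Constructed sample contents of /etc/selinux/targeted/contexts/virtual_domain_context
SAMPLE_TWO_LINE = "system_u:system_r:svirt_t:s0\nsystem_u:system_r:svirt_tcg_t:s0\n"
SAMPLE_ONE_LINE = "system_u:system_r:svirt_t:s0\n"  # policy without the new type

# user:role:type:level, where the level itself may contain ':' (e.g. s0:c12,c34)
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+):(\S+)$")


def parse_virtual_domain_context(text):
    """Return a list of (user, role, type) tuples, skipping blanks and # comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CONTEXT_RE.match(line)
        if not m:
            raise ValueError("malformed context line: %r" % line)
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def select_domain_context(text, uses_kvm, mcs="s0"):
    """Return (context, tcg_type_available) for one guest.

    KVM guests always get the first entry.  TCG guests get the second entry
    when the file provides one; otherwise they fall back to the first entry
    and the flag is False, telling the caller that the guest will only run
    with the system-wide virt_use_execmem boolean (the thing the bug wants
    to retire).  'mcs' is the per-guest category label libvirt would append.
    """
    entries = parse_virtual_domain_context(text)
    if not entries:
        raise ValueError("virtual_domain_context has no entries")
    if uses_kvm:
        user, role, typ = entries[0]
        tcg_ok = True          # KVM never needs execmem, nothing is missing
    elif len(entries) >= 2:
        user, role, typ = entries[1]
        tcg_ok = True
    else:
        user, role, typ = entries[0]
        tcg_ok = False
    return "%s:%s:%s:%s" % (user, role, typ, mcs), tcg_ok
```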

Comment 1 Daniel Walsh 2012-12-10 19:43:02 UTC
Fixed in selinux-policy-3.11.1-62.fc18.noarch


I switched to using your type svirt_tcg_t and updated the virtual_domain_context

I will ask Miroslav to do a build.

You can try this out on your machine now.

# cat myvirt.te
policy_module(myvirt, 1.0)
gen_require(`
role system_r;
')

# Declare svirt_tcg_t with the same base rules svirt_t gets from the shared template
virt_domain_template(svirt_tcg)
role system_r types svirt_tcg_t;

# The one addition over svirt_t: the TCG emulator needs execmem (and execstack)
allow svirt_tcg_t self:process { execmem execstack };
# Network permissions for the guest (UDP send/receive and bind, TCP bind and connect)
corenet_udp_sendrecv_generic_if(svirt_tcg_t)
corenet_udp_sendrecv_generic_node(svirt_tcg_t)
corenet_udp_sendrecv_all_ports(svirt_tcg_t)
corenet_udp_bind_generic_node(svirt_tcg_t)
corenet_udp_bind_all_ports(svirt_tcg_t)
corenet_tcp_bind_all_ports(svirt_tcg_t)
corenet_tcp_connect_all_ports(svirt_tcg_t)

# Build the module package and load it into the running policy
# make -f /usr/share/selinux/devel/Makefile myvirt.pp
# semodule -i myvirt.pp

Comment 2 Daniel Berrangé 2012-12-12 11:46:28 UTC
This seems to work ok when libvirtd is running 'virtd_t', but it doesn't work if libvirtd is 'unconfined_t'.  IIRC, we put in a special case to allow a transition from unconfined_t -> svirt_t, so we need the same for svirt_tcg_t.

Comment 3 Daniel Walsh 2012-12-13 15:28:25 UTC
Yup, I've got to fix the virt_transition_svirt interface to include all virt_domains, not just svirt_t.

Comment 4 Cole Robinson 2012-12-16 19:07:27 UTC
(In reply to comment #1)
> Fixed in selinux-policy-3.11.1-62.fc18.noarch
> 
> 
> I switched to using your type svirt_tcg_t and updated the
> virtual_domain_context
> 

Actually it doesn't look like virtual_domain_context was updated. There's a commit that claims it does just that, but:

$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.11.1-62.fc18.noarch
$ cat /etc/selinux/targeted/contexts/virtual_domain_context
system_u:system_r:svirt_t:s0

Please also make that change in F17 as well

Comment 5 Miroslav Grepl 2012-12-16 20:09:41 UTC
Yes, you are right. It is going to be fixed.

Comment 6 Miroslav Grepl 2012-12-16 23:05:03 UTC
Fixed in selinux-policy-3.11.1-65.fc18

