885837 – Use a svirt_nokvm_t type for any TCG based guests

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 885837 - Use a svirt_nokvm_t type for any TCG based guests

Summary: Use a svirt_nokvm_t type for any TCG based guests

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	libvirt
Sub Component:
Version:	18
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Libvirt Maintainers
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	790526 862335 (view as bug list)
Depends On:	885836
Blocks:	ARMTracker
TreeView+	depends on / blocked

Reported:	2012-12-10 18:38 UTC by Daniel Berrangé
Modified:	2013-01-06 20:13 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	885836
Environment:
Last Closed:	2013-01-06 20:13:15 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Berrangé 2012-12-10 18:38:20 UTC

+++ This bug was initially created as a clone of Bug #885836 +++

Description of problem:
The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (eg ARM-on-x86) we need to fallback to using QEMU's plain emulator TCG instead of KVM. Due to the nature of the emulator this requires using execmem.

Currently we tell users to manually run

  # setsebool -P virt_use_execmem 1

This sucks because it is systemwide, so reduces confinement of all their VMs, not just the one that requires execmem.

I suggest we should have a new type

  svirt_tcg_t

that extends 'svirt_t', just adding the 'execmem' privilege.

The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type

libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t'  when running non-KVM based guest.

Then, after a release or two, we can kill off the execmem boolean completely.

Comment 1 Daniel Walsh 2012-12-10 19:02:43 UTC

Currently f18 policy has svirt_nokvm_t but no one uses it, I can change this to svirt_tcg_t, and add a line to the virtual_domain_context file.

Comment 2 Daniel Berrangé 2012-12-10 19:04:58 UTC

Ah, I never knew about that. I don't much mind what it is called as long as it exists :-)  Anyway adding it to virtual_domain_context means libvirt is isolated from the actual name

Comment 3 Daniel Walsh 2012-12-10 19:17:40 UTC

Fixed in selinux-policy-3.11.1-62.fc18.noarch


I switched to using your type svirt_tcg_t and updated the virtual_domain_context

I will ask Miroslav to do a build.

Comment 4 Daniel Berrangé 2012-12-12 11:49:43 UTC

https://www.redhat.com/archives/libvir-list/2012-December/msg00701.html

Comment 5 Cole Robinson 2012-12-12 14:59:14 UTC

*** Bug 862335 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2012-12-16 20:05:30 UTC

libvirt-0.10.2.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-2.fc18

Comment 7 Cole Robinson 2012-12-16 23:39:08 UTC

*** Bug 790526 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2012-12-18 15:18:00 UTC

libvirt-0.10.2.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-3.fc18

Comment 9 Fedora Update System 2012-12-20 05:38:07 UTC

libvirt-0.10.2.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.