Bug 885837

Summary: Use a svirt_nokvm_t type for any TCG based guests
Product: [Fedora] Fedora Reporter: Daniel Berrangé <berrange>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: berrange, cfergeau, clalancette, crobinso, dominick.grift, dwalsh, gholms, itamar, jforbes, jyang, laine, libvirt-maint, mgrepl, pbrobinson, rgb033809, veillard, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 885836 Environment:
Last Closed: 2013-01-06 20:13:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 885836    
Bug Blocks: 245418    

Description Daniel Berrangé 2012-12-10 18:38:20 UTC 
+++ This bug was initially created as a clone of Bug #885836 +++

Description of problem:
The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (eg ARM-on-x86) we need to fallback to using QEMU's plain emulator TCG instead of KVM. Due to the nature of the emulator this requires using execmem.

Currently we tell users to manually run

  # setsebool -P virt_use_execmem 1

This sucks because it is systemwide, so reduces confinement of all their VMs, not just the one that requires execmem.

I suggest we should have a new type

  svirt_tcg_t

that extends 'svirt_t', just adding the 'execmem' privilege.

The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type

libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t'  when running non-KVM based guest.

Then, after a release or two, we can kill off the execmem boolean completely.
Comment 1 Daniel Walsh 2012-12-10 19:02:43 UTC 
Currently f18 policy has svirt_nokvm_t but no one uses it, I can change this to svirt_tcg_t, and add a line to the virtual_domain_context file.
Comment 2 Daniel Berrangé 2012-12-10 19:04:58 UTC 
Ah, I never knew about that. I don't much mind what it is called as long as it exists :-)  Anyway adding it to virtual_domain_context means libvirt is isolated from the actual name
Comment 3 Daniel Walsh 2012-12-10 19:17:40 UTC 
Fixed in selinux-policy-3.11.1-62.fc18.noarch


I switched to using your type svirt_tcg_t and updated the virtual_domain_context

I will ask Miroslav to do a build.
Comment 4 Daniel Berrangé 2012-12-12 11:49:43 UTC 
https://www.redhat.com/archives/libvir-list/2012-December/msg00701.html
Comment 5 Cole Robinson 2012-12-12 14:59:14 UTC 
*** Bug 862335 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2012-12-16 20:05:30 UTC 
libvirt-0.10.2.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-2.fc18
Comment 7 Cole Robinson 2012-12-16 23:39:08 UTC 
*** Bug 790526 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Update System 2012-12-18 15:18:00 UTC 
libvirt-0.10.2.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-3.fc18
Comment 9 Fedora Update System 2012-12-20 05:38:07 UTC 
libvirt-0.10.2.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.