Red Hat Bugzilla – Full Text Bug Listing
Summary: Use a svirt_nokvm_t type for any TCG based guests
Product: Fedora
Component: libvirt
Version: 18
Status: CLOSED CURRENTRELEASE
Type: Bug
Doc Type: Bug Fix
Reporter: Daniel Berrange <berrange>
Assignee: Libvirt Maintainers <libvirt-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: berrange, cfergeau, clalancette, crobinso, dominick.grift, dwalsh, gholms, itamar, jforbes, jyang, laine, libvirt-maint, mgrepl, pbrobinson, rgb033809, veillard, virt-maint
Last Closed: 2013-01-06 15:13:15 EST
Bug Depends On: 885836
Description Daniel Berrange 2012-12-10 13:38:20 EST
+++ This bug was initially created as a clone of Bug #885836 +++

Description of problem:

The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (e.g. ARM-on-x86) we need to fall back to using QEMU's plain emulator, TCG, instead of KVM. Due to the nature of the emulator this requires using execmem. Currently we tell users to manually run

    # setsebool -P virt_use_execmem 1

This sucks because it is systemwide, so it reduces confinement of all their VMs, not just the one that requires execmem.

I suggest we should have a new type svirt_tcg_t that extends 'svirt_t', just adding the 'execmem' privilege. The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type. libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t' when running non-KVM based guests. Then, after a release or two, we can kill off the execmem boolean completely.
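The point of the report above is per-guest confinement: a TCG guest needs execmem, a KVM guest does not, and a system-wide boolean gives it to both. The script below is an added example for checking that on a host; it is not libvirt or selinux-policy code and is not from the bug. It reads lines in the shape of `ps -eo label,pid,args` (SELinux context, PID, command line) together with the state of the virt_use_execmem boolean (as reported by `getsebool virt_use_execmem`), decides for each QEMU process whether it was started with KVM acceleration or is running under TCG, and reports guests whose type does not match. The type names svirt_t and svirt_tcg_t are taken from the report; the command-line forms treated as KVM (-enable-kvm, -machine/-M ...,accel=kvm, -accel kvm) and the sample process lines are my assumptions, constructed for the example.

```python
#!/usr/bin/env python3
"""Audit QEMU processes against the svirt_t / svirt_tcg_t split.

Added example, not libvirt or selinux-policy code. Consumes lines shaped like
`ps -eo label,pid,args` plus the virt_use_execmem boolean and reports:
  * a TCG guest confined as svirt_t (needs execmem: denied, or carried only
    by the system-wide boolean);
  * a KVM guest confined as svirt_tcg_t (execmem granted but never needed);
  * any guest while virt_use_execmem is on (system-wide loosening).
Assumed (not from the bug): the KVM command-line forms matched below.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple

KVM_TYPE = "svirt_t"      # strict type, no execmem (name from the bug report)
TCG_TYPE = "svirt_tcg_t"  # svirt_t plus execmem (name from the bug report)
_KVM_ACCEL = re.compile(r"(^|[,=])kvm(,|$)")  # matches "kvm", "accel=kvm,usb=off", ...


@dataclass
class Finding:
    pid: int
    label_type: str   # type field of the context, e.g. svirt_t
    accel: str        # "kvm" or "tcg"
    problem: str      # empty when the label matches the accelerator


def accel_of(argv: List[str]) -> str:
    """Return "kvm" if the QEMU command line requests KVM acceleration, else "tcg"."""
    for i, arg in enumerate(argv):
        if arg == "-enable-kvm":
            return "kvm"
        if arg in ("-machine", "-M", "-accel") and i + 1 < len(argv):
            if _KVM_ACCEL.search(argv[i + 1]):
                return "kvm"
    return "tcg"  # no accelerator requested: QEMU falls back to TCG


def parse_ps_line(line: str) -> Tuple[str, int, List[str]]:
    """Split 'label pid args...' into (type, pid, argv)."""
    label, pid, cmd = line.split(None, 2)
    parts = label.split(":")           # user:role:type:level[:categories]
    label_type = parts[2] if len(parts) >= 3 else label  # "-" when unlabelled
    return label_type, int(pid), shlex.split(cmd)


def audit(ps_lines, virt_use_execmem: bool) -> List[Finding]:
    """Check every qemu process; anything that is not qemu is skipped."""
    findings = []
    for raw in ps_lines:
        line = raw.strip()
        if not line:
            continue
        label_type, pid, argv = parse_ps_line(line)
        if not argv or "qemu" not in argv[0]:
            continue
        accel = accel_of(argv)
        problem = ""
        if accel == "tcg" and label_type == KVM_TYPE:
            problem = ("TCG guest confined as svirt_t: execmem will be denied"
                       if not virt_use_execmem else
                       "TCG guest confined as svirt_t: runs only because "
                       "virt_use_execmem is on; relabel as svirt_tcg_t")
        elif accel == "kvm" and label_type == TCG_TYPE:
            problem = "KVM guest confined as svirt_tcg_t: execmem granted but not needed"
        elif virt_use_execmem:
            problem = ("virt_use_execmem=on: system-wide execmem for svirt_t guests; "
                       "turn it off once TCG guests run as svirt_tcg_t")
        findings.append(Finding(pid, label_type, accel, problem))
    return findings


# Constructed sample in `ps -eo label,pid,args` shape (not captured from a real host).
SAMPLE_PS = """\
system_u:system_r:svirt_t:s0:c12,c34 2101 /usr/bin/qemu-kvm -name f18-x86 -enable-kvm -m 1024
system_u:system_r:svirt_t:s0:c56,c78 2145 /usr/bin/qemu-system-arm -name f18-arm -M vexpress-a9 -m 512
system_u:system_r:svirt_tcg_t:s0:c90,c91 2199 /usr/bin/qemu-system-arm -name f18-arm2 -machine vexpress-a9,accel=tcg -m 512
system_u:system_r:svirt_tcg_t:s0:c1,c2 2230 /usr/bin/qemu-kvm -name wrong -machine pc,accel=kvm,usb=off -m 2048
unconfined_u:unconfined_r:unconfined_t:s0 2300 /bin/bash
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PS.splitlines(), virt_use_execmem=False):
        print(f"pid {f.pid}: {f.label_type:12s} {f.accel:4s} {f.problem or 'ok'}")
```

On a live host, replace SAMPLE_PS with the output of `ps -eo label,pid,args` and pass `getsebool virt_use_execmem` reporting "on" as `virt_use_execmem=True`. With the boolean off, the second sample guest (TCG under svirt_t) is the one the bug describes: it is correctly confined but cannot run; after the fix libvirt would have started it as svirt_tcg_t instead. The fourth line shows the opposite mismatch, a KVM guest given the wider type.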
Comment 1 Daniel Walsh 2012-12-10 14:02:43 EST
Currently f18 policy has svirt_nokvm_t but no one uses it. I can change this to svirt_tcg_t and add a line to the virtual_domain_context file.
Comment 2 Daniel Berrange 2012-12-10 14:04:58 EST
Ah, I never knew about that. I don't much mind what it is called as long as it exists :-) Anyway, adding it to virtual_domain_context means libvirt is isolated from the actual name.
Comment 3 Daniel Walsh 2012-12-10 14:17:40 EST
Fixed in selinux-policy-3.11.1-62.fc18.noarch. I switched to using your type svirt_tcg_t and updated the virtual_domain_context. I will ask Miroslav to do a build.
Comment 4 Daniel Berrange 2012-12-12 06:49:43 EST
Comment 5 Cole Robinson 2012-12-12 09:59:14 EST
*** Bug 862335 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2012-12-16 15:05:30 EST
libvirt-0.10.2.2-2.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-2.fc18
Comment 7 Cole Robinson 2012-12-16 18:39:08 EST
*** Bug 790526 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Update System 2012-12-18 10:18:00 EST
libvirt-0.10.2.2-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-3.fc18
Comment 9 Fedora Update System 2012-12-20 00:38:07 EST
libvirt-0.10.2.2-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.