Hi Qunfang, You did a good job in [1] testing that all the SELinux policies work. Can you test RHEL 7, or guide someone to test it? Thanks, Amos [1] https://bugzilla.redhat.com/show_bug.cgi?id=839832#c10
I have tested it myself; clearing the needinfo flag.
Hi Miroslav, We added some SELinux policy that affects read/write permission of /usr/bin/qemu-ga in the guest. How can we enable/disable this single policy (affecting only qemu-ga)? Enabling/disabling SELinux by changing /etc/sysconfig/selinux will affect all the policies. Thanks, Amos
(In reply to Amos Kong from comment #7)
> Hi Miroslav,
>
> We added some SELinux policy that affects read/write permission of
> /usr/bin/qemu-ga in the guest.

Which one?

> How can we enable/disable this single policy (affecting only
> qemu-ga)?

You can add a local policy module with rules.

> Enabling/disabling SELinux by changing /etc/sysconfig/selinux will
> affect all the policies.
>
> Thanks, Amos
You can do something like

semodule -n -i qemuga_local.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
fi;
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

* Disable the qemu-ga policies by changing the qemu-ga security context to the default 'bin_t'

[root@localhost ~]# chcon -t bin_t /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/qemu-ga

* Restart the qemu-ga service

[root@localhost ~]# service qemu-guest-agent restart

* Restore the security context to virt_qemu_ga_exec_t; the policies take effect again.

[root@localhost ~]# restorecon /usr/bin/qemu-ga
[root@localhost ~]# ls -lZ /usr/bin/qemu-ga
-rwxr-xr-x. root root system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga

Actually we need to enable the qemu-ga policies all the time: they both enable some useful (for security) AVC messages and suppress some useless (for legal behavior) AVC messages.
I would suggest making virt_qemu_ga_t permissive if there is a problem.

# semanage permissive -a virt_qemu_ga_t

This causes nothing to be blocked for this type, while AVC messages are still generated.
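The three knobs discussed in this thread (relabelling the binary to bin_t so qemu-ga no longer transitions into its confined domain, restoring the label with restorecon, and making the virt_qemu_ga_t domain permissive) collected into one script, as an added example that is not part of the bug report or of the qemu-ga/selinux-policy projects. It assumes only what the thread states: the binary at /usr/bin/qemu-ga, the qemu-guest-agent service, the file type virt_qemu_ga_exec_t, the fallback type bin_t and the process domain virt_qemu_ga_t. The helper functions that classify a label are pure string handling and can be checked without SELinux; the functions that change state need root on an SELinux-enabled guest. The labels passed to them in the usage below are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumed names, all taken from the
# thread above: binary path, service name, file types and process domain.
QEMU_GA_BIN=/usr/bin/qemu-ga
QEMU_GA_SERVICE=qemu-guest-agent
CONFINED_TYPE=virt_qemu_ga_exec_t   # default label: qemu-ga runs confined
UNCONFINED_TYPE=bin_t               # relabel target: no domain transition
QEMU_GA_DOMAIN=virt_qemu_ga_t       # process domain to make permissive

# A label is user:role:type:level; the third field is the type.
# -s drops input without a ':' (e.g. the "?" stat prints without SELinux).
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Classify a file label: confined / unconfined / unlabelled / other:<type>.
policy_state_for() {
    t=$(context_type "$1")
    case "$t" in
        "$CONFINED_TYPE")   echo confined ;;
        "$UNCONFINED_TYPE") echo unconfined ;;
        "")                 echo unlabelled ;;
        *)                  echo "other:$t" ;;
    esac
}

# Current label on the binary; `stat -c %C` prints the SELinux context.
current_state() {
    policy_state_for "$(stat -c %C "$QEMU_GA_BIN")"
}

require_selinux() {
    /usr/sbin/selinuxenabled 2>/dev/null && return 0
    echo "SELinux is not enabled; nothing to toggle" >&2
    return 1
}

# Disable the qemu-ga policy for this binary only: with the bin_t label the
# daemon no longer transitions into virt_qemu_ga_t when restarted.
disable_policy() {
    require_selinux || return 1
    chcon -t "$UNCONFINED_TYPE" "$QEMU_GA_BIN" || return 1
    service "$QEMU_GA_SERVICE" restart
}

# Re-enable: restorecon puts the policy's default label back. Note that any
# filesystem relabel does the same, so chcon is a temporary switch, not
# configuration.
enable_policy() {
    require_selinux || return 1
    restorecon "$QEMU_GA_BIN" || return 1
    service "$QEMU_GA_SERVICE" restart
}

# Alternative that keeps the transition: the domain stays confined on paper,
# denials are logged as AVC messages, but nothing is blocked.
make_domain_permissive() {
    require_selinux || return 1
    semanage permissive -a "$QEMU_GA_DOMAIN"
}

# Dispatcher; with no argument the script only defines the functions, so it
# can be sourced and the pure helpers exercised on sample labels:
#   policy_state_for 'system_u:object_r:virt_qemu_ga_exec_t:s0'   -> confined
#   policy_state_for 'system_u:object_r:bin_t:s0'                 -> unconfined
case "${1:-}" in
    status)     echo "qemu-ga policy: $(current_state)" ;;
    disable)    disable_policy ;;
    enable)     enable_policy ;;
    permissive) make_domain_permissive ;;
    "")         : ;;
    *)          echo "usage: $0 status|enable|disable|permissive" >&2; exit 2 ;;
esac
```

Run it as `sh qemu-ga-policy.sh status` to see which of the two labels the binary currently carries, then `disable`, `enable` or `permissive` as root. The relabel approach only works because the transition into virt_qemu_ga_t is keyed on the file type of the executable; a proper per-feature switch is what the follow-up SELinux bug mentioned later in this thread asks for as a boolean.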
As we discussed on the mailing list, I opened a new SELinux bug [1] to add a new boolean to enable/disable the qemu-ga policies, and we will add documentation via the release notes. So I'm closing this qemu-kvm doc bug. [1] Bug 1071981 - introduce a SELinux boolean to enable/disable guest file access from qemu-ga