Bug 433672 - qemu-kvm throws lots of AVCs running WinXP....
Summary: qemu-kvm throws lots of AVCs running WinXP....
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2008-02-20 19:37 UTC by Tom London
Modified: 2008-02-26 21:39 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-26 21:39:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
AVCs from "qemu-kvm" of WinXP gtuest (14.34 KB, text/plain)
2008-02-20 19:38 UTC, Tom London
no flags Details

Description Tom London 2008-02-20 19:37:13 UTC
Description of problem:
Running selinux-policy-targeted-3.2.8-2.fc9.noarch targeted/permissive, I get
the following running a WinXP image (AVCs attached):

#============= qemu_t ==============
allow qemu_t http_port_t:tcp_socket name_connect;
allow qemu_t inaddr_any_node_t:udp_socket node_bind;
allow qemu_t kerberos_port_t:tcp_socket name_connect;
allow qemu_t ldap_port_t:tcp_socket name_connect;
allow qemu_t port_t:tcp_socket name_connect;
allow qemu_t reserved_port_t:tcp_socket name_connect;
allow qemu_t self:udp_socket { write bind create read getattr };
allow qemu_t smbd_port_t:tcp_socket name_connect;

I suspect there will be more, as I "exercise" the WinXP guest.

What I did: ran "qemu-kvm -m 400 image", logged in to windows domain, started
outlook, started browser (IE, sigh).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Start guest: qemu-kvm -m 400 image
2.  login to domain
3.  start Outlook, start browser
Actual results:

Expected results:

Additional info:

Comment 1 Tom London 2008-02-20 19:38:16 UTC
Created attachment 295443 [details]
AVCs from "qemu-kvm" of WinXP gtuest

Comment 2 Daniel Walsh 2008-02-20 21:36:52 UTC
So I guess we need a boolean that says we are allowed to connect to anyport. 
This is interesting though.  Since we can begin to confine WinXP with
qemu/selinux.  If I want to write the policy equivalent of xguest for XP, I
would write a policy that runs qemu in a domain that is only allowed to connect
to the http ports/dns/ftp ports.

SELinux confining Windows...

Comment 3 Daniel Walsh 2008-02-20 21:40:08 UTC
What kind of networking did you setup to get this?

Comment 4 Tom London 2008-02-20 21:45:53 UTC
We'll have to call it SEWindows..... Wonder if they've already locked in a
trademark for that .... ;)

Comment 5 Tom London 2008-02-20 21:53:23 UTC
Network setup..... I believe I'm using whatever is the default.

The XP guest thinks it is connected to

The host is running on

I don't think I've ever specified any "-net" options..... Thinks the device is a
RealTek rtl8139.

I presume it is NAT-ing, but not sure.

Comment 6 Daniel Walsh 2008-02-26 21:39:54 UTC
allow_qemu_full_network boolean available in 


Note You need to log in before you can comment on or make changes to this bug.