Description of problem:
SELinux is generating AVC error messages when trying to create (final step, after clicking Finish) or start a virtual machine, when TLS is enabled in qemu.conf and a properly configured PKI infrastructure exists. The AVCs point towards incorrect contexts on /dev/random, which TLS requires access to for entropy in the encryption mechanisms.

Version-Release number of selected component (if applicable):
Not applicable

How reproducible:
100%

Steps to Reproduce:
1. Install a RHEL5 update 4 machine (any method)
2. Ensure SELinux is enabled (enforcing) & contexts are set correctly
3. Install kvm/qemu-kvm/virt-manager packages
4. Configure qemu/libvirt per http://virt-manager.org/page/RemoteTLS & http://libvirt.org/remote.html
5. Create a VM using virt-manager.

Actual results:
The VM fails to start.

The vm log shows:
Fatal: no entropy gathering module detected

An AVC message in audit.log:
type=AVC msg=audit(1258941984.816:4192): avc: denied { read } for pid=7693 comm="qemu-kvm" name="random" dev=tmpfs ino=7644 scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

Expected results:
The VM should start cleanly and access to /dev/random should be allowed for entropy to be gathered.

Additional info:
We need to set up the SELinux policy to allow qemu access to both random and urandom when it is using TLS for VNC connections.

The reason: qemu-kvm uses gnutls, gnutls depends on libgcrypt. libgcrypt defaults to rndlinux as the random module, i.e. as described in the documentation for gcrypt: http://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html

The way gcrypt works is that it tries rndlinux first. Essentially by design rndlinux needs both /dev/random and /dev/urandom available to work correctly: it guarantees that 16 bytes of entropy is gathered from urandom, the rest gathered from random.
If rndlinux fails to access the rndlinux devices, it tries other devices, and if there are no other random device generators available it will fail with the error message: Fatal: no entropy gathering module detected

The bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=505016 has in it a fix that could potentially be applied to RHEL 5 policy.
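To triage denials like the one quoted above, here is an added example (not from the bug report or the selinux-policy package) that parses an AVC line from audit.log, flags whether it is a refusal to read one of the entropy devices rndlinux depends on, and derives the minimal TE rule that would satisfy exactly that denial; the type names and the sample line are taken from the report, and urandom_device_t is the standard policy type for /dev/urandom.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC line quoted in the bug report.
AVC_LINE = (
    'type=AVC msg=audit(1258941984.816:4192): avc: denied { read } for pid=7693 '
    'comm="qemu-kvm" name="random" dev=tmpfs ino=7644 '
    'scontext=user_u:system_r:qemu_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file'
)

# Entropy devices that libgcrypt's rndlinux module opens (per the bug report).
ENTROPY_TYPES = {'random_device_t', 'urandom_device_t'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcDenial:
    perms: list        # e.g. ['read']
    fields: dict       # pid, comm, name, scontext, tcontext, tclass, ...

    def type_of(self, key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[key].split(':')[2]

    def allow_rule(self):
        # The minimal TE rule that would satisfy exactly this denial.
        return 'allow %s %s:%s { %s };' % (
            self.type_of('scontext'), self.type_of('tcontext'),
            self.fields['tclass'], ' '.join(self.perms))


def parse_avc(line):
    """Parse one audit.log line; return an AvcDenial or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {k: q or u for k, q, u in KV_RE.findall(m.group('fields'))}
    return AvcDenial(perms, fields)


def is_entropy_denial(d):
    """True when a domain was refused access to /dev/random or /dev/urandom."""
    return d.fields.get('tclass') == 'chr_file' and d.type_of('tcontext') in ENTROPY_TYPES


if __name__ == '__main__':
    d = parse_avc(AVC_LINE)
    print(d.fields['comm'], 'blocked on', d.type_of('tcontext'), '->', d.allow_rule())
```

Since rndlinux needs both devices, a qemu_t denial on random_device_t should prompt a check that urandom_device_t read access is granted as well, rather than fixing only the device named in the first AVC.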
Miroslav, the qemu and svirt policy both need this access as defined in F12.
Fixed in selinux-policy-2.4.6-271.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html