+++ This bug was initially created as a clone of Bug #885836 +++

Description of problem:

The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (e.g. ARM-on-x86) we need to fall back to using QEMU's plain emulator TCG instead of KVM. Due to the nature of the emulator this requires using execmem. Currently we tell users to manually run

  # setsebool -P virt_use_execmem 1

This sucks because it is systemwide, so reduces confinement of all their VMs, not just the one that requires execmem.

I suggest we should have a new type svirt_tcg_t that extends 'svirt_t', just adding the 'execmem' privilege. The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type.

libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t' when running a non-KVM based guest. Then, after a release or two, we can kill off the execmem boolean completely.
Currently f18 policy has svirt_nokvm_t but no one uses it. I can change this to svirt_tcg_t and add a line to the virtual_domain_context file.
Ah, I never knew about that. I don't much mind what it is called as long as it exists :-) Anyway, adding it to virtual_domain_context means libvirt is isolated from the actual name.
Fixed in selinux-policy-3.11.1-62.fc18.noarch. I switched to using your type svirt_tcg_t and updated the virtual_domain_context. I will ask Miroslav to do a build.
https://www.redhat.com/archives/libvir-list/2012-December/msg00701.html
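The label selection proposed in this bug, sketched as an added example (not libvirt's or selinux-policy's code). It assumes line 1 of a virtual_domain_context-style file is the default context and line 2, when present, is the TCG context; the full context strings, function names and "kvm"/"qemu" type values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not libvirt's implementation.
# Assumption: line 1 = default (KVM) context, line 2 = TCG context (execmem allowed).

# select_domain_context FILE VIRT_TYPE
#   VIRT_TYPE "kvm" means hardware virtualization; anything else is treated as TCG.
select_domain_context() {
    ctx_file=$1
    virt_type=$2
    [ -r "$ctx_file" ] || { echo "cannot read $ctx_file" >&2; return 1; }

    # Ignore blank lines, then take the first two entries.
    default_ctx=$(sed -e '/^[[:space:]]*$/d' "$ctx_file" | sed -n '1p')
    tcg_ctx=$(sed -e '/^[[:space:]]*$/d' "$ctx_file" | sed -n '2p')

    [ -n "$default_ctx" ] || { echo "no context in $ctx_file" >&2; return 1; }

    if [ "$virt_type" = "kvm" ]; then
        # KVM guests never need execmem: keep the strict label.
        echo "$default_ctx"
    elif [ -n "$tcg_ctx" ]; then
        # Emulated guest: only this VM gets the execmem-capable type.
        echo "$tcg_ctx"
    else
        # Single-line file (policy without a TCG type): keep the default
        # label; execmem then still depends on the system-wide boolean.
        echo "$default_ctx"
    fi
}

# Constructed sample file with the two-line layout described in this bug.
make_sample_context_file() {
    sample_path=$(mktemp)
    printf '%s\n' 'system_u:system_r:svirt_t:s0' \
                  'system_u:system_r:svirt_tcg_t:s0' > "$sample_path"
    echo "$sample_path"
}

demo_file=$(make_sample_context_file)
echo "kvm guest : $(select_domain_context "$demo_file" kvm)"
echo "tcg guest : $(select_domain_context "$demo_file" qemu)"
rm -f "$demo_file"
```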
*** Bug 862335 has been marked as a duplicate of this bug. ***
libvirt-0.10.2.2-2.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-2.fc18
*** Bug 790526 has been marked as a duplicate of this bug. ***
libvirt-0.10.2.2-3.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/libvirt-0.10.2.2-3.fc18
libvirt-0.10.2.2-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.