Red Hat Bugzilla – Bug 885837
Use a svirt_nokvm_t type for any TCG based guests
Last modified: 2013-01-06 15:13:15 EST
+++ This bug was initially created as a clone of Bug #885836 +++
Description of problem:
The current svirt_t type, correctly, refuses to allow the 'execmem' privilege for virtual machines. This is good when using KVM, but for non-native architectures (e.g. ARM-on-x86) we need to fall back to using QEMU's plain emulator TCG instead of KVM. Due to the nature of the emulator this requires using execmem.
Currently we tell users to manually run
# setsebool -P virt_use_execmem 1
This sucks because it is systemwide, so reduces confinement of all their VMs, not just the one that requires execmem.
I suggest we should have a new type that extends 'svirt_t', just adding the 'execmem' privilege.
The /etc/selinux/targeted/contexts/virtual_domain_context file can be extended to have 2 lines, the second listing the new svirt_tcg_t type
libvirt's QEMU driver should then be modified to automatically default to 'svirt_tcg_t' when running non-KVM based guests.
Then, after a release or two, we can kill off the execmem boolean completely.
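To make the proposal above concrete, here is an added shell example; it is not code from libvirt or the selinux-policy package. It assumes the two-line virtual_domain_context layout described in this report (line 1 is the default type for KVM guests, line 2 the type for TCG guests), assumes libvirt's `<seclabel>` `baselabel` element for pinning a single domain to a base type, and uses constructed sample text in place of the real `virtual_domain_context` file, `ps -eZ` output and `getsebool` output so it runs offline. On a Fedora 18 host the same functions can be fed the real commands to verify that only the TCG guest runs as svirt_tcg_t while the system-wide boolean stays off.

```shell
#!/bin/sh
# Added example for Bug 885837; not code from libvirt or selinux-policy.
# Assumption: post-fix virtual_domain_context has the KVM (default) type on
# line 1 and the TCG type on line 2, as proposed in the report.

# Constructed sample of /etc/selinux/targeted/contexts/virtual_domain_context
# after the fix. On a real host: cat /etc/selinux/targeted/contexts/virtual_domain_context
SAMPLE_VDC="system_u:system_r:svirt_t:s0
system_u:system_r:svirt_tcg_t:s0"

# Constructed sample of 'ps -eZ' (LABEL PID TTY TIME CMD): two KVM guests,
# one TCG (ARM-on-x86) guest, and libvirtd itself. On a real host: ps -eZ
SAMPLE_PS="system_u:system_r:svirt_t:s0:c12,c34     1201 ?  00:00:10 qemu-kvm
system_u:system_r:svirt_t:s0:c56,c78     1202 ?  00:00:09 qemu-kvm
system_u:system_r:svirt_tcg_t:s0:c9,c99  1203 ?  00:00:42 qemu-system-arm
system_u:system_r:virtd_t:s0             1100 ?  00:00:01 libvirtd"

# Constructed sample of 'getsebool virt_use_execmem' with the boolean off.
SAMPLE_BOOL="virt_use_execmem --> off"

# domain_label kvm|tcg : print the base label libvirt would use for a guest of
# that kind, reading virtual_domain_context text from stdin. A pre-fix file
# with only one line yields line 1 for both kinds (TCG would then fail
# without the execmem boolean).
domain_label() {
    case "$1" in
        kvm) want=1 ;;
        tcg) want=2 ;;
        *) echo "usage: domain_label kvm|tcg" >&2; return 2 ;;
    esac
    awk -v want="$want" '
        NR == 1    { first = $0 }
        NR == want { print; found = 1 }
        END        { if (!found && first != "") print first }'
}

# seclabel_xml LABEL : emit the libvirt domain XML fragment that pins one
# domain to LABEL as its dynamic base type (libvirt "baselabel" syntax),
# instead of flipping the system-wide virt_use_execmem boolean.
seclabel_xml() {
    printf "<seclabel type='dynamic' model='selinux'>\n  <baselabel>%s</baselabel>\n</seclabel>\n" "$1"
}

# count_type TYPE : count processes in 'ps -eZ' text (stdin) whose SELinux
# context carries exactly TYPE (":svirt_t:" does not match ":svirt_tcg_t:").
count_type() {
    awk -v t="$1" 'index($1, ":" t ":") { n++ } END { print n + 0 }'
}

# bool_state : print "on" or "off" from 'getsebool <name>' text on stdin.
bool_state() {
    awk '{ print $NF }'
}

# Demo run against the constructed samples.
kvm_label=$(printf '%s\n' "$SAMPLE_VDC" | domain_label kvm)
tcg_label=$(printf '%s\n' "$SAMPLE_VDC" | domain_label tcg)
echo "KVM guests get base type: $kvm_label"
echo "TCG guests get base type: $tcg_label"
echo "Per-domain pin for an ARM-on-x86 guest:"
seclabel_xml "$tcg_label"
echo "Running as svirt_t:     $(printf '%s\n' "$SAMPLE_PS" | count_type svirt_t)"
echo "Running as svirt_tcg_t: $(printf '%s\n' "$SAMPLE_PS" | count_type svirt_tcg_t)"
echo "virt_use_execmem is $(printf '%s\n' "$SAMPLE_BOOL" | bool_state) (should stay off once TCG guests use svirt_tcg_t)"
```

The check worth running after updating to a libvirt that reads the second line: start one TCG guest and one KVM guest, confirm with `ps -eZ` that only the TCG guest's qemu process carries svirt_tcg_t, then `setsebool -P virt_use_execmem 0` and confirm the TCG guest still starts. If the file has only one line, `domain_label tcg` falls back to svirt_t, which is the pre-fix behaviour that forced the system-wide boolean.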
Currently f18 policy has svirt_nokvm_t but no one uses it, I can change this to svirt_tcg_t, and add a line to the virtual_domain_context file.
Ah, I never knew about that. I don't much mind what it is called as long as it exists :-) Anyway adding it to virtual_domain_context means libvirt is isolated from the actual name
Fixed in selinux-policy-3.11.1-62.fc18.noarch
I switched to using your type svirt_tcg_t and updated the virtual_domain_context
I will ask Miroslav to do a build.
*** Bug 862335 has been marked as a duplicate of this bug. ***
libvirt-0.10.2.2-2.fc18 has been submitted as an update for Fedora 18.
*** Bug 790526 has been marked as a duplicate of this bug. ***
libvirt-0.10.2.2-3.fc18 has been submitted as an update for Fedora 18.
libvirt-0.10.2.2-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.