Hello Mika,
there is also a boolean 'virt_use_execmem' which does
a similar thing (allow execmem and execstack) but in a different
domain: setting this to on also does not change things.
The attached patch solves the problem for me.
I'm not sure why 'execstack' was not included in the appropriate rule
- execmem already is.
And also I'm not sure if this can be a general way to fix this:
I don't have enough knowledge about libvirtd.
Nevertheless:
when applying the patch to the selinux-policy-default and installing
the new version, two more errors pop up:
Aug 18 10:31:22 nestor libvirtd[866]: An SELinux policy prevents this sender
from sending this message to this recipient, 0 matched rules;
type="method_call", sender=":1.4" (uid=0 pid=866 comm="/usr/sbin/libvirtd ")
interface="org.freedesktop.login1.Manager" member="CanSuspend" error
name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0
pid=672 comm="/lib/systemd/systemd-logind ")
Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management
capabilities
Aug 18 10:31:22 nestor libvirtd[866]: Unable to open /dev/net/tun, is tun
module loaded?: No such file or directory
The first one is IMHO a minor problem (it's not nice, but it should run without
this info).
The second one prevents VMs from being started (therefore it's IMHO an important
one).
Should I create two new bug reports for these things? (This would IMHO be
better than discussing some problems in the same thread.)
Kind regards
Andre
===
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index cb868d5..e1a36fb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -412,7 +412,7 @@ corenet_tcp_connect_all_ports(svirt_t)
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull
execmem execstack setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom
relabelto };
allow virtd_t self:tcp_socket { accept listen };
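Review bot: the added execstack permission in the virtd_t self:process rule is granted unconditionally, while the mail itself notes that the existing 'virt_use_execmem' boolean already gates execmem/execstack for another domain; consider putting this grant under a tunable (or the existing boolean, if its scope can be widened) rather than always allowing an executable stack for libvirtd, since self:process execstack removes the non-executable-stack protection for the whole daemon. The change also carries no comment explaining which component of libvirtd needs an executable stack (the author says they are not sure why execstack was previously omitted); the policy rule should cite the triggering denial or library so a maintainer can later drop the permission when it is no longer needed.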
_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel