On Sat, Jul 21, 2012 at 09:43:45PM +0100, Richard W.M. Jones wrote:
> (3) SELinux/sVirt prevents qemu connecting to this socket. This one
> is a pain. You'd think that if a socket is specified in the libvirt
> XML then sVirt should allow access to it.

The AVCs are:

type=AVC msg=audit(1342903120.938:9403): avc: denied { write } for pid=21757 comm="qemu-kvm" name="guestfsd.sock" dev="dm-4" ino=939761 scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1342903120.938:9403): avc: denied { connectto } for pid=21757 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsDDwHEF/guestfsd.sock" scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;
allow svirt_t user_home_t:sock_file write;

I might be able to solve this by labelling the socket, but I'm not
clear what label to use. Also that won't work if the main process is
non-root but has permissions to access the global libvirtd - we'd
really need libvirtd to do the labelling.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/
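
An added example, not part of the original message and not code from libvirt, libguestfs or policycoreutils: it parses the two AVC records quoted in the message and derives the same type-enforcement rules that audit2allow printed. The function names `parse_context`, `parse_avc` and `allow_rules` are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records, copied from the message above.
AVC_LOG = """\
type=AVC msg=audit(1342903120.938:9403): avc: denied { write } for pid=21757 comm="qemu-kvm" name="guestfsd.sock" dev="dm-4" ino=939761 scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1342903120.938:9403): avc: denied { connectto } for pid=21757 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsDDwHEF/guestfsd.sock" scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_context(ctx):
    """Split user:role:type[:level]; the level may contain ':' (s0:c411,c865)."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) > 3 else ""
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": parse_context(m.group("scontext")),
        "target": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def allow_rules(log):
    """Merge denials per (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            key = (d["source"]["type"], d["target"]["type"], d["tclass"])
            grouped[key].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_s = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LOG)))
```

The derived rules key only on the SELinux types, so the guest's MCS level (`s0:c411,c865`) parsed from `scontext` does not appear in them. As type-enforcement rules they cover any `svirt_t` process and any `user_home_t` socket file, not just this guest and this socket.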