Re: [PATCH libguestfs 0/4] Add a libvirt backend to libguestfs.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Jul 21, 2012 at 09:43:45PM +0100, Richard W.M. Jones wrote:
> (3) SELinux/sVirt prevents qemu connecting to this socket.  This one
> is a pain.  You'd think that if a socket is specified in the libvirt
> XML then sVirt should allow access to it.

The AVCs are:

type=AVC msg=audit(1342903120.938:9403): avc:  denied  { write } for  pid=21757 comm="qemu-kvm" name="guestfsd.sock" dev="dm-4" ino=939761 scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=sock_file
type=AVC msg=audit(1342903120.938:9403): avc:  denied  { connectto } for  pid=21757 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsDDwHEF/guestfsd.sock" scontext=system_u:system_r:svirt_t:s0:c411,c865 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;
allow svirt_t user_home_t:sock_file write;

I might be able to solve this by labelling the socket, but I'm not
clear what label to use.  Also that won't work if the main process is
non-root but has permissions to access the global libvirtd - we'd
really need libvirtd to do the labelling.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]