Tom London wrote:
> On Wed, Feb 13, 2008 at 11:51 AM, Tom London <selinux@xxxxxxxxx> wrote:
>> Hadn't run qemu-kvm for a bit.
>>
>> Now get this AVC (both enforcing/targeted):
>>
>>
>> type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for
>> pid=10351 comm="qemu-kvm"
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
>> type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125
>> success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0
>> ppid=3049 pid=10351 auid=500 uid=500 gid=500 euid=500 suid=500
>> fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="qemu-kvm"
>> exe="/usr/bin/qemu-kvm" subj=unconfined_u:unconfined_r:unconfined_t:s0
>> key=(null)
>>
>> Not sure if it interferes with anything....
>>
> Believe this causes this:
>
> Feb 14 07:55:10 localhost kernel: qemu-kvm[7350] general protection
> ip:80d6ffd sp:bfb48e40 error:0 in qemu-kvm[8047000+12d000]
> Feb 14 07:55:10 localhost setroubleshoot: SELinux is preventing
> qemu-kvm from changing a writable memory segment executable. For
> complete SELinux messages. run sealert -l
> f7ee40db-9506-48d2-bde6-396eb39ef085
>
>
There is a new boolean allow_unconfined_qemu_transition that will run
qemu under a confined domain. So if you turn it on, you get execmem.

Today's rawhide should give it execmem if the transition is off also.

I use virt-manager to start my qemu, which runs them in a confined domain.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
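Added example, not part of the original thread or of any SELinux tooling: a small parser that pairs the execmem AVC quoted above with the SYSCALL record of the same audit event and decodes what was actually attempted. The sample records are constructed from the quoted ones with some id fields omitted, and the syscall table is an assumption limited to the single pair seen here (arch 40000003 is i386, where syscall 125 is mprotect).

```python
import errno
import re

# Constructed sample: the two audit records quoted in the thread (abridged).
SAMPLE = [
    'type=AVC msg=audit(1202932089.281:48): avc: denied { execmem } for '
    'pid=10351 comm="qemu-kvm" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1202932089.281:48): arch=40000003 syscall=125 '
    'success=no exit=-13 a0=8df0000 a1=1001000 a2=7 a3=a7d5358 items=0 '
    'ppid=3049 pid=10351 comm="qemu-kvm" exe="/usr/bin/qemu-kvm" key=(null)',
]

EVENT = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
SYSCALLS = {("40000003", "125"): "mprotect"}  # assumption: only this pair

def parse(lines):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if m.group(1) == "AVC":
            p = PERMS.search(line)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault(m.group(2), {})[m.group(1)] = rec
    return events

def explain_execmem(events):
    """Pair each execmem AVC with the SYSCALL record of the same event."""
    out = []
    for serial, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not avc or not sc or "execmem" not in avc["perms"]:
            continue
        name = SYSCALLS.get((sc["arch"], sc["syscall"]), "unknown")
        prot = int(sc["a2"], 16) if name == "mprotect" else 0  # args are hex
        out.append({"serial": serial, "comm": avc["comm"], "syscall": name,
                    "prot": [n for bit, n in PROT.items() if prot & bit],
                    "length": int(sc["a1"], 16),
                    "exit": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
                    "domain": avc["scontext"].split(":")[2]})
    return out
```

For the quoted event this reports an mprotect requesting read, write and execute together on a 0x1001000-byte region, refused with EACCES while running in unconfined_t, which matches the setroubleshoot message about making a writable segment executable.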