I could do that. The downside is that this will have to be done for
every new virtual machine.
- Michael Schenck
On 11/19/2009 06:37 PM, Dominick Grift wrote:
On Thu, 2009-11-19 at 18:03 -0500, Michael Schenck wrote:
I'm running CentOS 5.4 and am trying to allow qemu to use LVM LV's for
storage. I created this file from audit2allow:
module kvm 1.0;
require {
type qemu_t;
type fixed_disk_device_t;
class blk_file read;
class blk_file getattr;
}
allow qemu_t fixed_disk_device_t:blk_file { read getattr };
I use this script to load it:
#!/bin/sh
# Puppet Template
# Serial: 2008120401
SE_LOCAL=/etc/selinux/local
/usr/bin/checkmodule -M -m -o ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.te
/usr/bin/semodule_package -o ${SE_LOCAL}/kvm.pp -m ${SE_LOCAL}/kvm.mod
/usr/sbin/semodule -i ${SE_LOCAL}/kvm.pp
/bin/rm ${SE_LOCAL}/kvm.mod ${SE_LOCAL}/kvm.pp
When I try to load it, it fails with the following error:
[root@HostKVM2:/etc/selinux/local]# ./kvm-setup.sh
/usr/bin/checkmodule: loading policy configuration from
/etc/selinux/local/kvm.te
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to
/etc/selinux/local/kvm.mod
libsepol.check_assertion_helper: assertion on line 0 violated by allow
qemu_t fixed_disk_device_t:blk_file { read };
libsepol.check_assertions: 1 assertion violations occured
libsemanage.semanage_expand_sandbox: Expand module failed
/usr/sbin/semodule: Failed!
Can someone tell me what I'm doing wrong?
Why not just label the block device properly like everyone else?
chcon -t virt_image_t /pathto/blk_file
Best regards,
Michael Schenck
--
Michael Schenck - Senior Systems Administrator - LimeWire LLC
Phone: 212-775-3046
E-mail: mschenck@xxxxxxxxxxxx
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
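
The reply at the top of this message objects that the chcon has to be repeated for every new virtual machine. As an added example (not part of the thread), the script below reads audit records and prints the chcon command suggested above for each block device on which qemu_t was denied while the device was still labeled fixed_disk_device_t. The function names and the sample records are constructed for illustration, and nothing is relabeled until the printed commands are reviewed and run.

```shell
#!/bin/sh
# Added example, not from the thread: turn qemu_t denials on
# fixed_disk_device_t block devices into a reviewable list of chcon commands.

# Constructed sample AVC records (pids, inodes and device names are made up).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1258671780.101:41): avc:  denied  { getattr } for  pid=3101 comm="qemu-kvm" path="/dev/mapper/vg0-vm01" dev=tmpfs ino=9001 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1258671780.102:42): avc:  denied  { read } for  pid=3101 comm="qemu-kvm" path="/dev/mapper/vg0-vm01" dev=tmpfs ino=9001 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1258671795.310:57): avc:  denied  { read } for  pid=3188 comm="qemu-kvm" path="/dev/mapper/vg0-vm02" dev=tmpfs ino=9002 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1258671801.004:60): avc:  denied  { read } for  pid=2210 comm="httpd" path="/dev/mapper/vg0-vm03" dev=tmpfs ino=9003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1258671810.777:63): avc:  denied  { read } for  pid=3101 comm="qemu-kvm" path="/dev/sr0" dev=tmpfs ino=9100 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
EOF
}

# Read audit records on stdin; print one chcon line per distinct device.
# Only qemu_t -> fixed_disk_device_t blk_file denials are considered, and a
# path is accepted only if it is a plain /dev/... name, so text taken from the
# log can never smuggle shell metacharacters into the printed command.
relabel_plan() {
    awk '
    /avc: +denied/ && /scontext=[^ ]*:qemu_t:/ &&
    /tcontext=[^ ]*:fixed_disk_device_t:/ && /tclass=blk_file/ {
        dev = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^path=/) { dev = $i; sub(/^path=/, "", dev) }
        gsub(/"/, "", dev)
        if (dev ~ "^/dev/[A-Za-z0-9._/-]+$" && !(dev in seen)) {
            seen[dev] = 1
            print "chcon -t virt_image_t " dev
        }
    }'
}

# Demo on the constructed records. Against a live host:
#   relabel_plan < /var/log/audit/audit.log
sample_avc | relabel_plan
```

Labels set with chcon on nodes under /dev are lost when the node is re-created, for example at reboot, so the plan may need to be generated and applied again.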