[DSE-Dev] Bug#758464: Bug#758464: selinux-policy-default: Impossible to use libvirt(d) if enforcing

Andreas Florath andre at flonatel.org
Mon Aug 18 09:06:50 UTC 2014

Hello Mika,

there is also a boolean 'virt_use_execmem' which does
a similar thing (allow execmem and execstack) but in a different
domain: setting this to on also does not change things.

The attached patch solves the problem for me.
I'm not sure why the 'execstack' was not included in the appropriate rule
- execmem already is.
And also I'm not sure if this can be a general way to fix this:
I don't have enough knowledge about libvirtd.

When applying the patch to the selinux-policy-default and installing
the new version, two more errors pop up:

Aug 18 10:31:22 nestor libvirtd[866]: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.4" (uid=0 pid=866 comm="/usr/sbin/libvirtd ") interface="org.freedesktop.login1.Manager" member="CanSuspend" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=672 comm="/lib/systemd/systemd-logind ")
Aug 18 10:31:22 nestor libvirtd[866]: Failed to get host power management capabilities
Aug 18 10:31:22 nestor libvirtd[866]: Unable to open /dev/net/tun, is tun module loaded?: No such file or directory

The first one is IMHO a minor problem (it's not nice, but it should run without this info).
The second one prevents VMs from being started (therefore it's IMHO an important one).

Should I create two new bug reports for these things? (This would IMHO be
better than discussing some problems in the same thread.)

Kind regards



diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index cb868d5..e1a36fb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -412,7 +412,7 @@ corenet_tcp_connect_all_ports(svirt_t)

 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem execstack setexec setfscreate setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
 allow virtd_t self:tcp_socket { accept listen };
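Review bot: the changed `allow virtd_t self:process { ... execmem execstack ... }` line grants execstack unconditionally, while the mail itself notes that `virt_use_execmem` already gates execmem/execstack behind a tunable for another virt domain; consider wrapping the new permission in a `tunable_policy` block keyed on that boolean (or a new one) instead of adding it to the base rule, and add a comment naming which libvirtd component needs an executable stack, so reviewers can judge whether the permission belongs in the default policy at all.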

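The thread turns on which permissions virtd_t is missing, which is what the AVC denials in the audit log answer. The following is an added example, not code from the mail or from the Debian policy package: it turns constructed AVC lines into the merged `allow` rules that audit2allow would print, so the result can be compared against the proposed patch. The sample lines are made up for this example (the tun-device denial in particular is hypothetical; the mail only reports an ENOENT).

```shell
#!/bin/sh
# Constructed sample AVC denials (not from the original mail); two process
# denials for virtd_t on itself plus one hypothetical chr_file denial.
SAMPLE_AVC='type=AVC msg=audit(1408354282.123:45): avc:  denied  { execstack } for  pid=866 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=process
type=AVC msg=audit(1408354282.124:46): avc:  denied  { execmem } for  pid=866 comm="libvirtd" scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=process
type=AVC msg=audit(1408354282.125:47): avc:  denied  { read write } for  pid=866 comm="libvirtd" name="tun" dev="devtmpfs" ino=123 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file'

# avc_to_allow: read AVC lines on stdin and print one merged TE rule per
# (source type, target type, class), e.g. "allow virtd_t self:process { ... };".
# The target is written as "self" when source and target type are equal,
# matching the convention used in virt.te.
avc_to_allow() {
  awk '
    /avc:  denied/ {
      perms = $0
      sub(/.*denied  [{] */, "", perms)   # drop everything before the perms
      sub(/ *[}].*/, "", perms)           # drop everything after the perms
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), s, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART, RLENGTH), t, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      # field 3 of user:role:type[:level] is the type
      key = s[3] " " ((s[3] == t[3]) ? "self" : t[3]) ":" cls
      if (!(key in rules)) { order[++n] = key; rules[key] = "" }
      np = split(perms, p, " ")
      for (i = 1; i <= np; i++)
        if (index(" " rules[key] " ", " " p[i] " ") == 0)
          rules[key] = rules[key] (rules[key] == "" ? "" : " ") p[i]
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], rules[order[i]] }'
}

# rules_from_sample: run the converter over the constructed denials.
rules_from_sample() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

rules_from_sample
```

On a real host the same function can be fed with `ausearch -m avc -ts recent`; a rule it prints for virtd_t self:process should match the permissions the patch adds, while any other rule points at a separate problem.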