No edit summary |
No edit summary |
||
| Line 27: | Line 27: | ||
# now fix the selinux fcontext for that dir | # now fix the selinux fcontext for that dir | ||
restorecon -R -F /scratch/libvirt | restorecon -R -F /scratch/libvirt | ||
semange fcontext -S targeted -a -t var_image_t "/scratch/libvirt(/.*)?" | |||
semange fcontext -S targeted -a -t var_image_t "/var/lib/libvirt(/.*)?" | |||
semange fcontext -S targeted -a -t | |||
restorecon -vv -F /scratch/libvirt | restorecon -vv -F /scratch/libvirt | ||
restorecon -vv -F /var/lib/libvirt | |||
</pre> | </pre> | ||
Revision as of 19:45, 25 January 2013
About Me
I'm a part of the Anaconda team at Red Hat. Specifically, my work focuses on support for secondary architectures (s390x, ppc) and text UI.
Prior to coming to Red Hat, I was a Linux sysadmin at an engineering school. My work there involved service migration/consolidation, automating and customizing kickstart installs, packaging custom RPMs, and a small amount of identity management.
Non-work interests of mine include SELinux, breakfast, and Star Trek.
Contact
- Email: sbueno at redhat dot com
- IRC: sbueno on freenode
- Fedora Account: sbueno
- Time Zone: EST5EDT
- Location: Cambridge, MA
SELinux and virtualization
A lot of people I know turn SELinux off in order to get virtualization working. Not cool. If you're having problems, these are the minor tweaks I made to SELinux on my F17 system to get things running smoothly. These notes are copied from my runlogs, so excuse the brevity. Hopefully I didn't accidentally leave anything out since I worked pretty quickly.
- selinux tools; probably don't need all of these, but I like them there
yum install policycoreutils policycoreutils-newrole policycoreutils-restorecond setools setools-console policycoreutils
- by default I make /var about 08GB; unfortunately, libvirt stores images in here, so space quickly becomes an issue for me; no matter, just move things elsewhere....
cd /var/lib mv -f libvirt/ /scratch/ ln -s /scratch/libvirt/ . # # now fix the selinux fcontext for that dir restorecon -R -F /scratch/libvirt semange fcontext -S targeted -a -t var_image_t "/scratch/libvirt(/.*)?" semange fcontext -S targeted -a -t var_image_t "/var/lib/libvirt(/.*)?" restorecon -vv -F /scratch/libvirt restorecon -vv -F /var/lib/libvirt
- change selinux user mapping for my user created at install time
semanage login -a -s staff_u sbueno
- change the default selinux user mapping for future new users (don't want any unconfined_u's running around....)
semanage login -m -S targeted -s "user_u" -r s0 __default__
- time to fulfil virtualization needs
yum install qemu-kvm libvirt-daemon-kvm qemu-kvm-tools virt-manager x3270-x11 tigervnc
- fix some booleans since virtualization is a cluster of AVCs by default
# HINT: you can do this via setsebool -P also, but you can only change one # boolean at a time that way, meaning the policy will need to be recompiled # for every single boolean you want to flip; do it this way and only recompile # the policy once semanage -S targeted -i - << EOF boolean -m --on staff_use_svirt boolean -m --on virt_use_execmem boolean -m --on virt_use_nfs boolean -m --on virt_use_sysfs boolean -m --on virt_use_usb boolean -m --on virt_use_xserver EOF
- If your SELinux user mapping changed (ex. from user_u to staff_u), you probably want to log out and back in again. Aside from that, you should be good to go.