Revision as of 19:02, 25 January 2013
About Me
I'm a part of the Anaconda team at Red Hat. Specifically, my work focuses on support for secondary architectures (s390x, ppc) and text UI.
Prior to coming to Red Hat, I was a Linux sysadmin at an engineering school. My work there involved service migration/consolidation, automating and customizing kickstart installs, packaging custom RPMs, and a small amount of identity management.
Non-work interests of mine include SELinux, breakfast, and Star Trek.
Contact
- Email: sbueno at redhat dot com
- IRC: sbueno on freenode
- Fedora Account: sbueno
- Time Zone: EST5EDT
- Location: Cambridge, MA
SELinux and virtualization
A lot of people I know turn SELinux off in order to get virtualization working. Not cool. If you're having problems, these are the minor tweaks I made to SELinux on my F17 system to get things running smoothly. These notes are copied from my runlogs, so excuse the brevity. Hopefully I didn't accidentally leave anything out since I worked pretty quickly.
- selinux tools; probably don't need all of these, but I like them there
yum install policycoreutils policycoreutils-newrole policycoreutils-restorecond setools setools-console policycoreutils
- by default I make /var about 08GB; unfortunately, libvirt stores images in here, so space quickly becomes an issue for me; no matter, just move things elsewhere....
cd /var/lib
mv -f libvirt/ /scratch/
ln -s /scratch/libvirt/ .
#
# now fix the selinux fcontext for that dir
restorecon -R -F /scratch/libvirt
# I feel you should be able to set an equivalence class between /var/lib/libvirt and /scratch/libvirt;
# alas, it didn't work for whatever reason, so this was the next best thing
semanage fcontext -S targeted -a -t var_libvirt_t /scratch/libvirt
restorecon -vv -F /scratch/libvirt
- change selinux user mapping for my user created at install time
semanage login -a -s staff_u sbueno
- change the default selinux user mapping for future new users (don't want any unconfined_u's running around....)
semanage login -m -S targeted -s "user_u" -r s0 __default__
- time to fulfil virtualization needs
yum install qemu-kvm libvirt-daemon-kvm qemu-kvm-tools virt-manager x3270-x11 tigervnc
- fix some booleans since virtualization is a cluster of AVCs by default
# HINT: you can do this via setsebool -P also, but you can only change one
# boolean at a time that way, meaning the policy will need to be recompiled
# for every single boolean you want to flip; do it this way and only recompile
# the policy once
semanage -S targeted -i - << EOF
boolean -m --on staff_use_svirt
boolean -m --on virt_use_execmem
boolean -m --on virt_use_nfs
boolean -m --on virt_use_sysfs
boolean -m --on virt_use_usb
boolean -m --on virt_use_xserver
EOF
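As an added example (not part of the original notes), the following script builds the same single-recompile semanage batch, but only for the booleans that are actually still off according to getsebool output, and also emits the fcontext rule for the relocated libvirt directory with a (/.*)? suffix so the whole tree, not just the directory itself, gets the label. The getsebool sample embedded below is constructed for illustration; the boolean names and the var_libvirt_t type are taken from the notes above, and a real run would pipe the output of getsebool -a into missing_booleans instead.

```shell
#!/bin/sh
# Added example: compute a minimal `semanage -i -` batch from getsebool output.
# Not from the original page; the sample getsebool output is constructed.

# Booleans the notes above flip on for libvirt/qemu-kvm under a staff_u login.
REQUIRED_BOOLEANS="staff_use_svirt virt_use_execmem virt_use_nfs virt_use_sysfs virt_use_usb virt_use_xserver"

# Constructed sample of `getsebool -a` output: two of the six already on.
SAMPLE_GETSEBOOL='staff_use_svirt --> off
virt_use_comm --> off
virt_use_execmem --> on
virt_use_nfs --> off
virt_use_sysfs --> on
virt_use_usb --> off
virt_use_xserver --> off'

# missing_booleans: read getsebool-style lines on stdin and print each name in
# REQUIRED_BOOLEANS that is not reported as "on" (off, or absent altogether).
missing_booleans() {
    state=$(cat)
    for b in $REQUIRED_BOOLEANS; do
        case "$state" in
            *"$b --> on"*) ;;                 # already on, nothing to flip
            *) printf '%s\n' "$b" ;;
        esac
    done
}

# semanage_batch: turn boolean names (one per line on stdin) into the command
# format `semanage -i -` accepts, so all of them are applied in one policy rebuild.
semanage_batch() {
    while read -r name; do
        if [ -n "$name" ]; then
            printf 'boolean -m --on %s\n' "$name"
        fi
    done
}

# fcontext_rule PATH TYPE: emit the batch line that labels PATH and everything
# beneath it as TYPE; the (/.*)? suffix is what makes the rule cover the tree.
fcontext_rule() {
    printf "fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
}

# count_missing: how many required booleans the sample says are still off.
count_missing() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | missing_booleans | wc -l | tr -d ' '
}

# Usage (what you would actually pipe into semanage after reviewing it):
#   { fcontext_rule /scratch/libvirt var_libvirt_t;
#     getsebool -a | missing_booleans | semanage_batch; } | semanage -S targeted -i -
printf '%s\n' "$SAMPLE_GETSEBOOL" | missing_booleans | semanage_batch
fcontext_rule /scratch/libvirt var_libvirt_t
```

Review the generated batch before feeding it to semanage: the list of booleans is the policy relaxation you are granting to every confined virtual machine, and anything already on stays untouched, so the batch doubles as a record of what this host needed beyond the default policy.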