Posted to users@cloudstack.apache.org by David Nalley <da...@gnsa.us> on 2013/03/16 18:29:56 UTC

Help wanted: KVM and SELinux

Hi folks,

I am working on writing an SELinux policy for the KVM agent so that
SELinux can be left enabled.

I'd like to solicit some help.

So:

If you are running KVM you naturally have SELinux set to disabled or
permissive.
If you have it set to permissive, and would consider installing my
current policy definition - it would be greatly appreciated. What's
the impact of you testing my policy? Well nothing right now - you're
in permissive mode, and we won't change that during testing, so all
you'd be doing is hopefully cutting down on AVC denials in
/var/log/messages or in /var/log/audit/audit.log

So how do you help:

First install the new policy:
You can get the current version here:
http://people.apache.org/~ke4qqq/cloudstack-agent.pp

once you have that on the hypervisor - run:
semodule -i cloudstack-agent.pp

Make sure you have auditd installed:

rpm -q audit should show you whether or not you have audit installed.
If not 'yum -y install audit' and 'service auditd start' followed by
'chkconfig auditd on' will get you going. The audit package ensures
that all AVCs are logged to a dedicated file
(/var/log/audit/audit.log) rather than /var/log/messages.

If you already had auditd up and running, let's rotate the logs - that
will make it much easier to diagnose problems:

service auditd stop
mv /var/log/audit/audit.log /var/log/audit/oldaudit.log
service auditd start

Now go about your business, deploy machines, destroy machines, do
weird and wacky things, we are essentially looking for new entries in
audit.log to see what we have missed. If your audit log shows up with
items in your audit log, please upload them to this bug:
https://issues.apache.org/jira/browse/CLOUDSTACK-337


You have questions?? Do they match these below? If not reply to this
thread and ask.

Wait, are you testing this yourself?

Of course I am - I've long since (by which I mean I applied it while
writing this) applied this to all of my KVM nodes, however, I have
only a small percentage of potential configuration options.
Specifically, I am running CloudStack 4.0.1, with KVM on EL6.3, with
NFS and local storage and VLANs for isolation.

Wait - are you making my KVM hypervisor less secure?

Probably not. I mean to begin with you are currently running with
SELinux in permissive mode. This is an effort to allow us to turn on
SELinux, use sVirt, and have a more secure hypervisor.
Still not assuaged? Want to see the source?
https://git-wip-us.apache.org/repos/asf/incubator-cloudstack.git/?p=incubator-cloudstack.git;a=blob;f=packaging/centos63/cloudstack-agent.te;h=4259e173a46f93316217b84281556b2b9b92d316;hb=HEAD
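As an added example (not part of David's message and not code from the CloudStack project), here is a small POSIX shell helper for the "look for new entries in audit.log" step above: it collapses the AVC denials in an audit log into one line per distinct source type, target type, object class and permission set, with a count, so the entries you attach to the bug are easy to read at a glance. The audit lines it demonstrates on are constructed, and the agent domain type agent_t is a placeholder rather than the type defined in cloudstack-agent.te; etc_t, var_log_t and unreserved_port_t are standard targeted-policy types.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials before attaching them to a bug.
# Works on /var/log/audit/audit.log or on any file in the same format.

make_sample() {
    # Write constructed AVC lines (not captured from a real host) to the file
    # named in $1. agent_t is a placeholder for the agent's domain type.
    cat > "$1" <<'EOF'
type=USER_START msg=audit(1363451390.000:200): user pid=1999 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
type=AVC msg=audit(1363451396.101:201): avc:  denied  { read } for  pid=2001 comm="java" name="agent.properties" dev=dm-0 ino=4711 scontext=system_u:system_r:agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1363451396.102:202): avc:  denied  { read } for  pid=2001 comm="java" name="log4j-cloud.xml" dev=dm-0 ino=4712 scontext=system_u:system_r:agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1363451397.500:203): avc:  denied  { write } for  pid=2001 comm="java" name="agent.log" dev=dm-0 ino=9001 scontext=system_u:system_r:agent_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1363451398.250:204): avc:  denied  { name_connect } for  pid=2001 comm="java" dest=8250 scontext=system_u:system_r:agent_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}

summarize_avc() {
    # $1: audit log to read (defaults to the live audit log).
    # Output: "<count> <source type> -> <target type> <class> { <perms> }",
    # most frequent denial first.
    grep 'avc: *denied' "${1:-/var/log/audit/audit.log}" | awk '
    {
        # The denied permissions sit between "{" and "}".
        match($0, /\{[^}]*\}/)
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
            else if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            else if ($i ~ /^tclass=/) { c = $i; sub(/^tclass=/, "", c) }
        }
        # Contexts are user:role:type:level; the third field is the type.
        split(s, sa, ":"); split(t, ta, ":")
        key = sa[3] " -> " ta[3] " " c " { " perms " }"
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demonstration on the constructed sample rather than the live audit log.
SAMPLE=$(mktemp)
make_sample "$SAMPLE"
summarize_avc "$SAMPLE"
rm -f "$SAMPLE"
```

After the log rotation step in the message, `summarize_avc` with no argument reads the live audit.log; the non-AVC records are filtered out and the counts show which files, ports or sockets the agent was denied most often, which is exactly what the policy author needs to see alongside the raw log.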