2013-04-26 12:55:07

Laine Stump 2013-01-14 12:44:12 EST
As far as I gather, the restrictions put in place by UEFI secure boot are roughly equivalent to CAP_COMPROMISE_KERNEL, and selinux has a policy called "compromise_kernel" that also checks for and prevents the same operations.

Assignment of host hardware to guests in qemu-kvm via its "-device pci-assign" option is known to fail on systems with UEFI secure boot. However, even on systems that don't have a UEFI BIOS, pci-assign is no longer working as of Fedora 18 unless the following three steps are taken (this is assuming that qemu-kvm is run by libvirtd):

1) clear_emulator_capabilities is set to 0 in /etc/libvirt/qemu.conf

2) qemu-kvm is run as root rather than as user qemu

3) selinux is set to permissive mode.

Items 1 and 2 can be solved in libvirt by making sure that CAP_COMPROMISE_KERNEL is set when pci passthrough will be required. Item 3 currently has no solution other than a blanket disabling of selinux, which is obviously not desired.

The solution would be to either unconditionally, or possibly as the result of an selinux boolean called virt_allow_compromise_kernel_t (or something like that), not check for [whatever compromise_kernel checks for] in processes that are svirt_t.

Without such a change, PCI passthrough will no longer work in F18+.
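The three workarounds listed in the comment above each remove a layer of confinement from the qemu process (it keeps libvirtd's capabilities, runs as root, and is no longer enforced by SELinux), so a host administrator will want to know when they are in effect. The following audit helper is an added example, not code from the Bugzilla thread or from libvirt; it assumes the stock qemu.conf key names `clear_emulator_capabilities` and `user`, and reads the SELinux mode with `getenforce`. The qemu.conf content it runs against is constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of the thread): report which of the three
# pci-assign workarounds are active on a libvirt/qemu-kvm host.
# Assumes the stock key names in /etc/libvirt/qemu.conf:
#   clear_emulator_capabilities = 0|1
#   user = "qemu"|"root"

# Print the effective value of a key in a qemu.conf file.
# Commented-out lines are ignored; the last uncommented assignment wins.
# $1 = path to qemu.conf, $2 = key name
qemu_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"'
}

# Print one line per weakened setting found in the given qemu.conf;
# prints nothing when the defaults are in place.
audit_qemu_conf() {
    conf="$1"
    caps=$(qemu_conf_value "$conf" clear_emulator_capabilities)
    user=$(qemu_conf_value "$conf" user)
    [ "$caps" = "0" ] && echo "clear_emulator_capabilities=0: qemu inherits all capabilities of libvirtd"
    [ "$user" = "root" ] && echo "user=root: qemu runs as root instead of the qemu user"
    return 0
}

# Third workaround: SELinux in permissive mode. Only meaningful on a live host
# with getenforce available; silently skipped elsewhere.
audit_selinux() {
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
        [ "$mode" = "Permissive" ] && echo "SELinux is permissive: svirt_t confinement is not enforced"
    fi
    return 0
}

# Constructed sample qemu.conf so the helper runs stand-alone (not a real host file).
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# default shown in a comment, must be ignored:
#clear_emulator_capabilities = 1
user = "root"
clear_emulator_capabilities = 0
EOF
audit_qemu_conf "$sample_conf"
rm -f "$sample_conf"
audit_selinux
```

Run it against the real file with `audit_qemu_conf /etc/libvirt/qemu.conf` on the host in question; an empty result for both functions means none of the three workarounds is in effect.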

Daniel Walsh 2013-01-14 13:11:59 EST
Looks like this is fixed in selinux-policy-3.11.1-70.fc18.src.rpm

But Dan Berrange asked me to make this the default and remove virt_use_sysfs altogether, which is fine with me.  

c02f1786d5176b0367494d27280d036996c77cdc fixes this.