KVM and SELinux

In Fedora 9, kernel-based virtual machines (KVM) are now confined by SELinux. This is a good thing: any security bug in the KVM/qemu infrastructure is less likely to affect the host system. However, when moving from earlier versions of Fedora, the KVM guest image files (e.g. of the form opensolaris.img) will probably carry the wrong SELinux type, and SELinux will then deny the confined qemu process access to them, so the guests will not start on Fedora 9. To see the SELinux label you can use the -Z option to the normal ls command:

# ls -lZ opensolaris.img
-rwxrwxr-x root root unconfined_u:object_r:var_t:s0 opensolaris.img

In this example, the image was created in /var and has inherited the SELinux type var_t from that directory. It also has the SELinux user unconfined_u. For this file to be accessible to the guest VM in Fedora 9 it needs the SELinux type virt_image_t. The KVM/qemu image files can be changed to this type with the chcon command. For example, to change the SELinux type and user of opensolaris.img:

# chcon -h -u system_u -r object_r -t virt_image_t opensolaris.img

Here I am changing the SELinux user, role and type (although only the type is necessary). This now allows the OpenSolaris guest to operate within the newly SELinux-confined KVM. Note that a label set with chcon lasts only until the file is next relabelled from the policy's file-context database (for example by restorecon, or by a full relabel after touching /.autorelabel), at which point the file reverts to the default for its directory. To make the change persistent, add a file-context rule for the image path with semanage fcontext -a -t virt_image_t and then run restorecon on the file.
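The check-and-relabel procedure above, as an added shell script that is not part of the original post: it reads each image's current context, skips files already labelled virt_image_t, runs chcon on the rest, and re-reads the label afterwards to confirm the change took effect. It assumes an SELinux-enabled host with GNU coreutils (stat -c %C and chcon); the script name fix-virt-label.sh and the image paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Relabel KVM/qemu image files to virt_image_t only where needed, then verify.
# Assumes GNU coreutils: `stat -c %C` prints a file's SELinux context,
# `chcon` changes it. The paths given on the command line are hypothetical.

WANTED_TYPE=virt_image_t

# Third field of a context string: unconfined_u:object_r:var_t:s0 -> var_t
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when a context string does not already carry the type that the
# confined qemu/KVM process is allowed to read and write.
context_needs_relabel() {
    [ "$(selinux_type_of "$1")" != "$WANTED_TYPE" ]
}

# Current context of a file ("?" on hosts without SELinux support).
file_context() {
    stat -c %C "$1"
}

# Relabel one image only when needed and confirm the result afterwards.
# Only the type is changed; the SELinux user and role are left as they are,
# which is all the policy requires.
fix_image_label() {
    img=$1
    ctx=$(file_context "$img") || return 2
    if ! context_needs_relabel "$ctx"; then
        echo "$img: already $WANTED_TYPE"
        return 0
    fi
    echo "$img: $ctx -> type $WANTED_TYPE"
    chcon -h -t "$WANTED_TYPE" "$img" || return 1
    # Re-read the label rather than trusting chcon's exit status alone.
    ctx=$(file_context "$img")
    if context_needs_relabel "$ctx"; then
        echo "$img: relabel did not take effect ($ctx)" >&2
        return 1
    fi
}

# Usage: sh fix-virt-label.sh /var/opensolaris.img [more.img ...]
status=0
for img in "$@"; do
    fix_image_label "$img" || status=1
done
[ $# -eq 0 ] || exit "$status"
```

Run it as root against every image the guests use; a non-zero exit means at least one file could not be relabelled (typically a filesystem without label support, or a path that does not exist). As with the chcon command in the post, the result is not persistent across a policy relabel.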