Discussion on the state of cloud computing and open source software that helps build, manage, and deliver everything-as-a-service.

Posted by on in Open Source

SELinux + KVM + CloudStack

So I am working on writing an SELinux policy for the CloudStack KVM agent so that SELinux can be left enabled. Why, you ask? Well, I really dislike advocating that people turn off a security mechanism to get software to work. Additionally, I really want some of the advantages of sVirt. But here is where I'd like to solicit some help. If you are running KVM with CloudStack, you naturally have SELinux set to disabled or permissive. If you have it set to permissive, and would consider installing my current policy definition, it would be greatly appreciated. What's the impact of you testing my policy? Well, nothing right now: you're in permissive mode, and we won't change that during testing, so all you'd be doing is hopefully cutting down on AVC denials in /var/log/messages or in /var/log/audit/audit.log.

So how do you help:

First install the new policy:

You can get the current version here: cloudstack-agent.pp. Once you have that on the hypervisor, run:
semodule -i cloudstack-agent.pp

Make sure you have auditd installed:

rpm -q audit
The above should show you whether or not you have audit installed. If not, you can install and start auditd with the following commands:
yum -y install audit
service auditd start
chkconfig auditd on
The audit package ensures that all AVCs are logged to a dedicated file (/var/log/audit/audit.log) rather than /var/log/messages.

If you already had auditd up and running, let's rotate the logs.

This will make it much easier to diagnose any missing policy items:
service auditd stop
mv /var/log/audit/audit.log /var/log/audit/oldaudit.log
service auditd start
Now go about your business: deploy machines, destroy machines, do weird and wacky things. We are essentially looking for new entries in audit.log to see what the policy has missed. If new AVC denials show up in your audit log, please upload them to this bug: CLOUDSTACK-337
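Before uploading, it helps to see what the fresh audit.log actually contains. The script below is an added example, not part of the original post or the policy module: it summarises AVC denial lines by source domain, target type, object class and denied permissions, and ignores the non-AVC records (SYSCALL etc.) that auditd interleaves. The log lines are constructed samples, and the domain name cloudstack_agent_t is a hypothetical placeholder, not necessarily the name the real policy uses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise AVC denials from an
# audit.log so missing policy rules can be reported. Sample lines below are
# constructed; "cloudstack_agent_t" is a hypothetical domain name.

# Write a constructed audit log to a temp file and print its path.
make_sample_audit_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
type=AVC msg=audit(1357000000.101:201): avc:  denied  { read } for  pid=2101 comm="java" name="agent.properties" dev=dm-0 ino=4111 scontext=system_u:system_r:cloudstack_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1357000000.102:202): avc:  denied  { read } for  pid=2101 comm="java" name="agent.properties" dev=dm-0 ino=4111 scontext=system_u:system_r:cloudstack_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1357000000.205:203): avc:  denied  { connectto } for  pid=2101 comm="java" path="/var/run/libvirt/libvirt-sock" scontext=system_u:system_r:cloudstack_agent_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1357000000.205:203): arch=c000003e syscall=42 success=no exit=-13 comm="java" exe="/usr/bin/java" subj=system_u:system_r:cloudstack_agent_t:s0 key=(null)
type=AVC msg=audit(1357000000.310:204): avc:  denied  { write } for  pid=2101 comm="java" name="primary" dev=0:21 ino=9 scontext=system_u:system_r:cloudstack_agent_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
EOF
    printf '%s\n' "$f"
}

# Print one line per distinct denial:
#   <count> <source domain> <target type> <tclass> { <perms> }
# Only "type=AVC ... avc: denied" records are considered.
summarize_avc() {
    awk '/^type=AVC / && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # drop everything before the perms
        sub(/ *[}].*/, "", perms)           # drop everything after the perms
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:type:level
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n[src " " tgt " " cls " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# Number of distinct denials: a quick "did anything new show up?" check.
count_distinct_avc() {
    summarize_avc "$1" | wc -l | tr -d ' '
}
```

Run it against /var/log/audit/audit.log after the rotation above; the two read denials on agent.properties collapse into one line with a count of 2, which is what you would paste into the bug.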

You have questions??

Do they match these below? If not ask on the list.

Wait, are you testing this yourself?

Of course I am - I've long since (by which I mean I applied it while writing this) applied this to all of my KVM nodes, however, I have only a small percentage of potential configuration options. Specifically, I am running CloudStack 4.0.1, with KVM on EL6.3, with NFS and local storage and VLANs for isolation.

Wait - are you making my KVM hypervisor less secure?

Probably not. I mean to begin with you are currently running with SELinux in permissive mode. This is an effort to allow us to turn on SELinux, use sVirt, and have a more secure hypervisor. Still not assuaged? Want to see the source? It's here.
David Nalley is currently employed by Citrix as the Community Manager for the CloudStack project. In addition, he's a long-time contributor to the Fedora Project, where among other things he is currently serving on the Fedora Project Board. He's also contributed in various forms to Cobbler, Zenoss, OLPC Math4, and Sahana. He is a frequent speaker at Free Software conferences around the nation, and writes for a number of technical and open source media publications including Linux Pro Magazine and