SELinux labels for libvirt and QEMU running in a container

Log into the 'nova_libvirt' container on the compute host:

[root@compute-0 ~]# podman exec -it nova_libvirt /bin/bash

SELinux info from the 'nova_libvirt' container:

()[root@compute-0 /]# getenforce 
Enforcing

()[root@compute-0 /]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

SELinux labels of the running QEMU processes:

()[root@compute-0 /]# ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c496,c549 216371 ?  00:01:30 qemu-kvm
system_u:system_r:svirt_t:s0:c190,c890 230724 ?  00:00:18 qemu-kvm

SELinux label for the QEMU binary file:

()[root@compute-0 /]# ls -lZ /usr/libexec/qemu-kvm 
-rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 16356584 Apr  6 20:47 /usr/libexec/qemu-kvm

SELinux label for the libvirtd process:

()[root@compute-0 /]# ps -eZ | grep libvirtd
system_u:system_r:spc_t:s0       209874 ?        00:00:01 libvirtd

SELinux label for the libvirtd binary file:

()[root@compute-0 /]# ls -lZ /usr/sbin/libvirtd
-rwxr-xr-x. 1 root root system_u:object_r:container_ro_file_t:s0 618304 Dec 20 01:11 /usr/sbin/libvirtd

Enumerate the running guests:

()[root@compute-0 /]# virsh list
 Id   Name                State
-----------------------------------
 1    instance-00000001   running
 2    instance-00000002   running

Enumerate the disk images the above guests are using:

()[root@compute-0 /]# virsh domblklist 1
 Target   Source
-----------------------------------------------------------------------------
 vda      /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk


()[root@compute-0 /]# virsh domblklist 2
 Target   Source
-----------------------------------------------------------------------------
 vda      /var/lib/nova/instances/9d9ec228-7a86-45cd-8870-1769312a2e42/disk

Check the SELinux labels for the above disk images:

()[root@compute-0 /]# ls -lZ /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk /var/lib/nova/instances/9d9ec228-7a86-45cd-8870-1769312a2e42/disk
-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c190,c890 59244544 Jun 17 12:53 /var/lib/nova/instances/9d9ec228-7a86-45cd-8870-1769312a2e42/disk
-rw-r--r--. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c496,c549 59113472 Jun 17 11:46 /var/lib/nova/instances/dfad20d8-8152-46ec-bdd9-b9be2dd0c538/disk

They match the labels for the corresponding QEMU processes:

()[root@compute-0 /]# ps -eZ | grep qemu
system_u:system_r:svirt_t:s0:c496,c549 216371 ?  00:02:00 qemu-kvm
system_u:system_r:svirt_t:s0:c190,c890 230724 ?  00:00:47 qemu-kvm

Notice that a each QEMU process and its corresponding disk image have a unique SELinux label:

• instance-00000001 & its disk image: s0:c190,c890
• instance-00000002 & its disk image:

2020-06-17 12:46:33.138+0000: starting up libvirt version: 5.6.0, package: 10.module+el8.1.1+5309+6d656f05 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2019-12-20-01:08:55, ), qemu version: 4.1.0qemu-kvm-4.1.0-23.module+el8.1.1+6238+f5d69f68.3, kernel: 4.18.0-147.8.1.el8_1.x86_64, hostname: compute-0.localdomain
LC_ALL=C \
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
HOME=/var/lib/libvirt/qemu/domain-2-instance-00000002 \
XDG_DATA_HOME=/var/lib/libvirt/qemu/domain-2-instance-00000002/.local/share \
XDG_CACHE_HOME=/var/lib/libvirt/qemu/domain-2-instance-00000002/.cache \
XDG_CONFIG_HOME=/var/lib/libvirt/qemu/domain-2-instance-00000002/.config \
QEMU_AUDIO_DRV=none \
/usr/libexec/qemu-kvm \
-name guest=instance-00000002,debug-threads=on \
-S \
-object secret,id=masterKey0,format=raw,file=/var/lib/libvirt/qemu/domain-2-instance-00000002/master-key.aes \
-machine pc-i440fx-rhel7.6.0,accel=kvm,usb=off,dump-guest-core=off \
-cpu EPYC-IBPB,x2apic=on,tsc-deadline=on,hypervisor=on,tsc-adjust=on,arch-capabilities=on,cmp-legacy=on,perfctr-core=on,virt-ssbd=on,skip-l1dfl-vmentry=on,monitor=off,svm=off \
-m 512 \
-overcommit mem-lock=off \
-smp 1,sockets=1,cores=1,threads=1 \
-uuid 9d9ec228-7a86-45cd-8870-1769312a2e42 \
-smbios 'type=1,manufacturer=Red Hat,product=OpenStack Compute,version=20.1.2-0.20200401205214.28324e6.el8ost,serial=9d9ec228-7a86-45cd-8870-1769312a2e42,uuid=9d9ec228-7a86-45cd-8870-1769312a2e42,family=Virtual Machine' \
-no-user-config \
-nodefaults \
-chardev socket,id=charmonitor,fd=34,server,nowait \
-mon chardev=charmonitor,id=monitor,mode=control \
-rtc base=utc,driftfix=slew \
-global kvm-pit.lost_tick_policy=delay \
-no-hpet \
-no-shutdown \
-boot strict=on \
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
-drive file=/var/lib/nova/instances/9d9ec228-7a86-45cd-8870-1769312a2e42/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none \
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,write-cache=on \
-netdev tap,fd=36,id=hostnet0,vhost=on,vhostfd=37 \
-device virtio-net-pci,rx_queue_size=512,host_mtu=1442,netdev=hostnet0,id=net0,mac=fa:16:3e:ea:a5:0b,bus=pci.0,addr=0x3 \
-add-fd set=3,fd=39 \
-chardev pty,id=charserial0,logfile=/dev/fdset/3,logappend=on \
-device isa-serial,chardev=charserial0,id=serial0 \
-device usb-tablet,id=input0,bus=usb.0,port=1 \
-vnc 172.16.13.62:1 \
-device cirrus-vga,id=video0,bus=pci.0,addr=0x2 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x5 \
-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
-msg timestamp=on
char device redirected to /dev/pts/3 (label charserial0)
2020-06-17T12:46:33.243387Z qemu-kvm: -device cirrus-vga,id=video0,bus=pci.0,addr=0x2: warning: 'cirrus-vga' is deprecated, please use a different VGA card instead