16.2. SELinux and virtualization

Security Enhanced Linux was developed by the NSA with assistance from the Linux community to provide stronger security for Linux. SELinux limits an attackers abilities and works to prevent many common security exploits such as buffer overflow attacks and privilege escalation. It is because of these benefits that all Red Hat Enterprise Linux systems should run with SELinux enabled and in enforcing mode.

SELinux prevents guest images from loading if SELinux is enabled and the images are not in the correct directory. SELinux requires that all guest images are stored in /var/lib/libvirt/images.

Adding LVM based storage with SELinux in enforcing mode

The following section is an example of adding a logical volume to a virtualized guest with SELinux enabled. These instructions also work for hard drive partitions.

Procedure 16.1. Creating and mounting a logical volume on a virtualized guest with SELinux enabled

Create a logical volume. This example creates a 5 gigabyte logical volume named NewVolumeName on the volume group named volumegroup.
```
# lvcreate -n NewVolumeName -L 5G volumegroup
```
Format the NewVolumeName logical volume with a file system that supports extended attributes, such as ext3.
```
# mke2fs -j /dev/volumegroup/NewVolumeName
```
Create a new directory for mounting the new logical volume. This directory can be anywhere on your file system. It is advised not to put it in important system directories (/etc, /var, /sys) or in home directories (/home or /root). This example uses a directory called /virtstorage
```
# mkdir /virtstorage
```

Mount the logical volume.

# mount /dev/volumegroup/NewVolumeName /virtstorage

Set the correct SELinux type for the libvirt image folder.
```
# semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"
```
If the targeted policy is used (targeted is the default policy) the command appends a line to the /etc/selinux/targeted/contexts/files/file_contexts.local file which makes the change persistent. The appended line may resemble this:
```
/virtstorage(/.*)?    system_u:object_r:virt_image_t:s0
```
Run the command to change the type of the mount point (/virtstorage) and all files under it to virt_image_t (the restorecon and setfiles commands read the files in /etc/selinux/targeted/contexts/files/).
```
# restorecon -R -v /virtstorage
```

Testing new attributes

Create a new file (using the touch command) on the file system.

# touch /virtstorage/newfile

Verify the file has been relabeled using the following command:

# sudo ls -Z /virtstorage
-rw-------. root root system_u:object_r:virt_image_t:s0 newfile

The output shows that the new file has the correct attribute, virt_image_t.