PCI passthrough fails in qemu-kvm unless selinux is disabled

380 reads, 0 comments, 2013-11-24, droplist
Category: LINUX

Laine Stump 2013-01-14 12:44:12 EST
As far as I gather, the restrictions put in place by UEFI secure boot are roughly equivalent to CAP_COMPROMISE_KERNEL, and selinux has a policy called "compromise_kernel" that also checks for and prevents the same operations.

Assignment of host hardware to guests in qemu-kvm via its "-device pci-assign" option is known to fail on systems with UEFI secure boot. However, even on systems that don't have a UEFI BIOS, pci-assign is no longer working as of Fedora 18 unless the following three steps are taken (this is assuming that qemu-kvm is run by libvirtd):

1) clear_emulator_capabilities is set to 0 in /etc/libvirt/qemu.conf

2) qemu-kvm is run as root rather than as user qemu

3) selinux is set to permissive mode.

Items 1 and 2 can be solved in libvirt by making sure that CAP_COMPROMISE_KERNEL is set when pci passthrough will be required. Item 3 currently has no solution other than a blanket disabling of selinux, which is obviously not desired.

The solution would be to either unconditionally, or possibly as the result of an selinux boolean called virt_allow_compromise_kernel_t (or something like that), not check for [whatever compromise_kernel checks for] in processes that are svirt_t.

Without such a change, PCI passthrough will no longer work in F18+.
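The three workarounds listed above each lower the isolation of the qemu process (retained capabilities, root instead of the qemu user, no SELinux enforcement), so a host that was "fixed" this way is worth auditing later. The script below is an added example, not part of the original bug thread or of libvirt: it reads the `clear_emulator_capabilities` and `user` keys from a qemu.conf-style file and combines them with the SELinux mode string to list which of the three weakenings are in effect. The sample configuration is constructed inline; on a real host you would point it at /etc/libvirt/qemu.conf and pass the output of `getenforce`.

```shell
#!/bin/sh
# Added example (not from the original thread or from libvirt): audit a
# qemu.conf-style file for the three privilege-weakening settings listed in
# the report. Assumes libvirt's "key = value" syntax with '#' comments.

# Print the effective value of KEY in FILE (last uncommented assignment wins),
# with a trailing comment and surrounding double quotes stripped.
qemu_conf_value() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" \
        | sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//' \
        | tail -n 1
}

# Print a space-separated list of the weakenings present in FILE, given the
# SELinux mode string (as printed by getenforce) as the second argument.
# Prints nothing when none of the three are in effect.
weak_settings() {
    file=$1; mode=$2
    found=""
    [ "$(qemu_conf_value clear_emulator_capabilities "$file")" = "0" ] \
        && found="$found clear_emulator_capabilities=0"
    [ "$(qemu_conf_value user "$file")" = "root" ] \
        && found="$found user=root"
    [ "$mode" != "Enforcing" ] && found="$found selinux=$mode"
    echo "${found# }"
}

# Constructed sample qemu.conf fragment mirroring the workaround state.
sample=${TMPDIR:-/tmp}/qemu_conf_sample.$$
cat > "$sample" <<'EOF'
# constructed sample, not copied from a real host
#user = "qemu"
user = "root"              # workaround 2
group = "kvm"
clear_emulator_capabilities = 0   # workaround 1
EOF

result=$(weak_settings "$sample" Permissive)
if [ -n "$result" ]; then
    echo "weakened qemu isolation: $result"
else
    echo "no isolation-weakening settings found"
fi
rm -f "$sample"
```

On a live host, `weak_settings /etc/libvirt/qemu.conf "$(getenforce)"` gives the same report; an empty result means the configuration has been returned to the defaults (capabilities cleared, unprivileged qemu user, SELinux enforcing).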

Daniel Walsh 2013-01-14 13:11:59 EST
Looks like this is fixed in selinux-policy-3.11.1-70.fc18.src.rpm

But Dan Berrange asked me to make this the default and remove virt_use_sysfs altogether, which is fine with me.

c02f1786d5176b0367494d27280d036996c77cdc fixes this.