It doesn't start as staff_u:staff_r:staff_t or staff_u:sysadm_r:sysadm_t. I run -9999 policies.

% qemu-system-x86_64
Could not initialize SDL(No available video device) - exiting

Enforcing:
Nov 1 19:17:14 localhost kernel: [18269.138589] type=1400 audit(1351793834.802:142): avc: denied { read } for pid=5365 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov 1 19:17:14 localhost kernel: [18269.289364] type=1400 audit(1351793834.953:143): avc: denied { connectto } for pid=5364 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket

Permissive:
Nov 1 19:18:12 localhost kernel: [18326.361917] type=1400 audit(1351793892.139:145): avc: denied { read } for pid=5379 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.361953] type=1400 audit(1351793892.139:146): avc: denied { open } for pid=5379 comm="qemu-system-x86" path="/sys/devices/system/cpu/online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.391388] type=1400 audit(1351793892.168:147): avc: denied { connectto } for pid=5378 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket
Nov 1 19:18:12 localhost kernel: [18326.391521] type=1400 audit(1351793892.168:148): avc: denied { read } for pid=5378 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.391553] type=1400 audit(1351793892.168:149): avc: denied { open } for pid=5378 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.391579] type=1400 audit(1351793892.168:150): avc: denied { getattr } for pid=5378 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20714467 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.400096] type=1400 audit(1351793892.177:151): avc: denied { read } for pid=2643 comm="X" name="cmdline" dev="proc" ino=1506421 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.400106] type=1400 audit(1351793892.177:152): avc: denied { open } for pid=2643 comm="X" path="/proc/5378/cmdline" dev="proc" ino=1506421 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 1 19:18:12 localhost kernel: [18326.510908] type=1400 audit(1351793892.288:153): avc: denied { unix_read unix_write } for pid=2643 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm

Reproducible: Always

Portage 2.1.11.31 (hardened/linux/amd64/selinux, gcc-4.6.3, glibc-2.15-r3, 3.6.1-hardened x86_64)
=================================================================
System uname: Linux-3.6.1-hardened-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.2
Timestamp of tree: Tue, 30 Oct 2012 19:30:01 +0000
ld GNU ld (GNU Binutils) 2.23
app-shells/bash: 4.2_p37
dev-lang/python: 2.7.3-r2, 3.2.3-r1
dev-util/cmake: 2.8.9-r1
dev-util/pkgconfig: 0.27.1
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.2
sys-apps/sandbox: 2.6
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.11.6, 1.12.4
sys-devel/binutils: 2.23
sys-devel/gcc: 4.6.3
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc: 2.15-r3
Repositories: gentoo x11 hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3 PUEL skype-4.0.0.7-copyright google-talkplugin"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_GB pl"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/x11 /var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cups cxx dbus dri dvd gdbm gif gpm hardened iconv icu ipv6 jpeg justify mmx mng modules mp3 mudflap multilib ncurses nls nptl open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 sse4_1 sse4_2 ssl ssse3 tcpd tiff udev unicode urandom usb v4l vaapi vim-syntax wacom wifi xft xinerama xtpax zlib zsh-completion"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="mouse keyboard evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_GB pl"
PHP_TARGETS="php5-3"
PYTHON_TARGETS="python3_2 python2_7"
QEMU_SOFTMMU_TARGETS="x86_64"
RUBY_TARGETS="ruby18 ruby19"
USERLAND="GNU"
VIDEO_CARDS="nouveau"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
There's a boolean called "virt_use_xserver" which you need to toggle on if you use the SDL approach. For sysfs, you can toggle "virt_use_sysfs".
# getsebool -a | grep virt
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sysfs --> on
virt_use_usb --> off
virt_use_xserver --> on

As user, staff_u:staff_r:staff_t with policy:

policy_module(qemustaff, 1.0.0)

require {
    type staff_t;
    role staff_r;
}

qemu_run(staff_t, staff_r)

Enforcing:
Nov 11 18:06:44 lain kernel: [20076.499347] type=1400 audit(1352653604.042:3987): avc: denied { read } for pid=28245 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file

Permissive:
Nov 11 18:06:52 lain kernel: [20085.305737] type=1400 audit(1352653612.866:3989): avc: denied { read } for pid=28276 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305768] type=1400 audit(1352653612.866:3990): avc: denied { open } for pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305793] type=1400 audit(1352653612.866:3991): avc: denied { getattr } for pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305810] type=1400 audit(1352653612.866:3992): avc: denied { read } for pid=1969 comm="X" name="cmdline" dev="proc" ino=2322956 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.305829] type=1400 audit(1352653612.866:3993): avc: denied { open } for pid=1969 comm="X" path="/proc/28276/cmdline" dev="proc" ino=2322956 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.372177] type=1400 audit(1352653612.932:3994): avc: denied { unix_read unix_write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 11 18:06:52 lain kernel: [20085.372187] type=1400 audit(1352653612.932:3995): avc: denied { read write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 11 18:06:52 lain kernel: [20085.372212] type=1400 audit(1352653612.932:3996): avc: denied { read write } for pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=405504003 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 11 18:06:52 lain kernel: [20085.372231] type=1400 audit(1352653612.932:3997): avc: denied { getattr associate } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm

As root, staff_u:sysadm_r:sysadm_t

Enforcing:
Nov 11 18:08:36 lain kernel: [20188.575918] type=1400 audit(1352653716.341:4001): avc: denied { dac_override } for pid=28399 comm="qemu-system-x86" capability=1 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:36 lain kernel: [20188.575935] type=1400 audit(1352653716.341:4002): avc: denied { dac_read_search } for pid=28399 comm="qemu-system-x86" capability=2 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:36 lain kernel: [20188.575944] type=1400 audit(1352653716.341:4003): avc: denied { dac_override } for pid=28399 comm="qemu-system-x86" capability=1 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability

Permissive:
Nov 11 18:08:45 lain kernel: [20197.827314] type=1400 audit(1352653725.611:4005): avc: denied { dac_override } for pid=28439 comm="qemu-system-x86" capability=1 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:sysadm_r:qemu_t tclass=capability
Nov 11 18:08:45 lain kernel: [20197.827358] type=1400 audit(1352653725.611:4006): avc: denied { read } for pid=28439 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.827381] type=1400 audit(1352653725.611:4007): avc: denied { open } for pid=28439 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.827400] type=1400 audit(1352653725.611:4008): avc: denied { getattr } for pid=28439 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:sysadm_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.897640] type=1400 audit(1352653725.681:4009): avc: denied { unix_read unix_write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Nov 11 18:08:45 lain kernel: [20197.897660] type=1400 audit(1352653725.681:4010): avc: denied { read write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Nov 11 18:08:45 lain kernel: [20197.897709] type=1400 audit(1352653725.681:4011): avc: denied { read write } for pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=409665539 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 11 18:08:45 lain kernel: [20197.897736] type=1400 audit(1352653725.681:4012): avc: denied { getattr associate } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:sysadm_r:qemu_t tclass=shm
Ok, do you get any errors (by qemu) when you want to start it, or does it just fail silently (with an error code)? If you add in "xserver_read_user_xauth(qemu_t)" what happens then?
Yes, it starts with xserver_read_user_xauth(qemu_t).

Enforcing:
Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154): avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm

Permissive:
Nov 14 20:59:19 lain kernel: [39914.168472] type=1400 audit(1352923159.964:156): avc: denied { read } for pid=1973 comm="X" name="cmdline" dev="proc" ino=3585169 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 14 20:59:19 lain kernel: [39914.168488] type=1400 audit(1352923159.964:157): avc: denied { open } for pid=1973 comm="X" path="/proc/5471/cmdline" dev="proc" ino=3585169 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
Nov 14 20:59:20 lain kernel: [39914.231533] type=1400 audit(1352923160.027:158): avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 14 20:59:20 lain kernel: [39914.231543] type=1400 audit(1352923160.027:159): avc: denied { read write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
Nov 14 20:59:20 lain kernel: [39914.231577] type=1400 audit(1352923160.027:160): avc: denied { read write } for pid=1973 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=1173028867 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
Nov 14 20:59:20 lain kernel: [39914.231592] type=1400 audit(1352923160.027:161): avc: denied { getattr associate } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
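The denials in this bug are easier to reason about once they are collapsed per (source type, target type, class): qemu_t needs xauth_home_t and a connectto to the X server's socket (the hex path 002F746D702F2E5831312D756E69782F5830 is the abstract socket "\0/tmp/.X11-unix/X0"), while the remaining denials run the other way, from xserver_t onto qemu_t and its qemu_tmpfs_t segment (2F535953563030303030303030202864656C6574656429 is "/SYSV00000000 (deleted)", a MIT-SHM segment), which no rule on qemu's side can fix. The script below is an added example, not code from the bug or from the Gentoo policy; it summarises AVC lines taken from this bug and writes the local module the thread arrives at (qemu_run plus xserver_read_user_xauth). The refpolicy Makefile location /usr/share/selinux/strict/include/Makefile is an assumption for a Gentoo "strict" policy type; the build and load step needs root and is only run when called with "install".

```shell
#!/bin/sh
# Added example (not part of the bug report): collapse AVC denials into one
# line per (source type, target type, class), and write/build the local
# qemustaff module discussed in this bug. Assumptions are marked inline.

# Sample denials, copied from the ones quoted in this bug.
sample_avcs() {
    cat <<'EOF'
type=1400 audit(1351793834.802:142): avc: denied { read } for pid=5365 comm="qemu-system-x86" name="online" dev="sysfs" ino=36 scontext=staff_u:staff_r:qemu_t tcontext=system_u:object_r:sysfs_t tclass=file
type=1400 audit(1351793834.953:143): avc: denied { connectto } for pid=5364 comm="qemu-system-x86" path=002F746D702F2E5831312D756E69782F5830 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:staff_r:xserver_t tclass=unix_stream_socket
type=1400 audit(1352653612.866:3989): avc: denied { read } for pid=28276 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
type=1400 audit(1352653612.866:3990): avc: denied { open } for pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
type=1400 audit(1352653612.866:3991): avc: denied { getattr } for pid=28276 comm="qemu-system-x86" path="/home/amade/.Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
type=1400 audit(1352653612.866:3992): avc: denied { read } for pid=1969 comm="X" name="cmdline" dev="proc" ino=2322956 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=file
type=1400 audit(1352653612.932:3994): avc: denied { unix_read unix_write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
type=1400 audit(1352653612.932:3995): avc: denied { read write } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
type=1400 audit(1352653612.932:3996): avc: denied { read write } for pid=1969 comm="X" path=2F535953563030303030303030202864656C6574656429 dev="tmpfs" ino=405504003 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:object_r:qemu_tmpfs_t tclass=file
type=1400 audit(1352653612.932:3997): avc: denied { getattr associate } for pid=1969 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
EOF
}

# Read AVC lines on stdin; print one allow-rule-shaped line per
# (source type, target type, class) with the union of denied permissions
# in first-seen order. The type is the third colon-separated field of a
# context, so MLS contexts with a trailing level are handled too.
avc_summary() {
    awk '
    /avc: +denied/ {
        line = $0
        i = index(line, "{"); j = index(line, "}")   # first brace pair holds the permissions
        perms = substr(line, i + 1, j - i - 1)
        match(line, /scontext=[^ ]+/); split(substr(line, RSTART + 9, RLENGTH - 9), s, ":")
        match(line, /tcontext=[^ ]+/); split(substr(line, RSTART + 9, RLENGTH - 9), t, ":")
        match(line, /tclass=[^ ]+/);   cls = substr(line, RSTART + 7, RLENGTH - 7)
        key = s[3] SUBSEP t[3] SUBSEP cls
        src[key] = s[3]; tgt[key] = t[3]; klass[key] = cls
        n = split(perms, p, " ")
        for (k = 1; k <= n; k++)
            if (!((key, p[k]) in seen)) { seen[key, p[k]] = 1; acc[key] = acc[key] " " p[k] }
    }
    END {
        for (key in acc)
            printf "allow %s %s:%s {%s };\n", src[key], tgt[key], klass[key], acc[key]
    }' | sort
}

# Write the local module from this bug: staff_t may run qemu (transition to
# qemu_t) and qemu_t may read the user's ~/.Xauthority (xauth_home_t), which
# the SDL front end needs before it can authenticate to the X server.
write_qemustaff_te() {
    cat > "$1" <<'EOF'
policy_module(qemustaff, 1.0.1)

require {
    type staff_t;
    type qemu_t;
    role staff_r;
}

# Let staff_u:staff_r:staff_t execute qemu and transition into qemu_t
qemu_run(staff_t, staff_r)

# Let qemu_t read the X authority cookie in the user's home directory
xserver_read_user_xauth(qemu_t)
EOF
}

# Build and load the module, then set the two booleans named in this bug.
# Assumption: refpolicy headers live under /usr/share/selinux/strict/include
# (Gentoo, "strict" policy type); adjust the path for other policy types.
build_and_load() {
    te="$1"
    dir=$(dirname "$te"); name=$(basename "$te" .te)
    ( cd "$dir" && make -f /usr/share/selinux/strict/include/Makefile "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp" || return 1
    setsebool -P virt_use_xserver on
    setsebool -P virt_use_sysfs on
}

case "${1:-summary}" in
    summary) sample_avcs | avc_summary ;;
    install) d=$(mktemp -d) && write_qemustaff_te "$d/qemustaff.te" && build_and_load "$d/qemustaff.te" ;;
    *) echo "usage: $0 [summary|install]" >&2; exit 2 ;;
esac
```

The summary lines are printed in allow-rule shape only so they can be read and grouped; in a refpolicy module they should be expressed through interfaces, as the .te above does (audit2allow -R does a similar mapping). Note that the xserver_t lines are the X server reading qemu's /proc entry and its MIT-SHM segment: they appear with the source and target swapped and are exactly what xserver_read_user_xauth(qemu_t) does not cover, which is why the thread moves on to treating qemu as an X client domain.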
I'm tempted to make it an xserver application through "xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)". This will allow all that is needed to run something as an xserver application, which is imo what this is about (when using the SDL approach). I personally use VNC support instead of SDL, so I don't need it. Sadly, this too uses attributes underneath, so I can't use a tunable to allow or disallow this.
In repo, will be in r8
r8 in hardened-dev overlay
r8 is now in main tree, ~arch
r8 is now stable