How to share a VM with Gnome Boxes

By default Gnome Boxes uses qemu:///session instead of qemu:///system, because this makes desktop integration easier and avoids permission issues.

But if I want to share the same VM on the same desktop with another user (my wife), “qemu:///session” and “SELinux” can be an issue. On Fedora, sVirt and SELinux are enabled by default. This makes it impossible to run the same VM from different users (not at the same time) due to Dynamic Resource Labeling.

The easiest solution I’ve found was to disable SELinux only for the domain “virt_t”.

First export your VM settings (if you already have a VM):

virsh dumpxml sharedVM > sharedVM.xml

Then move the VM image to a folder that both users can access (and write to). In my case:

/home/Public/VMs

Set the owner and permissions on the new VM folder (mode 777 makes it writable by every local account, not only the two users):

chown root:users /home/Public/VMs

chmod 777 /home/Public/VMs

...and update sharedVM.xml to match the new path.
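One way to do the path update without hand-editing the XML, as an added example that is not part of the original post: it rewrites every file-backed disk path in the exported XML to the shared folder and keeps each image's file name. The function names and the sample XML (including the /home/alice path) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): point the file-backed disks of an
# exported libvirt domain XML at the shared folder, keeping each image file name.

# Print every file-backed disk path found in the XML, one per line.
list_disk_paths() {
    sed -n -E "s#.*<source file=['\"]([^'\"]+)['\"].*#\1#p" "$1"
}

# Print the XML with each disk path rewritten to <new_dir>/<image file name>.
# Only <source file=...> is touched; block devices (<source dev=...>) are kept.
rewrite_disk_paths() {
    xml=$1
    # Strip a trailing slash, then escape characters special in a sed replacement.
    new_dir=$(printf '%s' "${2%/}" | sed 's/[&#\\]/\\&/g')
    sed -E "s#(<source file=['\"])[^'\"]*/([^/'\"]+)(['\"])#\1${new_dir}/\2\3#" "$xml"
}

# Constructed sample resembling `virsh dumpxml` output (paths are made up).
write_sample_xml() {
    cat > "$1" <<'EOF'
<domain type='kvm'>
  <name>sharedVM</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/home/alice/.local/share/gnome-boxes/images/sharedVM.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='block' device='cdrom'>
      <source dev='/dev/sr0'/>
      <target dev='hdc' bus='ide'/>
    </disk>
  </devices>
</domain>
EOF
}

# Demo on the constructed sample: rewrite, then list the resulting disk paths.
sample=$(mktemp)
write_sample_xml "$sample"
rewrite_disk_paths "$sample" /home/Public/VMs > "$sample.new"
list_disk_paths "$sample.new"
rm -f "$sample" "$sample.new"
```

On a real export, redirect the output of rewrite_disk_paths to a new file and check it with list_disk_paths before importing it.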

Import the exported VM for both users. Run this command from both accounts:

virsh create sharedVM.xml

Set the virt_t domain to permissive mode, so SELinux logs denials for that domain instead of enforcing them:

semanage permissive -a virt_t

Now you can start sharedVM with either one of the two users.

 

Via: http://blog.wikichoon.com/2016/01/qemusystem-vs-qemusession.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/ch07s02.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Security_Guide/sect-Virtualization_Security_Guide-sVirt-Labels-Static_Configuration_without_Dynamic_Resource_Labeling.html
http://www.ibm.com/support/knowledgecenter/linuxonibm/liabp/liabpsecsvirtstatic.htm
