[libvirt-users] libvirt, selinux, moving images to ~/images does not work

Alexey Kardashevskiy aik at ozlabs.ru
Mon Apr 8 07:14:26 UTC 2013


Hi!

Setting security_driver to "none" (instead of "selinux") fixed the problem 
so I presumed that selinux is the problem here. But you're right after all, 
this helped:

[root at vpl2 ~]# chmod 777 /home/aik/
[root at vpl2 ~]# chmod 777 /home/aik/virtimg/

Thanks!



On 04/08/2013 05:06 PM, yue wrote:
> Hi,
> in my case, it works.
> MAC is after DAC, so you should confirm libvirtd has the permission to your
> home dir.
>
> thanks
>
>
>
> At 2013-04-08 14:53:36,"Alexey Kardashevskiy" <aik at ozlabs.ru> wrote:
>>Hi!
>>
>>I am trying libvirt on POWERPC64 with the default settings such as selinux
>>enabled. It is all good till I move images out of /var/lib/libvirt/images/.
>>
>>http://libvirt.org/drvqemu.html#securityselinux is saying that "If
>>attempting to use disk images in another location, the user/administrator
>>must ensure the directory has be given this requisite label. Likewise
>>physical block devices must be labelled system_u:object_r:virt_image_t.".
>>
>>So did I:
>>
>>[root at vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images
>>drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg
>>drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images
>>
>>[root at vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images
>>/home/aik/virtimg:
>>-rwxrwxrwx. root root system_u:object_r:virt_content_t:s0
>>Fedora-18-ppc64-DVD.iso
>>
>>/var/lib/libvirt/images:
>>-rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest
>>
>>
>>However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with
>>"avc:  denied  { dac_override }" and "avc:  denied  { dac_read_search }".
>>Also, there is "user system_u is not defined" in /var/log/messages, which is
>>confusing as "semanage user -l" says it is there.
>>
>>If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the
>>problem goes away and everything works fine.
>>
>>
>>I am running a custom-built 3.8 kernel and libvirt from git ("eebbb23 qemu:
>>support URI syntax for NBD").
>>
>>More detailed output is below, this is all from the host system.
>>
>>
>>What am I missing? Thank you.
>>
>>
>>[root at vpl2 ~]# tail /var/log/messages
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid:
>>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user
>>system_u is not defined
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could
>>not create context structure
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could
>>not create context structure
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid:
>>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user
>>system_u is not defined
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could
>>not create context structure
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could
>>not create context structure
>>Apr  8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid:
>>could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
>>Apr  8 16:47:48 vpl2 libvirtd[5041]: failed to connect to monitor socket:
>>No such process
>>
>>
>>[root at vpl2 ~]# semanage user -l
>>
>>                 Labeling   MLS/       MLS/
>>SELinux User    Prefix     MCS Level  MCS Range
>>SELinux Roles
>>
>>git_shell_u     user       s0         s0
>>git_shell_r
>>guest_u         user       s0         s0                             guest_r
>>root            user       s0         s0-s0:c0.c1023
>>staff_r sysadm_r system_r unconfined_r
>>staff_u         user       s0         s0-s0:c0.c1023
>>staff_r sysadm_r system_r unconfined_r
>>sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
>>system_u        user       s0         s0-s0:c0.c1023
>>system_r unconfined_r
>>unconfined_u    user       s0         s0-s0:c0.c1023
>>system_r unconfined_r
>>user_u          user       s0         s0                             user_r
>>xguest_u        user       s0         s0                             xguest_r
>>
>>
>>
>>[root at vpl2 ~]# tail /var/log/audit/audit.log
>>type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2
>>entries=60
>>type=NETFILTER_CFG msg=audit(1365403596.177:4508): table=nat family=2
>>entries=61
>>type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for
>>  pid=8944 comm="qemu-system-ppc" capability=1
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search }
>>for  pid=8944 comm="qemu-system-ppc" capability=2
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4511): avc:  denied  { dac_override } for
>>  pid=8944 comm="qemu-system-ppc" capability=1
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4512): avc:  denied  { dac_read_search }
>>for  pid=8944 comm="qemu-system-ppc" capability=2
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4513): avc:  denied  { dac_override } for
>>  pid=8944 comm="qemu-system-ppc" capability=1
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4514): avc:  denied  { dac_read_search }
>>for  pid=8944 comm="qemu-system-ppc" capability=2
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4515): avc:  denied  { dac_override } for
>>  pid=8944 comm="qemu-system-ppc" capability=1
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>type=AVC msg=audit(1365403606.017:4516): avc:  denied  { dac_read_search }
>>for  pid=8944 comm="qemu-system-ppc" capability=2
>>scontext=system_u:system_r:svirt_t:s0:c574,c809
>>tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
>>
>>
>>
>>
>>[root at vpl2 ~]# libvirtd --version
>>libvirtd (libvirt) 1.0.3
>>[root at vpl2 ~]# yum info policycoreutils
>>[...]
>>Arch        : ppc64
>>Version     : 2.1.13
>>Release     : 59.fc18
>>Size        : 3.8 M
>>
>>[root at vpl2 ~]# cat /etc/fedora-release
>>Fedora release 18 (Spherical Cow)
>>
>>[root at vpl2 ~]# uname -a
>>Linux vpl2.ozlabs.ibm.com 3.8.0-kvm-64k-aik+ #376 SMP Mon Apr 8 14:40:40
>>EST 2013 ppc64 ppc64 ppc64 GNU/Linux
>>
>>[aik at vpl2 ~]$ cat libvirtguest-aik.xml
>><domain type='kvm'>
>>	<name>AikLibvirtTest</name>
>>	<memory>2097152</memory>
>>	<vcpu>2</vcpu>
>>	<os>
>>		<type arch='ppc64' machine='pseries'>hvm</type>
>>		<boot dev='cdrom'/>
>>		<boot dev='hd'/>
>>	</os>
>>	<clock offset='utc'/>
>>	<devices>
>>		<emulator>/usr/local/bin/qemu-system-ppc64</emulator>
>>		<disk type='file' device='disk' >
>>			<driver name='qemu' type='raw'/>
>>			<source file='/var/lib/libvirt/images/fc18guest'/>
>>			<target dev='sda' bus='scsi'/>
>>		</disk>
>>		<disk type='file' device='cdrom' >
>>			<driver name='qemu' type='raw'/>
>>			<source file='/home/aik/virtimg/Fedora-18-ppc64-DVD.iso'/>
>>			<target dev='sdc' bus='scsi'/>
>>			<readonly/>
>>		</disk>
>>		<serial type='pty'>
>>			<target port='0'/>
>>		</serial>
>>		<console type='pty'>
>>			<target type='serial' port='0'/>
>>		</console>
>>		<memballoon model='virtio'/>
>>	</devices>
>>
>></domain>


-- 
Alexey
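An added example, not code from the thread or from libvirt, showing the diagnosis yue's reply points at: a capability-class denial for dac_override or dac_read_search with identical source and target contexts means the confined qemu process failed an ordinary mode-bit check and tried to override it, so relabelling cannot help and the permissions along the path must be fixed. The first two audit records are the thread's own denials joined onto single lines; the third record, the qemu uid (107) and the directory modes are constructed for illustration.

```python
import re
import stat

# Field layout of an AVC record as in the audit.log excerpt quoted in the thread.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=\d+ comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
# A confined process asks for these only after the ordinary mode-bit check failed.
DAC_CAPS = {"dac_override", "dac_read_search"}

def classify_avc(record):
    """("dac", comm) when the denial is really a mode-bits problem that relabelling
    cannot fix, ("mac", comm) for a genuine type-enforcement denial, else None."""
    m = AVC_RE.search(record)
    if not m:
        return None
    perms = set(m.group("perms").split())
    if (m.group("tclass") == "capability" and perms <= DAC_CAPS
            and m.group("scon") == m.group("tcon")):
        return ("dac", m.group("comm"))
    return ("mac", m.group("comm"))

def first_blocked_dir(entries, uid, gids):
    """entries: (path, mode, owner_uid, owner_gid) per directory on the way to the
    image; return the first one the given user cannot search (x bit), or None."""
    for path, mode, ouid, ogid in entries:
        bit = stat.S_IXUSR if ouid == uid else stat.S_IXGRP if ogid in gids else stat.S_IXOTH
        if not mode & bit:
            return path
    return None

# Constructed input: the thread's two denials joined onto one line each, plus a
# file-class denial on a mislabelled image, which a relabel would actually fix.
SAMPLE_AVC = [
    'type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for  pid=8944 comm="qemu-system-ppc" '
    'capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability',
    'type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search } for  pid=8944 comm="qemu-system-ppc" '
    'capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability',
    'type=AVC msg=audit(1365403700.000:4600): avc:  denied  { read } for  pid=8944 comm="qemu-system-ppc" name="x.iso" '
    'dev="sda3" ino=1234 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]
# Constructed directory chain: /home/aik is 0700 (uid 1000), so the qemu user (uid 107,
# an assumed value) cannot traverse it despite the virt_image_t label on virtimg below.
# Search permission (o+x) on /home/aik is all that is missing; 777 grants far more.
QEMU_UID, QEMU_GIDS = 107, {107}
BEFORE = [("/home", 0o755, 0, 0), ("/home/aik", 0o700, 1000, 1000), ("/home/aik/virtimg", 0o755, 0, 0)]
AFTER = [(p, 0o711 if p == "/home/aik" else m, u, g) for p, m, u, g in BEFORE]
```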
