[libvirt-users] libvirt_lxc: SELinux MCS
Daniel P. Berrange
berrange at redhat.com
Thu Oct 31 16:01:02 UTC 2013
On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote:
> Hello list,
>
> my name is Matteo, I'm new to this list.
> I'm working on a multi-tenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
> Every container runs a separate instance of OpenSSH and Apache HTTPd. I need to give root privileges to the developers, so I am trying to configure SELinux using sVirt and MCS.
> I tried the secmodel types dynamic and static in the XML file, but it didn't work; I received the following errors:
>
> error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
> error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
>
> I configured the following secmodel definitions and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
>
> <seclabel type='static' model='selinux' relabel='no'>
> <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
>
> or:
>
> <seclabel type='dynamic' model='selinux' relabel='yes'>
> <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
>
> I tried compiling the latest version from the master branch in git; the result was always the same, and the error was related to the SELinux driver not being enabled.
> The output from "virsh -c lxc:/// capabilities" doesn't show the secmodel and doi tags for the lxc driver the way the qemu/kvm driver shows them for the selinux driver.
>
> How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?
RHEL-6.4 is too old to have support for SELinux with LXC.
Specifically, its libselinux lacks the selinux_lxc_contexts_path()
method that libvirt requires, hence libvirt will disable its
support for SELinux with LXC when built on RHEL-6.4.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
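Two checks a practitioner would want before debugging a setup like the one in the thread: does the driver's capabilities output advertise a selinux secmodel at all (on the RHEL-6.4 build it does not, so no seclabel will work), and, for a static label, do the container's process context and the rootfs file context carry compatible MCS sensitivity and categories. The script below is an added example, not code from the thread or from libvirt; the two capabilities documents are constructed samples (the doi value is an assumption), while the seclabel and rootfs label are the ones Matteo posted.

```python
"""Added example: inspect libvirt capabilities for a SELinux secmodel and check
that a static <seclabel> and the rootfs label agree on MCS sensitivity/categories."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `virsh -c lxc:/// capabilities` on a host whose libvirt
# build has the SELinux driver enabled for LXC (element names follow libvirt's
# schema; the doi value is an assumption).
CAPS_WITH_SELINUX = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>"""

# Constructed sample for a build where the SELinux driver is disabled, as on
# the RHEL-6.4 host in the thread: no <secmodel> element at all.
CAPS_WITHOUT_SELINUX = """<capabilities>
  <host>
  </host>
</capabilities>"""

# The static seclabel and rootfs label from the thread.
SECLABEL_XML = """<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>"""
ROOTFS_LABEL = "system_u:object_r:svirt_lxc_file_t:s0:c30,c50"

# SELinux context: user:role:type:sensitivity[:categories]
# Categories are written as a list (c30,c50) and/or a range (c0.c1023).
_CTX = re.compile(r"^([^:]+):([^:]+):([^:]+):(s\d+)(?::(c\d+(?:[,.]c\d+)*))?$")


def secmodels(caps_xml):
    """Return the security model names advertised under <host>."""
    root = ET.fromstring(caps_xml)
    return [m.text for m in root.findall("./host/secmodel/model")]


def has_selinux_model(caps_xml):
    """True only when the driver advertises a selinux secmodel; a build that
    disabled the SELinux driver advertises none, so any seclabel will fail."""
    return "selinux" in secmodels(caps_xml)


def expand_categories(cats):
    """Expand 'c30,c50' or 'c0.c3' into a set of category numbers."""
    result = set()
    if not cats:
        return result
    for part in cats.split(","):
        if "." in part:
            lo, hi = part.split(".")
            result.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            result.add(int(part[1:]))
    return result


def parse_context(ctx):
    """Split a SELinux context string into its fields; reject malformed input."""
    m = _CTX.match(ctx)
    if not m:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    user, role, typ, sens, cats = m.groups()
    return {"user": user, "role": role, "type": typ,
            "sens": sens, "cats": expand_categories(cats)}


def seclabel_context(seclabel_xml):
    """Return the <label> text of a selinux <seclabel>; a static label with no
    <label> element is rejected, since libvirt cannot apply it."""
    el = ET.fromstring(seclabel_xml)
    if el.get("model") != "selinux":
        raise ValueError("not a selinux seclabel")
    label = el.findtext("label")
    if el.get("type") == "static" and not label:
        raise ValueError("static seclabel requires a <label>")
    return label


def mcs_matches(proc_ctx, file_ctx):
    """MCS lets a process reach a file only when sensitivities are equal and the
    file's categories are a subset of the process's; sVirt gives each container
    one category pair, so a single differing category denies the rootfs."""
    p, f = parse_context(proc_ctx), parse_context(file_ctx)
    return p["sens"] == f["sens"] and f["cats"] <= p["cats"]


if __name__ == "__main__":
    print("selinux model advertised:", has_selinux_model(CAPS_WITH_SELINUX))
    print("labels compatible:", mcs_matches(seclabel_context(SECLABEL_XML), ROOTFS_LABEL))
```

On a live host, feed the real output of `virsh -c lxc:/// capabilities` to `has_selinux_model()` and the output of `ls -Zd` on the rootfs to `mcs_matches()`; if the first check fails, as it does on RHEL-6.4, no amount of label tuning will help, because the driver is not loaded.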