[libvirt-users] libvirt_lxc: SELinux MCS

Daniel P. Berrange berrange at redhat.com
Thu Oct 31 16:01:02 UTC 2013


On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote:
> Hello list,
> 
> my name is Matteo, I'm new on this list.
> I'm working on a multitenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
> Every container runs a separate instance of OpenSSH and Apache HTTPd. I need to give root privileges to the developers, and I am trying to configure SELinux using sVirt and MCS.
> I tried the secmodel types dynamic and static in the XML file but it didn't work; I received the following errors:
> 
> error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
> error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
> 
> I configured the following secmodel definitions and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
> 
> <seclabel type='static' model='selinux' relabel='no'>
>    <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
> 
> or:
> 
> <seclabel type='dynamic' model='selinux' relabel='yes'>
>    <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
> 
> I tried to compile the latest version from the git master branch; the result was always the same, and the error was related to the SELinux driver not being enabled.
> The output of "virsh -c lxc:/// capabilities" for the lxc driver doesn't show the secmodel and doi tags for the SELinux driver like the qemu/kvm output does.
> 
> How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?

RHEL-6.4 is too old to have support for SELinux with LXC.

Specifically, its libselinux lacks the selinux_lxc_contexts_path()
method that libvirt requires, hence libvirt will disable its
support for SELinux with LXC when built on RHEL-6.4.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
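
A pre-flight check in the spirit of this exchange (added here; not code from the thread or from libvirt): it parses a constructed sample of `virsh -c lxc:/// capabilities` output to see whether the LXC driver advertises the selinux secmodel at all, and checks the posted seclabel against the MCS categories of the rootfs label. Both XML samples are constructed for illustration.

```python
# Added example, not from the thread. Pre-flight check for a libvirt LXC
# seclabel: does the host driver advertise the requested model, and do the
# MCS categories of the process label match those applied to the rootfs?
import xml.etree.ElementTree as ET

# Constructed sample: capabilities of an LXC driver built without SELinux
# support (as on RHEL-6.4); no <secmodel> is advertised.
CAPS_NO_SELINUX = """<capabilities>
  <host>
    <uuid>00000000-0000-0000-0000-000000000000</uuid>
  </host>
</capabilities>"""

# Constructed sample: a driver that does advertise the SELinux model.
CAPS_WITH_SELINUX = """<capabilities>
  <host>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>"""

# The static seclabel and rootfs label from the original post.
SECLABEL_XML = """<seclabel type='static' model='selinux' relabel='no'>
   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>"""
ROOTFS_LABEL = "system_u:object_r:svirt_lxc_file_t:s0:c30,c50"

def host_secmodels(caps_xml):
    """Return the set of security models the host driver advertises."""
    root = ET.fromstring(caps_xml)
    return {m.text for m in root.findall("./host/secmodel/model")}

def mcs_categories(label):
    """Extract the MCS category set from user:role:type:s0:c30,c50."""
    parts = label.split(":")
    return set(parts[4].split(",")) if len(parts) >= 5 else set()

def check_seclabel(caps_xml, seclabel_xml, rootfs_label):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    sec = ET.fromstring(seclabel_xml)
    model = sec.get("model")
    if model not in host_secmodels(caps_xml):
        problems.append("driver does not advertise model %r" % model)
    label_el = sec.find("label")
    if sec.get("type") == "static" and (label_el is None or not label_el.text):
        problems.append("static seclabel requires a <label>")
    if label_el is not None and label_el.text:
        if mcs_categories(label_el.text) != mcs_categories(rootfs_label):
            problems.append("MCS categories of process and rootfs labels differ")
    return problems
```

Run against the first sample it reports the missing model, which is the condition behind the "security label is missing" error in the thread; against the second it accepts the configuration.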