Hello list,

my name is Matteo, I'm new on this list.
I'm working on a multitenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
Every container runs a separate instance of OpenSSH and Apache HTTPd, and I need to give root privileges to the developers, so I tried to configure SELinux using svirt and MCS.
I tried the secmodel types dynamic and static in the XML file but it didn't work; I received the following error:

error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused

I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:

<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>

or:

<seclabel type='dynamic' model='selinux' relabel='yes'>
  <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>

I tried to compile the latest version from the master branch of git; the result was always the same, and the error was related to the SELinux driver not being enabled.
The output from "virsh -c lxc:/// capabilities" doesn't show the secmodel and doi tags for the lxc driver like qemu/kvm have for the SELinux driver.

How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?
SELinux is in enforcing mode.

Thanks in advance,
Matteo
On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote:
> Hello list,
>
> my name is Matteo, I'm new on this list.
> I'm working on a multitenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
> Every container runs a separate instance of OpenSSH and Apache HTTPd, and I need to give root privileges to the developers, so I tried to configure SELinux using svirt and MCS.
> I tried the secmodel types dynamic and static in the XML file but it didn't work; I received the following error:
>
> error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
> error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
>
> I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
>
> <seclabel type='static' model='selinux' relabel='no'>
>   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
>
> or:
>
> <seclabel type='dynamic' model='selinux' relabel='yes'>
>   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
>
> I tried to compile the latest version from the master branch of git; the result was always the same, and the error was related to the SELinux driver not being enabled.
> The output from "virsh -c lxc:/// capabilities" doesn't show the secmodel and doi tags for the lxc driver like qemu/kvm have for the SELinux driver.
>
> How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?

RHEL-6.4 is too old to have support for SELinux with LXC.

Specifically its libselinux lacks the selinux_lxc_contexts_path()
method that libvirt requires, hence libvirt will disable its
support for SELinux with LXC when built on RHEL-6.4.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
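Daniel's diagnosis points at two things an administrator can verify before trying a rebuild: whether the host's libselinux actually exports selinux_lxc_contexts_path() (the symbol libvirt's build checks for), and whether the running libvirt advertises an SELinux secmodel in its capabilities document, which is what Matteo's "virsh -c lxc:/// capabilities" output was missing. The script below is an added example for this thread, not libvirt's or Red Hat's code. It assumes libselinux is installed under the soname libselinux.so.1, and the two capabilities documents embedded in it are constructed samples, not output from anyone's machine.

```python
"""Check the two preconditions Daniel names for SELinux support in
libvirt's LXC driver.  Added example for the thread; not libvirt code."""
import ctypes
import sys
import xml.etree.ElementTree as ET


def libselinux_has_lxc_contexts(libname="libselinux.so.1"):
    """True/False if libselinux loads and does/doesn't export
    selinux_lxc_contexts_path(); None if the library is not present at all.
    The soname is an assumption for this example."""
    try:
        lib = ctypes.CDLL(libname)
    except OSError:
        return None
    # ctypes raises AttributeError for an unknown symbol, which hasattr hides.
    return hasattr(lib, "selinux_lxc_contexts_path")


def secmodels(capabilities_xml):
    """Map each <secmodel> under <host> in a `virsh capabilities` document
    to its <doi>.  An empty result means no security driver is active."""
    root = ET.fromstring(capabilities_xml)
    found = {}
    for sm in root.findall("./host/secmodel"):
        model = sm.findtext("model")
        if model:
            found[model] = sm.findtext("doi")
    return found


def selinux_driver_enabled(capabilities_xml):
    """Does the capabilities document advertise the selinux security model?"""
    return "selinux" in secmodels(capabilities_xml)


# Constructed sample: what a host with the SELinux driver active looks like.
CAPS_WITH_SELINUX = """<capabilities>
  <host>
    <uuid>00000000-0000-0000-0000-000000000000</uuid>
    <secmodel>
      <model>selinux</model>
      <doi>0</doi>
    </secmodel>
  </host>
</capabilities>"""

# Constructed sample: a host whose libvirt was built without SELinux support
# for this driver, so <host> carries no <secmodel> at all.
CAPS_WITHOUT_SECMODEL = """<capabilities>
  <host>
    <uuid>00000000-0000-0000-0000-000000000000</uuid>
  </host>
</capabilities>"""


if __name__ == "__main__":
    # With "-" as the argument, read a real capabilities document from stdin:
    #   virsh -c lxc:/// capabilities | python check_lxc_selinux.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        doc = sys.stdin.read()
    else:
        doc = CAPS_WITHOUT_SECMODEL
    print("libselinux exports selinux_lxc_contexts_path():",
          libselinux_has_lxc_contexts())
    print("security models advertised:", secmodels(doc) or "none")
    print("selinux driver enabled:", selinux_driver_enabled(doc))
```

Run without arguments it evaluates the constructed samples; with `-` it reads the real `virsh -c lxc:/// capabilities` output from stdin. If the first check returns False on the build host, rebuilding libvirt from git will not help, because configure will again disable SELinux support for LXC.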
On Oct 31, 2013, at 5:01 PM, Daniel P. Berrange <berrange@redhat.com> wrote:
> RHEL-6.4 is too old to have support for SELinux with LXC.
>
> Specifically its libselinux lacks the selinux_lxc_contexts_path()
> method that libvirt requires, hence libvirt will disable its
> support for SELinux with LXC when built on RHEL-6.4.

Hi,

thanks for the answer and for your work. Is it possible to enable this feature in Red Hat 6.5 (I'll try to install the beta version), or do I need to wait for version 7?
Eventually, do you know if it's possible to compile libselinux from Fedora 19?

Regards,
Matteo