Alexey Kardashevskiy
2013-Apr-08 06:53 UTC
[libvirt-users] libvirt, selinux, moving images to ~/images does not work
Hi!

I am trying libvirt on POWERPC64 with the default settings such as selinux enabled. It is all good till I move images out of /var/lib/libvirt/images/.

http://libvirt.org/drvqemu.html#securityselinux is saying that "If attempting to use disk images in another location, the user/administrator must ensure the directory has be given this requisite label. Likewise physical block devices must be labelled system_u:object_r:virt_image_t.".

So did I:

[root at vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images

[root at vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images
/home/aik/virtimg:
-rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso

/var/lib/libvirt/images:
-rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest

However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with "avc: denied { dac_override }" and "avc: denied { dac_read_search }". Also, there is "user system_u is not defined" in /var/log/messages, which is confusing as "semanage user -l" says it is there.

If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the problem goes away and everything works fine.

I am running a custom-built 3.8 kernel and libvirt from git ("eebbb23 qemu: support URI syntax for NBD").

More detailed output is below; this is all from the host system.

What am I missing? Thank you.

[root at vpl2 ~]# tail /var/log/messages
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 libvirtd[5041]: failed to connect to monitor socket: No such process

[root at vpl2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

git_shell_u     user       s0         s0               git_shell_r
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r

[root at vpl2 ~]# tail /var/log/audit/audit.log
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=NETFILTER_CFG msg=audit(1365403596.177:4508): table=nat family=2 entries=61
type=AVC msg=audit(1365403606.017:4509): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4511): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4512): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4513): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4514): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4515): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4516): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability

[root at vpl2 ~]# libvirtd --version
libvirtd (libvirt) 1.0.3

[root at vpl2 ~]# yum info policycoreutils
[...]
Arch        : ppc64
Version     : 2.1.13
Release     : 59.fc18
Size        : 3.8 M

[root at vpl2 ~]# cat /etc/fedora-release
Fedora release 18 (Spherical Cow)

[root at vpl2 ~]# uname -a
Linux vpl2.ozlabs.ibm.com 3.8.0-kvm-64k-aik+ #376 SMP Mon Apr 8 14:40:40 EST 2013 ppc64 ppc64 ppc64 GNU/Linux

[aik at vpl2 ~]$ cat libvirtguest-aik.xml
<domain type='kvm'>
  <name>AikLibvirtTest</name>
  <memory>2097152</memory>
  <vcpu>2</vcpu>
  <os>
    <type arch='ppc64' machine='pseries'>hvm</type>
    <boot dev='cdrom'/>
    <boot dev='hd'/>
  </os>
  <clock offset='utc'/>
  <devices>
    <emulator>/usr/local/bin/qemu-system-ppc64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/fc18guest'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/home/aik/virtimg/Fedora-18-ppc64-DVD.iso'/>
      <target dev='sdc' bus='scsi'/>
      <readonly/>
    </disk>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <memballoon model='virtio'/>
  </devices>
</domain>

--
Alexey
yue
2013-Apr-08 07:06 UTC
[libvirt-users] libvirt, selinux, moving images to ~/images does not work
Hi,

In my case, it works. MAC is after DAC, so you should confirm libvirtd has the permission to your home dir.

thanks
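An added example, written for this thread and not code from either poster: it pulls the AVC records out of audit.log text like the one quoted above, recognises the dac_override / dac_read_search capability denials as a failed DAC (owner/group/other) check rather than a labelling problem, and then walks the parent directories of an image path to report which one the qemu process cannot search, which is the check yue's reply points at. It assumes the qemu user is uid/gid 107 and uses a constructed directory tree (with a hypothetical 0700 home directory) in place of a live filesystem; pass os.stat instead to run it on a real host.

```python
from __future__ import annotations
import os
import re
import stat
from typing import Callable

# Constructed sample, modelled on the audit.log lines quoted in the thread.
SAMPLE_AUDIT = """\
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for  pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search } for  pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
"""
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perm>[\w ]+?) \}.*?comm="(?P<comm>[^"]+)".*?tclass=(?P<tclass>\w+)')

def parse_avc(text: str) -> list[dict]:
    """One dict (perm, comm, tclass) per AVC denial line; other record types are skipped."""
    return [m.groupdict() for m in map(AVC_RE.search, text.splitlines()) if m]

def diagnose(denials: list[dict]) -> str:
    """dac_override / dac_read_search in tclass=capability mean the plain owner/group/other
    check already failed and confined qemu asked for a capability svirt_t does not get."""
    perms = {d["perm"] for d in denials if d["tclass"] == "capability"}
    return "dac" if perms & {"dac_override", "dac_read_search"} else "other"

def dac_blocked_components(path: str, uid: int, gid: int,
                           stat_fn: Callable[[str], os.stat_result] = os.stat) -> list[str]:
    """Parent directories of `path` that uid/gid cannot search (no applicable x bit).
    An empty list means the qemu process can reach the file under DAC."""
    blocked, cur = [], "/"
    for part in [""] + path.strip("/").split("/")[:-1]:   # parents only, root first
        cur = os.path.join(cur, part)
        st = stat_fn(cur)
        bit = (stat.S_IXUSR if st.st_uid == uid else
               stat.S_IXGRP if st.st_gid == gid else stat.S_IXOTH)
        if not st.st_mode & bit:
            blocked.append(cur)
    return blocked

# Constructed stand-in for a live filesystem: a hypothetical 0700 home directory
# next to the default image directory from the thread. Use os.stat on a real host.
def _d(mode: int, uid: int, gid: int) -> os.stat_result:
    return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))

FAKE_TREE = {
    "/": _d(0o755, 0, 0), "/home": _d(0o755, 0, 0), "/home/aik": _d(0o700, 1000, 1000),
    "/home/aik/virtimg": _d(0o755, 0, 0), "/var": _d(0o755, 0, 0), "/var/lib": _d(0o755, 0, 0),
    "/var/lib/libvirt": _d(0o755, 0, 0), "/var/lib/libvirt/images": _d(0o755, 0, 0),
}

def fake_stat(p: str) -> os.stat_result:
    return FAKE_TREE[p]
```

Call `dac_blocked_components("/home/aik/virtimg/Fedora-18-ppc64-DVD.iso", 107, 107, fake_stat)` to see the blocked component; with the constructed tree it is the 0700 home directory, and the same call against the /var/lib/libvirt/images path returns nothing.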