Huang,Chaochang
2013-Apr-25  07:41 UTC
[libvirt-users] libvirt_lxc start problem when selinux enbale
Hi, all,
The problem came out when SELinux was enforced in targeted+MCS.
I start the lxc through virsh (virsh -c lxc:/// start instance-00004bd6).
1. When SELinux is Permissive, lxc start is ok.
The result of 'ps auxZ' is:
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0  0.0 47624 1244 ? Ss   15:26   0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3  0.0 19276 1532 ? Ss   15:26   0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19406 0.0  0.0 177444 1332 ? Sl   15:26   0:00 /sbin/rsyslogd -i /var/run/sysl
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0  0.0 64120 1144 ? Ss   15:26   0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19427 0.0  0.0 22136 956 ? Ss   15:26   0:00 xinetd -stayalive -pidfile /var
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19434 0.0  0.0 64316 832 ? Ss   15:26   0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19435 0.0  0.0 64316 600 ? S    15:26   0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19450 0.0  0.0 82388 2392 ? Ss   15:26   0:00 sendmail: rejecting new message
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 51 19459 0.0  0.0 78116 2016 ? Ss   15:26   0:00 sendmail: Queue runner at 01:00:00
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19467 0.0  0.0 175528 3672 ? Ss   15:26   0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0  0.0 175528 2204 ? S    15:26   0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19475 0.0  0.0 117212 1348 ? Ss   15:26   0:00 crond
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19491 0.0  0.0 4108 600 pts/0 Ss+  15:26   0:00 /sbin/mingetty /dev/tty1
We can get into the lxc through 'ssh'.
2. When SELinux is Enforcing, lxc start is bad.
The result of 'ps auxZ' is:
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0  0.0 47624 1244 ? Ss   15:29   0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0  0.0 17172 1036 pts/0 Ss+  15:29   0:00 /sbin/init
Only the /sbin/init process started, nothing else. This is the real problem.
There are AVC error messages in dmesg, /var/log/messages and /var/log/secure, and the same when SELinux is Permissive.
Can anybody give some hints?
Here is some system information:
Kernel version: 3.3.4
Libvirt version: 0.9.13
Lxc guest image: CentOS 6.3
Lxc xml info is:
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit instance-00004bd6
or other application using the libvirt API.
-->
<domain type='lxc'>
  <name>instance-00004bd6</name>
  <uuid>96eada0e-7ea0-4865-8271-3565811c8eb0</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00004bd6/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:09:00:a2'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00004bd6-fa163e0900a2'>
        <parameter name='DHCPSERVER' value='10.0.0.1'/>
        <parameter name='IP' value='10.0.0.11'/>
        <parameter name='PROJMASK' value='255.255.254.0'/>
        <parameter name='PROJNET' value='10.0.0.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>
Best Regards,
Huangchaochang
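The post compares two 'ps auxZ' listings against the static `<seclabel>` in the domain XML. The script below is an added example (not code from the original post or from libvirt) that automates that comparison: it reads the domain's sVirt label from the XML, parses a 'ps auxZ' listing, reports which processes run in the domain's context, which one is the libvirt_lxc emulator (which stays in the host's virtd_lxc_t rather than in the guest label), and which processes share the sVirt type but carry a different MCS category pair. It also checks for the symptom described in the post, that only /sbin/init is running in the domain's context. The sample listing is constructed from the post and trimmed; the extra process with PID 19999 and categories c521,c777 is invented purely to exercise the "other categories" case, and the column layout is assumed to match the post's `ps auxZ` output.

```python
"""Check sVirt (SELinux) labelling of a libvirt LXC domain from 'ps auxZ' output.

Added example; not code from the original post or from libvirt.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <seclabel> section of the domain XML from the post.
DOMAIN_XML = """<domain type='lxc'>
  <name>instance-00004bd6</name>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>"""

# Constructed sample: a trimmed 'ps auxZ' listing modelled on the post.
# The last line (PID 19999, categories c521,c777) is invented to show a
# process in the same sVirt type but a different MCS category pair.
PS_AUXZ = """LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name instance-00004bd6
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0 0.0 64120 1144 ? Ss 15:26 0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0 0.0 175528 2204 ? S 15:26 0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c521,c777 root 19999 0.0 0.0 4108 600 ? Ss 15:26 0:00 /sbin/init
"""


def parse_seclabel(xml_text):
    """Return (model, label) from the domain's <seclabel> element."""
    sec = ET.fromstring(xml_text).find("seclabel")
    if sec is None:
        raise ValueError("domain XML has no <seclabel>")
    return sec.get("model"), (sec.findtext("label") or "").strip()


def split_context(ctx):
    """Split 'user:role:type:range' into parts; the MCS range itself contains ':'."""
    user, role, type_, mcs = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": mcs}


def parse_ps_auxz(text):
    """Parse 'ps auxZ' lines (LABEL USER PID ... TIME COMMAND); the header is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 11)
        if len(parts) < 12 or parts[0] == "LABEL":
            continue
        rows.append({"label": parts[0], "user": parts[1],
                     "pid": int(parts[2]), "cmd": parts[11]})
    return rows


def check_container(label, rows, emulator="/usr/libexec/libvirt_lxc"):
    """Classify processes against the domain label.

    confined:         run in exactly the domain's context
    emulator:         the libvirt_lxc helper, expected in the host's virtd_lxc_t
    other_categories: same sVirt type, different MCS categories (another
                      container, or a labelling problem)
    """
    want = split_context(label)
    report = {"confined": [], "emulator": [], "other_categories": []}
    for r in rows:
        have = split_context(r["label"])
        if r["cmd"].startswith(emulator):
            report["emulator"].append(r["pid"])
        elif r["label"] == label:
            report["confined"].append(r["pid"])
        elif have["type"] == want["type"]:
            report["other_categories"].append(r["pid"])
    return report


def only_init_running(rows, label, init="/sbin/init"):
    """True when the only process in the domain's context is init: the post's
    symptom in enforcing mode, where nothing after /sbin/init gets started."""
    confined = [r for r in rows if r["label"] == label]
    return len(confined) == 1 and confined[0]["cmd"].startswith(init)


if __name__ == "__main__":
    model, label = parse_seclabel(DOMAIN_XML)
    rows = parse_ps_auxz(PS_AUXZ)
    print("model:", model, "label:", label)
    print(check_container(label, rows))
    print("only init running:", only_init_running(rows, label))
```

On a real host, replace the two constructed strings with `virsh dumpxml <domain>` and `ps auxZ` output. A container that shows exactly one confined process (init) in enforcing mode but a full process tree in permissive mode points at denials the policy is recording; the AVC records from the permissive run are the ones to read, since they list every access that enforcing mode would block.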
