Huang,Chaochang
2013-Apr-25 07:45 UTC
[libvirt-users] RE: libvirt_lxc start problem when selinux enabled
Sorry, "There are avc error messages in dmesg ..." should be "There is no avc error ...".

From: Huang,Chaochang
Sent: 25 April 2013 15:41
To: 'libvir-list at redhat.com'; 'libvirt-users at redhat.com'
Subject: libvirt_lxc start problem when selinux enabled

Hi, all,

The problem came out when selinux was enforced in targeted+MCS. I start lxc through virsh: virsh -c lxc:/// start instance-00004bd6

1. When selinux is Permissive, lxc start is ok. The result of "ps auxZ" is:

system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19406 0.0 0.0 177444 1332 ? Sl 15:26 0:00 /sbin/rsyslogd -i /var/run/sysl
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0 0.0 64120 1144 ? Ss 15:26 0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19427 0.0 0.0 22136 956 ? Ss 15:26 0:00 xinetd -stayalive -pidfile /var
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19434 0.0 0.0 64316 832 ? Ss 15:26 0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19435 0.0 0.0 64316 600 ? S 15:26 0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19450 0.0 0.0 82388 2392 ? Ss 15:26 0:00 sendmail: rejecting new message
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 51 19459 0.0 0.0 78116 2016 ? Ss 15:26 0:00 sendmail: Queue runner at 01:00:00
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19467 0.0 0.0 175528 3672 ? Ss 15:26 0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0 0.0 175528 2204 ? S 15:26 0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19475 0.0 0.0 117212 1348 ? Ss 15:26 0:00 crond
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19491 0.0 0.0 4108 600 pts/0 Ss+ 15:26 0:00 /sbin/mingetty /dev/tty1

We can get into the lxc through "ssh".

2. When selinux is Enforcing, lxc start is bad. The result of "ps auxZ" is:

system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0 0.0 47624 1244 ? Ss 15:29 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0 0.0 17172 1036 pts/0 Ss+ 15:29 0:00 /sbin/init

Only the /sbin/init process started, nothing else. This is the real problem. There are avc error messages in dmesg, /var/log/messages and /var/log/secure, and the same when selinux is Permissive.

Can anybody give some hints?

Here is some system information:
Kernel version 3.3.4
Libvirt version 0.9.13
Lxc guest image Centos 6.3

Lxc xml info is:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit instance-00004bd6
or other application using the libvirt API.
-->
<domain type='lxc'>
  <name>instance-00004bd6</name>
  <uuid>96eada0e-7ea0-4865-8271-3565811c8eb0</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00004bd6/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:09:00:a2'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00004bd6-fa163e0900a2'>
        <parameter name='DHCPSERVER' value='10.0.0.1'/>
        <parameter name='IP' value='10.0.0.11'/>
        <parameter name='PROJMASK' value='255.255.254.0'/>
        <parameter name='PROJNET' value='10.0.0.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>

Best Regards,
Huangchaochang
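As an added diagnostic (not part of the post and not libvirt's own tooling), the following script compares the SELinux label of every process listed by `ps auxZ` with the static `<seclabel>` requested in the domain XML, so that "only /sbin/init came up" and "a process is running with the wrong MCS categories" both show up as a list rather than having to be read off the raw output. The sample XML and `ps` rows are constructed from the text of the post (abbreviated), and all function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <seclabel> from the domain XML quoted in the post.
DOMAIN_XML = """<domain type='lxc'>
  <seclabel type='static' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>"""

# Constructed samples: abbreviated `ps auxZ` rows from the post (Permissive vs Enforcing).
PS_PERMISSIVE = """\
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0 0.0 47624 1244 ? Ss 15:26 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3 0.0 19276 1532 ? Ss 15:26 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0 0.0 64120 1144 ? Ss 15:26 0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0 0.0 175528 2204 ? S 15:26 0:00 /usr/sbin/httpd
"""
PS_ENFORCING = """\
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0 0.0 47624 1244 ? Ss 15:29 0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0 0.0 17172 1036 pts/0 Ss+ 15:29 0:00 /sbin/init
"""

def expected_label(domain_xml):
    """Return the static SELinux label that <seclabel> asks libvirt to apply."""
    sec = ET.fromstring(domain_xml).find("seclabel")
    if sec is None or sec.get("model") != "selinux":
        raise ValueError("domain XML has no selinux <seclabel>")
    return sec.findtext("label").strip()

def parse_ps_z(text):
    """Parse `ps auxZ` rows into (label, pid, command); the label is column 0."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)  # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME+COMMAND
        if len(parts) == 11:
            rows.append((parts[0], int(parts[2]), parts[10].split(None, 1)[1]))
    return rows

def audit(ps_text, domain_xml):
    """Return (commands carrying the exact domain label, commands whose type matches
    the container type but whose MCS categories differ, i.e. a confinement mismatch)."""
    want = expected_label(domain_xml)
    want_type = want.split(":")[2]  # e.g. svirt_lxc_net_t
    inside, mismatched = [], []
    for label, _pid, cmd in parse_ps_z(ps_text):
        if label == want:
            inside.append(cmd)
        elif label.split(":")[2] == want_type:
            mismatched.append(cmd)
    return inside, mismatched
```

The libvirt_lxc controller itself runs as virtd_lxc_t and is intentionally not counted; a container that came up correctly lists init plus its services under the requested label, while the Enforcing case in the post yields only /sbin/init.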