[Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Mateusz Matuszkowiak zone at mescanef.net
Sun Jan 26 21:07:24 UTC 2014


Hello again,

I did some digging lately and I see that libvirtd won't start due to
missing "/etc/selinux/default/contexts/lxc_contexts" file, which is
provided by refpolicy in latest Fedora with a content as follows:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

The current refpolicy in Debian does not provide the "svirt_sandbox_file_t"
context, probably due to the missing libvirt-sandbox package.

// Fed's virt.te //
$ wc -l virt.te
1616 virt.te

// Debian's virt.te //
$ wc -l virt.te
1211 virt.te

The semodule virt would need to get updated - maybe SELinux master here? ;-)

With kind regards,
Mateusz



On Wed, Jan 15, 2014 at 1:01 AM, Mateusz Matuszkowiak <zone at mescanef.net> wrote:

> Hello,
>
> Trying to confirm that selinux driver is working on jessie but so far
> without luck:
>
> 2014-01-14 23:10:23.945+0000: 13996: info : libvirt version: 1.2.0
> 2014-01-14 23:10:23.945+0000: 13996: error : virSecurityDriverLookup:78 :
> unsupported configuration: Security driver selinux not enabled
> 2014-01-14 23:10:23.945+0000: 13996: error : lxcSecurityInit:1461 : Failed
> to initialize security drivers
> 2014-01-14 23:10:23.945+0000: 13996: error : virStateInitialize:854 :
> Initialization of LXC state driver failed: unsupported configuration:
> Security driver selinux not enabled
> 2014-01-14 23:10:23.946+0000: 13996: error : daemonRunStateInit:909 :
> Driver state initialization failed
>
> This is, to be exact, the latest '1.2.0-2' libvirt-bin package, and OFC
> selinux is enabled:
>
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             default
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
> Even though compiling it manually from sources it ends up on missing
> selinux driver. I know that this case has been also pushed by Ivan Gooten
> to the libvirt mailing list, if interested:
> https://www.redhat.com/archives/libvirt-users/2014-January/msg00025.html
>
> WKR,
> Mateusz
>
>
>
>
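
Added example, not part of the original message and not libvirt or refpolicy code: a check of an lxc_contexts file against the set of types a policy defines, run on the Fedora file quoted in the message. The expected key list is taken from that file, and the policy type set is constructed to stand in for a policy without svirt_sandbox_file_t.

```python
import re

# Keys taken from the Fedora lxc_contexts file quoted in the message above.
EXPECTED_KEYS = ("process", "content", "file",
                 "sandbox_kvm_process", "sandbox_lxc_process")
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')

def parse_contexts(text):
    """Parse key = "user:role:type:level" lines into {key: (user, role, type, level)}."""
    entries, errors = {}, []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comment lines
        m = LINE_RE.match(line)
        if not m:
            errors.append(f'line {num}: expected key = "context"')
            continue
        # The MLS level may itself contain ':' (s0:c1,c2), so split at most 3 times.
        parts = m.group(2).split(":", 3)
        if len(parts) != 4 or not all(parts):
            errors.append(f"line {num}: {m.group(1)} is not user:role:type:level")
            continue
        entries[m.group(1)] = tuple(parts)
    return entries, errors

def check_contexts(text, policy_types):
    """Return problems: parse errors, missing keys, types the policy does not define."""
    entries, problems = parse_contexts(text)
    for key in EXPECTED_KEYS:
        if key not in entries:
            problems.append(f"missing key: {key}")
        elif entries[key][2] not in policy_types:
            problems.append(f"{key}: type {entries[key][2]} not defined in policy")
    return problems

# File content as quoted in the message above.
FEDORA_LXC_CONTEXTS = '''\
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
'''
# Constructed type set: a stand-in for a policy that lacks svirt_sandbox_file_t.
CONSTRUCTED_POLICY_TYPES = {"svirt_lxc_net_t", "virt_var_lib_t", "svirt_qemu_net_t"}

if __name__ == "__main__":
    for problem in check_contexts(FEDORA_LXC_CONTEXTS, CONSTRUCTED_POLICY_TYPES):
        print(problem)
```

On a real system the type set would come from the loaded policy (for example the output of `seinfo -t`) rather than from a constructed list.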