libvirt, selinux, moving images to ~/images does not work

Hi!

I am trying libvirt on POWERPC64 with the default settings such as selinux enabled. It is all good till I move images out of /var/lib/libvirt/images/.

http://libvirt.org/drvqemu.html#securityselinux is saying that "If attempting to use disk images in another location, the user/administrator must ensure the directory has be given this requisite label. Likewise physical block devices must be labelled system_u:object_r:virt_image_t.".

So did I:

[root@vpl2 ~]# ls -dlZ /home/aik/virtimg /var/lib/libvirt/images
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /home/aik/virtimg
drwxr-xr-x. root root system_u:object_r:virt_image_t:s0 /var/lib/libvirt/images

[root@vpl2 ~]# ls -lZ /home/aik/virtimg /var/lib/libvirt/images
/home/aik/virtimg:
-rwxrwxrwx. root root system_u:object_r:virt_content_t:s0 Fedora-18-ppc64-DVD.iso

/var/lib/libvirt/images:
-rwxrwxrwx. root root system_u:object_r:virt_image_t:s0 fc18guest


However "virsh -c qemu:///system create libvirtguest-aik.xml" fails with
"avc: denied { dac_override }" and "avc: denied { dac_read_search }". Also, there is "user system_u is not defined" in /var/log/messages, which is confusing as "semanage user -l" says it is there.

If I simply move Fedora-18-ppc64-DVD.iso to /var/lib/libvirt/images, the problem goes away and everything works fine.


I am running a custom-built 3.8 kernel and libvirt from git ("eebbb23 qemu: support URI syntax for NBD").

More detailed output is below; this is all from the host system.


What am I missing? Thank you.


[root@vpl2 ~]# tail /var/log/messages
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: could not create context structure
Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid
Apr 8 16:47:48 vpl2 libvirtd[5041]: failed to connect to monitor socket: No such process


[root@vpl2 ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r



[root@vpl2 ~]# tail /var/log/audit/audit.log
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=NETFILTER_CFG msg=audit(1365403596.177:4508): table=nat family=2 entries=61
type=AVC msg=audit(1365403606.017:4509): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4511): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4512): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4513): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4514): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4515): avc: denied { dac_override } for pid=8944 comm="qemu-system-ppc" capability=1 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4516): avc: denied { dac_read_search } for pid=8944 comm="qemu-system-ppc" capability=2 scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability




[root@vpl2 ~]# libvirtd --version
libvirtd (libvirt) 1.0.3
[root@vpl2 ~]# yum info policycoreutils
[...]
Arch        : ppc64
Version     : 2.1.13
Release     : 59.fc18
Size        : 3.8 M

[root@vpl2 ~]# cat /etc/fedora-release
Fedora release 18 (Spherical Cow)

[root@vpl2 ~]# uname -a
Linux vpl2.ozlabs.ibm.com 3.8.0-kvm-64k-aik+ #376 SMP Mon Apr 8 14:40:40 EST 2013 ppc64 ppc64 ppc64 GNU/Linux

[aik@vpl2 ~]$ cat libvirtguest-aik.xml
<domain type='kvm'>
	<name>AikLibvirtTest</name>
	<memory>2097152</memory>
	<vcpu>2</vcpu>
	<os>
		<type arch='ppc64' machine='pseries'>hvm</type>
		<boot dev='cdrom'/>
		<boot dev='hd'/>
	</os>
	<clock offset='utc'/>
	<devices>
		<emulator>/usr/local/bin/qemu-system-ppc64</emulator>
		<disk type='file' device='disk' >
			<driver name='qemu' type='raw'/>
			<source file='/var/lib/libvirt/images/fc18guest'/>
			<target dev='sda' bus='scsi'/>
		</disk>
		<disk type='file' device='cdrom' >
			<driver name='qemu' type='raw'/>
			<source file='/home/aik/virtimg/Fedora-18-ppc64-DVD.iso'/>
			<target dev='sdc' bus='scsi'/>
			<readonly/>
		</disk>
		<serial type='pty'>
			<target port='0'/>
		</serial>
		<console type='pty'>
			<target type='serial' port='0'/>
		</console>
		<memballoon model='virtio'/>
	</devices>

</domain>



--
Alexey

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
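An added example (not part of Alexey's post or of libvirt itself): a small Python triage script for AVC records like the ones quoted above. Capability-class denials of dac_override / dac_read_search mean the kernel fell back to CAP_DAC_* after the ordinary Unix owner/mode check on some path already failed, so they point at directory permissions (the svirt_t process runs as an unprivileged uid) rather than at a missing SELinux label; a denial on a file class with differing source/target types would point at labelling instead. The sample records are constructed from the audit lines in the post.

```python
import re
from collections import Counter

# Constructed sample, based on the audit.log lines quoted in the post above.
SAMPLE_AUDIT = """\
type=NETFILTER_CFG msg=audit(1365403596.177:4507): table=nat family=2 entries=60
type=AVC msg=audit(1365403606.017:4509): avc:  denied  { dac_override } for  pid=8944 comm="qemu-system-ppc" capability=1  scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
type=AVC msg=audit(1365403606.017:4510): avc:  denied  { dac_read_search } for  pid=8944 comm="qemu-system-ppc" capability=2  scontext=system_u:system_r:svirt_t:s0:c574,c809 tcontext=system_u:system_r:svirt_t:s0:c574,c809 tclass=capability
"""

# Fields of an AVC denial record; whitespace between fields varies, hence \s+ and .*?.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

DAC_CAPS = {"dac_override", "dac_read_search"}


def parse_avc(text):
    """Return one dict per AVC denial record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records


def classify(rec):
    """'dac' when the denial is a CAP_DAC_* fallback after a failed Unix permission check,
    'label' for any other denial (type-enforcement / labelling problem)."""
    if rec["tclass"] == "capability" and set(rec["perms"]) & DAC_CAPS:
        return "dac"
    return "label"


def summarize(text):
    """Count denials per (comm, kind) so the dominant failure class stands out."""
    return Counter((rec["comm"], classify(rec)) for rec in parse_avc(text))


if __name__ == "__main__":
    for (comm, kind), n in summarize(SAMPLE_AUDIT).items():
        hint = "check owner/mode bits on the path" if kind == "dac" else "check labels"
        print(f"{comm}: {n} {kind} denial(s) -> {hint}")
```

On a live host, feed it `ausearch -m AVC -ts recent` output instead of the constructed sample.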



