On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote:
> Hello list,
>
> My name is Matteo, I'm new on this list.
> I'm working on a multitenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
> Every container runs a separate instance of OpenSSH and Apache HTTPd, and I need to give root privileges to the developers, and I am trying to configure SELinux using svirt and MCS.
> I tried the secmodel types dynamic and static in the XML file but it didn't work; I received the following error:
>
> error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
> error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
>
> I configured the following secmodel definitions and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
>
>   <seclabel type='static' model='selinux' relabel='no'>
>     <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
>   </seclabel>
>
> or:
>
>   <seclabel type='dynamic' model='selinux' relabel='yes'>
>     <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
>   </seclabel>
>
> I tried to compile the latest version from the master branch of git; the result was always the same, the error was related to the SELinux driver not being enabled.
> The output from "virsh -c lxc:/// capabilities" doesn't show the secmodel and doi tags like qemu/kvm has, for the lxc driver's selinux driver.
>
> How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?

RHEL-6.4 is too old to have support for SELinux with LXC. Specifically,
its libselinux lacks the selinux_lxc_contexts_path() method that libvirt
requires, hence libvirt will disable its support for SELinux with LXC
when built on RHEL-6.4.

Regards,
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
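
A pre-flight check for the symptom discussed in this thread (the LXC driver's capabilities showing no secmodel), as an added example that is not part of the original messages or of libvirt. It parses capabilities XML and a domain's `<seclabel>` and lists what would stop the label from being applied; the XML samples are constructed, the helper names are hypothetical, and the rule that a static label must carry MCS categories is this example's own policy assumption for a multi-tenant host.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not captured output): capabilities from a host whose
# LXC driver was built with SELinux support, and from one built without it.
CAPS_WITH_SELINUX = """<capabilities><host>
  <secmodel><model>selinux</model><doi>0</doi></secmodel>
</host></capabilities>"""
CAPS_WITHOUT = "<capabilities><host><cpu><arch>x86_64</arch></cpu></host></capabilities>"

# Domain fragment using the static label quoted in the thread.
DOMAIN = """<domain type='lxc'><name>cntr1</name>
  <seclabel type='static' model='selinux' relabel='no'>
    <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
  </seclabel>
</domain>"""

def host_secmodels(caps_xml):
    """Return {model: doi} for each <secmodel> advertised under <host>."""
    root = ET.fromstring(caps_xml)
    return {sm.findtext("model"): sm.findtext("doi")
            for sm in root.findall("./host/secmodel")}

def mcs_categories(label):
    """Split user:role:type:level[:categories]; return the category list."""
    parts = label.strip().split(":", 4)
    if len(parts) < 4:
        raise ValueError("not a full SELinux context: %r" % label)
    return parts[4].split(",") if len(parts) == 5 else []

def check_domain(caps_xml, domain_xml):
    """Return a list of problems; an empty list means the seclabel is usable."""
    models = host_secmodels(caps_xml)
    problems = []
    for sl in ET.fromstring(domain_xml).findall("./seclabel"):
        model = sl.get("model")
        if model not in models:
            problems.append("driver does not advertise secmodel %r" % model)
        if sl.get("type") == "static":
            label = sl.findtext("label")
            if not label:
                problems.append("static seclabel without <label>")
            elif not mcs_categories(label):
                # Assumed policy: tenants must be separated by MCS categories.
                problems.append("label has no MCS categories")
    return problems

if __name__ == "__main__":
    for name, caps in (("with selinux", CAPS_WITH_SELINUX), ("without", CAPS_WITHOUT)):
        print(name, check_domain(caps, DOMAIN) or "ok")
```

On a real host the first argument would be the output of `virsh -c lxc:/// capabilities`, the command quoted in the thread.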