Hello. I am trying to run kvm with mls policy on RHEL6.5 and got a strange error.
Steps:
1) installing with virtualization software bundle;
2) install selinux mls and some more: xorg-x11-xauth policycoreutils-python selinux-policy-mls netlabel_tools setools-console;
3) enable mls in selinux/config, set permissive mode, autorelabel fs & reboot;
4) login by root@ssh with X (permissive mode still in effect) and create vm.
Now, after creating any vm, it can be executed only with a dynamic label. On trying to set a static label (s0, s1 or any other with compartments) I got an error:
2014-05-08 13:23:06.711+0000: 1607: error :virSecuritySELinuxGenSecurityLabel:552 : unable to allocate socket security context 's0': Invalid argument
The error does not depend on emulation type (kvm or qemu), mls or targeted policy. RH docs describe sVirt as a working feature, and static labeling has no limitations. Maybe I am doing it wrong?
I tried to change the root shell label to the vm label (runcon -l s0 for example) but got the same error... Any ideas?
---
vlad f halilov