[libvirt-users] libvirt_lxc: SELinux MCS

Matteo Piccinini matteo.piccinini at jnet2000.it
Thu Oct 31 15:32:45 UTC 2013


Hello list,

My name is Matteo, and I'm new to this list.
I'm working on a multitenancy platform with Linux containers through libvirt on a production system with Red Hat 6.4.
Every container runs a separate instance of OpenSSH and Apache HTTPd, and I need to give root privileges to the developers, so I am trying to configure SELinux using sVirt and MCS.
I tried the secmodel types dynamic and static in the XML file, but it didn't work; I received the following error:

error : virSecurityLabelDefParseXML:3228 : XML error: security label is missing
error : virNetSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused

I configured the following secmodel definitions and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:

<seclabel type='static' model='selinux' relabel='no'>
   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>

or:

<seclabel type='dynamic' model='selinux' relabel='yes'>
   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>

I tried compiling the latest version from the git master branch; the result was always the same, and the error was related to the SELinux driver not being enabled.
The output of "virsh -c lxc:/// capabilities" for the lxc driver doesn't show the secmodel and doi tags for the selinux driver, as the qemu/kvm driver does.

How can I enable the SELinux driver for libvirt lxc in Red Hat 6.4?
SELinux is in enforcing mode.

Thanks in advance,
Matteo
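
Added example (not part of the original post and not libvirt code): a Python check for the two conditions the post describes, whether the capabilities XML advertises the seclabel's secmodel and whether the MCS categories of the process label match those on the rootfs. The XML samples are constructed, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not output captured from the poster's host.
CAPS_NO_SECMODEL = "<capabilities><host><cpu/></host></capabilities>"
CAPS_SELINUX = ("<capabilities><host><cpu/><secmodel><model>selinux</model>"
                "<doi>0</doi></secmodel></host></capabilities>")
DOMAIN_XML = """<domain type='lxc'><name>cntr1</name>
<seclabel type='static' model='selinux' relabel='no'>
   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel></domain>"""
ROOTFS_LABEL = "system_u:object_r:svirt_lxc_file_t:s0:c30,c50"

def host_secmodels(caps_xml):
    """Map model name -> doi for each <secmodel> under <host>."""
    secmodels = ET.fromstring(caps_xml).findall("./host/secmodel")
    return {s.findtext("model"): s.findtext("doi") for s in secmodels}

def mcs_categories(context):
    """Return the MCS categories of user:role:type:level[:cats] as ints.
    Assumes a single sensitivity level; expands ranges such as c0.c3."""
    parts = context.strip().split(":", 4)
    cats = set()
    if len(parts) == 5:
        for item in parts[4].split(","):
            lo, _, hi = item.partition(".")
            cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def check(caps_xml, domain_xml, rootfs_label):
    """List mismatches between driver capabilities, seclabel and rootfs label."""
    seclabel = ET.fromstring(domain_xml).find("seclabel")
    if seclabel is None:
        return ["domain XML has no <seclabel>"]
    findings = []
    model = seclabel.get("model")
    if model not in host_secmodels(caps_xml):
        findings.append(f"driver does not advertise secmodel '{model}'")
    label = seclabel.findtext("label")
    if seclabel.get("type") == "static" and not label:
        findings.append("static seclabel has no <label>")
    if label and mcs_categories(label) != mcs_categories(rootfs_label):
        findings.append("MCS categories differ between process and rootfs labels")
    return findings

if __name__ == "__main__":
    for name, caps in (("no secmodel", CAPS_NO_SECMODEL), ("selinux", CAPS_SELINUX)):
        print(name, "->", check(caps, DOMAIN_XML, ROOTFS_LABEL) or "ok")
```

On a real host the first argument would be the saved output of "virsh -c lxc:/// capabilities" and the last the context that "ls -Zd" reports for the rootfs directory.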
