deagol
n00b

Joined: 12 Jul 2014
Posts: 37

Posted: Sat Apr 29, 2017 3:51 pm
Post subject: libvirt-3.1.0 with selinux - problem and one solution to it
I've a libvirt/qemu system running with selinux (mcs of course) on stable and just got the update to app-emulation/libvirt-3.1.0.
After the update all virtual systems were unable to start, due to missing "mounton" rules. Here are the relevant log lines:
Quote:
    Apr 29 10:52:43 owl kernel: audit: type=1400 audit(1493455963.720:161): avc: denied { mounton } for pid=3193 comm="libvirtd" path="/" dev="sda3" ino=256 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
    ...
    Apr 29 11:57:38 owl kernel: audit: type=1400 audit(1493459858.945:368): avc: denied { mounton } for pid=5137 comm="libvirtd" path="/run/libvirt/qemu/web.dev" dev="tmpfs" ino=1531 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
It turns out that libvirt is indeed mounting the root filesystem and also the dev filesystem for setting up a namespace for each virtual instance. Now this seems to be more a feature for containers and it does not make much sense if you are starting the guest with a disc image as I do. And after starting the virtual instance with "setenforce 0" there is nothing mounted on /run/libvirt/qemu/web.dev. In fact I have never even seen the mountpoint... it seems to be immediately removed again.
Now of course it should work by granting libvirt the following permissions:
Code:
    allow virtd_t root_t:dir mounton;
    allow virtd_t svirt_var_run_t:dir mounton;
But since the namespace seems to be useless in my setup I looked for a way to prevent it from being created and get around adding these rules. (It feels wrong to me to grant mounton, so that is something for the experts.)
Turns out that's indeed possible by overriding the new default for "namespaces" in "/etc/libvirt/qemu.conf":
Code:
    # To enhance security, QEMU driver is capable of creating private namespaces
    # for each domain started. Well, so far only "mount" namespace is supported. If
    # enabled it means qemu process is unable to see all the devices on the system,
    # only those configured for the domain in question. Libvirt then manages
    # devices entries throughout the domain lifetime. This namespace is turned on
    # by default.
    #namespaces = [ "mount" ]
    # Add the following line to prevent namespaces from being created:
    namespaces = [ ]
The last two lines above were added by me. With that and a reboot (a libvirtd restart should be sufficient) app-emulation/libvirt-3.1.0 is working fine again.
Now I'm not sure if that even qualifies as a bug. After all this is only a new feature with a default setting that is wrong for me.
Since I was also not able to find anything about that with google I want to share my findings with you here.
What do you think, and who has a better solution to the problem?
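As an added illustration of the two things the post works through, and not code from the post, from libvirt or from the SELinux reference policy, the following Python script parses kernel AVC denial lines like the ones quoted above and derives the minimal allow rules they imply (a small subset of what audit2allow does), then checks a qemu.conf fragment for whether the per-domain mount namespace is still enabled. The sample log lines and config fragments are constructed for the example, and the assumption that libvirt 3.1.0 turns the "mount" namespace on unless an uncommented namespaces line says otherwise is taken from the post, not verified against libvirt's parser:

```python
"""Parse SELinux AVC denials into allow rules and check qemu.conf namespaces.

Added example: not code from the forum post, libvirt or the SELinux policy.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample audit lines, modelled on the two denials quoted in the post.
# The third line repeats the second to show that duplicates collapse into one rule.
SAMPLE_AUDIT_LOG = """\
Apr 29 10:52:43 owl kernel: audit: type=1400 audit(1493455963.720:161): avc: denied { mounton } for pid=3193 comm="libvirtd" path="/" dev="sda3" ino=256 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Apr 29 11:57:38 owl kernel: audit: type=1400 audit(1493459858.945:368): avc: denied { mounton } for pid=5137 comm="libvirtd" path="/run/libvirt/qemu/web.dev" dev="tmpfs" ino=1531 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
Apr 29 11:57:39 owl kernel: audit: type=1400 audit(1493459859.100:369): avc: denied { mounton } for pid=5137 comm="libvirtd" path="/run/libvirt/qemu/web.dev" dev="tmpfs" ino=1531 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
"""

# Constructed qemu.conf fragments: the shipped default (commented out) and the
# override from the post.
SAMPLE_CONF_DEFAULT = '#namespaces = [ "mount" ]\n'
SAMPLE_CONF_DISABLED = '#namespaces = [ "mount" ]\nnamespaces = [ ]\n'

# Fields of an AVC denial: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\sscontext=(?P<scontext>\S+)"
    r".*?\stcontext=(?P<tcontext>\S+)"
    r".*?\stclass=(?P<tclass>\S+)"
)

# An uncommented assignment such as:  namespaces = [ "mount" ]
NAMESPACES_RE = re.compile(r'^\s*namespaces\s*=\s*\[(?P<items>[^\]]*)\]')


def context_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(log_text: str) -> List[Dict[str, str]]:
    """Extract one record per denied permission from every AVC denial line."""
    denials: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        for perm in m.group("perms").split():
            denials.append({
                "perm": perm,
                "stype": context_type(m.group("scontext")),
                "ttype": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    return denials


def derive_allow_rules(denials: List[Dict[str, str]]) -> List[str]:
    """Collapse denials into sorted, de-duplicated allow rules, one per
    (source type, target type, class) triple, like audit2allow's summary."""
    grouped: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].add(d["perm"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def mount_namespace_enabled(conf_text: str) -> bool:
    """True if qemu.conf leaves the per-domain mount namespace on.

    Assumption taken from the post: the namespace is on by default, and only
    an uncommented `namespaces = [ ... ]` line changes that; the last such
    line wins. Commented lines never match NAMESPACES_RE because of the '#'.
    """
    enabled = True
    for line in conf_text.splitlines():
        m = NAMESPACES_RE.match(line)
        if m:
            items = re.findall(r'"([^"]*)"', m.group("items"))
            enabled = "mount" in items
    return enabled


if __name__ == "__main__":
    for rule in derive_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
    print("default conf, mount namespace on:", mount_namespace_enabled(SAMPLE_CONF_DEFAULT))
    print("override conf, mount namespace on:", mount_namespace_enabled(SAMPLE_CONF_DISABLED))
```

Run against the constructed lines it prints exactly the two rules the post lists, which is the point of the exercise: a denial parser tells you what the policy would have to grant (here, mounton on root_t and svirt_var_run_t), and the qemu.conf check tells you whether the override that avoids granting it is actually in effect rather than just present in a comment.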