Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
libvirt-3.1.0 with selinux - problem and one solution to it
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
deagol
n00b
n00b


Joined: 12 Jul 2014
Posts: 19

PostPosted: Sat Apr 29, 2017 3:51 pm    Post subject: libvirt-3.1.0 with selinux - problem and one solution to it Reply with quote

I've a libvirt/qemu system running with selinux (mcs of course) on stable and just got the update to app-emulation/libvirt-3.1.0.
After the update all virtual systems were unable to start, due to missing "mounton" rulles. Here the relevant log lines:
Quote:
Apr 29 10:52:43 owl kernel: audit: type=1400 audit(1493455963.720:161): avc: denied { mounton } for pid=3193 comm="libvirtd" path="/" dev="sda3" ino=256 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
...
Apr 29 11:57:38 owl kernel: audit: type=1400 audit(1493459858.945:368): avc: denied { mounton } for pid=5137 comm="libvirtd" path="/run/libvirt/qemu/web.dev" dev="tmpfs" ino=1531 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0

It turns out that libvirt is indeed mounting the root filesystem and also the dev filesystem for setting up a namespace for each virtual instance. Now this seems to be more a feature for containers and it does not make much sense if you are starting the guest with a disc image as I do. And after starting the virtual instance with "setenforce 0" there is nothing mounted on /run/libvirt/qemu/web.dev. In fact I even have never even seen the mountpoint... it seems to be immediately removed again.
Now of course it should work granting libvirt the following permissions:
Code:
allow virtd_t root_t:dir mounton;
allow virtd_t svirt_var_run_t:dir mounton;
But since the namespace seems to be useless in my setup I looked for a way to prevent it to be created and get around of adding these rules. (Feels wrong for me to grant mounton, so that is something for the experts for me.)

Turns out that's indeed possible by overriding the new default for "namespaces" in
"/etc/libvirt/qemu.conf":
Code:
# To enhance security, QEMU driver is capable of creating private namespaces
# for each domain started. Well, so far only "mount" namespace is supported. If
# enabled it means qemu process is unable to see all the devices on the system,
# only those configured for the domain in question. Libvirt then manages
# devices entries throughout the domain lifetime. This namespace is turned on
# by default.
#namespaces = [ "mount" ]

# Add the following line to disable namespaces to be created:
namespaces = [ ]


The last two lines above are added by me. With that and a reboot (libvirtd restart should be sufficient) app-emulation/libvirt-3.1.0 is working again fine.
Now I'm not sure if that even qualifies as a bug. After all this is only a new feature with a for me wrong default setting.

Since I was also not able to find anything about that with google I want to share my findings with you here.
What do you think and has a better solution to the problem?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum