Gentoo Forums
[SOLVED] SELinux and libvirt
BurningMemory
n00b
Joined: 17 Jan 2023
Posts: 28

Posted: Wed May 10, 2023 3:28 pm    Post subject: [SOLVED] SELinux and libvirt

Hello there.
When starting up a VM there's an error:
Code:
libvirt.libvirtError: unable to set socket security context 'system_u:system_r:svirt_t:s0:c633,c705': Invalid argument

Then in dmesg and audit log I can see:
Code:
[ 1180.660981 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c289,c490 is not valid (left unmapped).
[ 1197.497143 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c553,c779 is not valid (left unmapped).
[ 1522.887956 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c133,c572 is not valid (left unmapped).
[ 2712.563955 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c407,c884 is not valid (left unmapped).
---------------
type=VIRT_MACHINE_ID msg=audit(1683731628.980:375): pid=6035 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t msg='virt=kvm vm="test"
uuid=04650a55-917d-40c3-a4f6-51a3819f3b4b vm-ctx=system_u:system_r:svirt_t:s0:c407,c884
img-ctx=system_u:object_r:svirt_image_t:s0:c407,c884 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"

type=VIRT_MACHINE_ID msg=audit(1683731628.980:376): pid=6035 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t msg='virt=kvm vm="test"
uuid=04650a55-917d-40c3-a4f6-51a3819f3b4b vm-ctx=+77:+77 img-ctx=+77:+77 model=dac exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"


SELinux is running with the targeted policy combined with a custom policy module of mine.

When trying to solve the issue via a policy module using audit2allow it gives a constraint violation rule.
I know it's a problem with sockets, but I've checked and the libvirt sockets in /var/run/libvirt are all mapped. Don't really know in what direction to go with this.
Can anyone give any guidance?

Note: VMs are confined.


Last edited by BurningMemory on Tue May 16, 2023 3:27 am; edited 2 times in total
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879

Posted: Thu May 11, 2023 9:45 am

Quote:

SELinux is running with the targeted policy combined with a custom policy module of mine.


I think you are running MLS, not targeted. Do you need MLS?
Quote:

When trying to solve the issue via a policy module using audit2allow it gives a constraint violation rule.


You can try
Code:

/etc/selinux/semanage.conf==>>

expand-check=0

_________________
:)
BurningMemory
n00b
Joined: 17 Jan 2023
Posts: 28

Posted: Thu May 11, 2023 10:42 am

alamahant wrote:
Quote:

SELinux is running with the targeted policy combined with a custom policy module of mine.


I think you are running MLS, not targeted. Do you need MLS?

No, I'm not running MLS. Will try to put the line in the config.

Edit: Actually, I've discovered something interesting. I'm not allowed to restart libvirtd while in enforcing mode regardless of my context, uid, and groups.
alamahant
Joined: 23 Mar 2019
Posts: 3879

Posted: Thu May 11, 2023 11:31 am

Quote:

No, I'm not running MLS. Will try to put the line in the config.

If you do, please don't forget to relabel the filesystem.
This
:s0:c633,c705
is MLS.
_________________
:)
BurningMemory
Joined: 17 Jan 2023
Posts: 28

Posted: Thu May 11, 2023 12:12 pm

alamahant wrote:
Quote:

No, I'm not running MLS. Will try to put the line in the config.

If you do, please don't forget to relabel the filesystem.
This
:s0:c633,c705
is MLS.


I know that this is the MLS part of the context. Here is the sestatus output.
Code:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

So, as far as the audit log goes, I think libvirt is giving SELinux an invalid context and SELinux is accepting it but not going to actually use it.
The action itself succeeds, as seen in the log snippet in the first message, although it says that the context is not valid.
Changing the config didn't really change anything, even after relabeling the whole filesystem, although I haven't tried to restart yet.
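A small diagnostic check, added here and not posted by anyone in the thread, that reads sestatus output together with the "left unmapped" kernel messages from the first post and reports why each context failed to map; the sample input below is constructed from the thread (the third dmesg line is hypothetical, added to show a context without a level field).

```python
import re

# Constructed sample input modelled on the thread, not captured from a live host.
SESTATUS_OUTPUT = """\
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Policy MLS status:              disabled
"""

DMESG_LINES = [
    "[ 1180.660981 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c289,c490 is not valid (left unmapped).",
    "[ 1197.497143 ] SELinux:  Context system_u:object_r:svirt_image_t:s0:c553,c779 is not valid (left unmapped).",
    # Hypothetical line: a context with no level field at all, to exercise the other branch.
    "[ 1200.000000 ] SELinux:  Context system_u:object_r:svirt_image_t is not valid (left unmapped).",
]

CONTEXT_RE = re.compile(r"Context (\S+) is not valid \(left unmapped\)")
# Level syntax: sN[-sN][:cN[,cN|.cN]*], e.g. s0:c289,c490 or s0-s0:c0.c1023
LEVEL_RE = re.compile(r"^s\d+(?:-s\d+)?(?::c\d+(?:[,.]c\d+)*)?$")


def policy_mls_enabled(sestatus_text):
    """True when the loaded policy was built with MLS/MCS support."""
    for line in sestatus_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Policy MLS status":
            return value.strip() == "enabled"
    return False


def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    parts = ctx.split(":", 3)
    user, role, type_ = parts[:3]
    return user, role, type_, (parts[3] if len(parts) == 4 else None)


def unmapped_contexts(lines):
    return [m.group(1) for m in map(CONTEXT_RE.search, lines) if m]


def diagnose(sestatus_text, dmesg_lines):
    """Return (context, reason) pairs explaining each unmapped context."""
    mls = policy_mls_enabled(sestatus_text)
    findings = []
    for ctx in unmapped_contexts(dmesg_lines):
        _, _, _, level = split_context(ctx)
        if level is not None and not mls:
            # A policy without MLS/MCS cannot map the fourth (level) field at all,
            # so svirt's per-VM category labels are rejected even though the type exists.
            findings.append((ctx, "mls-disabled"))
        elif level is not None and not LEVEL_RE.match(level):
            findings.append((ctx, "malformed-level"))
        else:
            findings.append((ctx, "unknown-user-role-or-type"))
    return findings


if __name__ == "__main__":
    for ctx, reason in diagnose(SESTATUS_OUTPUT, DMESG_LINES):
        print(f"{reason:26} {ctx}")
```

On a real host, feed it `sestatus` and `dmesg | grep 'left unmapped'` instead of the constructed samples.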
deagol
Joined: 12 Jul 2014
Posts: 61

Posted: Thu May 11, 2023 8:44 pm

The problem here probably is that you are not using MLS...

I'm using libvirt with SELinux for quite some years.
One of the few things I remember from setting that up is that I had to switch to MLS for libvirt:
Each VM will use its own sensitivity level, targeted is thus insufficient.
Your error message also has a label which looks like MLS to me, the ":s0" part. So when you are not using MLS the error message makes sense, doesn't it?
BurningMemory
Joined: 17 Jan 2023
Posts: 28

Posted: Fri May 12, 2023 3:57 am

deagol wrote:
The problem here probably is that you are not using MLS...
Each VM will use its own sensitivity level, targeted is thus insufficient.
Your error message also has a label which looks like MLS to me, the ":s0" part. So when you are not using MLS the error message makes sense, doesn't it?


Indeed, it does. Although, I'm wondering if there is any way to stay without MLS.
I'm also not sure how to set up MLS. Did you have to change anything other than to enable it?
deagol
Joined: 12 Jul 2014
Posts: 61

Posted: Sun May 14, 2023 9:04 pm

BurningMemory wrote:
Indeed, it does. Although, I'm wondering if there is any way to stay without MLS.
I'm also not sure how to set up MLS. Did you have to change anything other than to enable it?

I also tried to stick to targeted. But I came to the conclusion that this looked much harder than to try out MPLS.
As far as I remember the switch was straight forward. (MPLS was still officially unsupported. But I never had any noteworthy issues.)
alamahant
Joined: 23 Mar 2019
Posts: 3879

Posted: Sun May 14, 2023 10:17 pm

This is wrong. Plain and simple. If libvirt forces you to use MLS then please open a bug report with the Gentoo SELinux team.
_________________
:)
BurningMemory
Joined: 17 Jan 2023
Posts: 28

Posted: Tue May 16, 2023 3:27 am

alamahant wrote:
This is wrong. Plain and simple. If libvirt forces you to use MLS then please open a bug report with the Gentoo SELinux team.


Thank you for pointing that out, I was suspecting it to be a bug but wasn't sure.
BurningMemory
Joined: 17 Jan 2023
Posts: 28

Posted: Tue May 16, 2023 3:47 am

The same bug is already reported: https://bugs.gentoo.org/840110