Debian Bug report logs - #736909
LXC selinux support not working

Reply or subscribe to this bug.

Display info messages

Message #5 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: libvirt: Please enable selinux security driver

Date: Thu, 20 Sep 2012 00:52:20 +0200

Source: libvirt
Version: 0.9.12-5
Severity: wishlist

Hi,

Could you please enable the selinux security driver on libvirt compiled
on linux.

This bug is more a reminder bug. This shouldn't be implemented until
#559356 is fixed.

Cheers

Laurent Bigonville

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Message #12 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: Laurent Bigonville <[email protected]>, [email protected]

Subject: Re: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Date: Thu, 20 Sep 2012 07:30:01 +0200

Hi Laurent,
On Thu, Sep 20, 2012 at 12:52:20AM +0200, Laurent Bigonville wrote:
> Source: libvirt
> Version: 0.9.12-5
> Severity: wishlist
> 
> Hi,
> 
> Could you please enable the selinux security driver on libvirt compiled
> on linux.
> 
> This bug is more a reminder bug. This shouldn't be implemented until
> #559356 is fixed.

Somebody with interest in SELinux would need to fix up the necessary
policies (as you noted). Are you in any way interested to do this? I'd
be happy to do so but I'm lacking the time for any serioius Debian work
at the moment.
Cheers,
 -- Guido

> 
> Cheers
> 
> Laurent Bigonville
> 
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers
> 

Message #17 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Guido Günther <[email protected]>

Cc: [email protected]

Subject: Re: libvirt: Please enable selinux security driver

Date: Thu, 20 Sep 2012 11:41:09 +0200

Le Thu, 20 Sep 2012 07:30:01 +0200,
Guido Günther <[email protected]> a écrit :

> Hi Laurent,

Hey,

> 
> Somebody with interest in SELinux would need to fix up the necessary
> policies (as you noted). Are you in any way interested to do this? I'd
> be happy to do so but I'm lacking the time for any serioius Debian
> work at the moment.

Yeah, I'm already more or less busy with this :) I'm trying to get the
specific debian patches we have merged upstream when they are relevant.

On my laptop I have libvirt starting with the selinux security driver
enabled and the git HEAD of the refpolicy. KVM seems started in the
right context and the right category, but virt-manager is not showing
me that the selinux security driver is being used (only showing me
DAC). So I guess everything is not perfect yet.

Cheers

Laurent Bigonville

Message #22 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: Re: libvirt: Please enable selinux security driver

Date: Mon, 16 Dec 2013 00:07:06 +0100

Package: src:libvirt
Followup-For: Bug #688179

Hi,

I've just uploaded repolicy 2:2.20131214-1 that is now shipping the
appconfig file for libvirt.

Even if the policy is not 100% working in enforcing mode,
/etc/selinux/default/contexts/virtual_domain_context is now shipped in
the policy package and libvirt should now start properly.

Please consider enabling SELinux support in libvirt, you might want to
add a Breaks against the prior version of the policy, something like
should be ok.

Breaks: selinux-policy-default (<< 2:2.20131214-1~), selinux-policy-mls (<< 2:2.20131214-1~)

Cheers,

Laurent Bigonville

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Message #27 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: [email protected]

Subject: Re: libvirt: Please enable selinux security driver

Date: Thu, 26 Dec 2013 16:36:52 +0100

[Message part 1 (text/plain, inline)]

tag 688179 + patch
thanks

Hi,

Please apply the attached patch.

I've just tested again and the VM's (using qemu) are starting properly
and run in the expected context.

Cheers,

Laurent Bigonville

[688179.patch (text/x-patch, attachment)]

Message #34 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: Laurent Bigonville <[email protected]>, [email protected]

Subject: Re: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Date: Thu, 26 Dec 2013 22:04:07 +0100

On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
> tag 688179 + patch
> thanks
> 
> Hi,
> 
> Please apply the attached patch.
> 
> I've just tested again and the VM's (using qemu) are starting properly
> and run in the expected context.

The main reason for not enabling this upfront was that it triggered buts
when selinux was not available. Did you by any chance test this as well?
Cheers,
 -- Guido

> 
> Cheers,
> 
> Laurent Bigonville

> diff -Nru libvirt-1.2.0/debian/control libvirt-1.2.0/debian/control
> --- libvirt-1.2.0/debian/control	2013-12-17 23:14:46.000000000 +0100
> +++ libvirt-1.2.0/debian/control	2013-12-26 16:33:45.000000000 +0100
> @@ -36,6 +36,7 @@
>   libnetcf-dev (>= 1:0.2.3-3~) [linux-any],
>   libsanlock-dev [linux-any],
>   libaudit-dev [linux-any],
> + libselinux1-dev (>= 2.0.82) [linux-any],
>   systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390],
>  # for --with-storage-sheepdog
>   sheepdog [linux-any],
> @@ -88,6 +89,7 @@
>  Architecture: any
>  Depends: ${shlibs:Depends}, ${misc:Depends}
>  Recommends: lvm2 [linux-any]
> +Breaks: selinux-policy-default (<< 2:2.20131214-1~), selinux-policy-mls (<< 2:2.20131214-1~)
>  Description: library for interfacing with different virtualization systems
>   Libvirt is a C toolkit to interact with the virtualization capabilities
>   of recent versions of Linux (and other OSes). The library aims at providing
> diff -Nru libvirt-1.2.0/debian/rules libvirt-1.2.0/debian/rules
> --- libvirt-1.2.0/debian/rules	2013-12-17 23:14:46.000000000 +0100
> +++ libvirt-1.2.0/debian/rules	2013-12-26 15:56:00.000000000 +0100
> @@ -29,6 +29,7 @@
>    WITH_SANLOCK        = --with-sanlock
>    WITH_INIT_SCRIPT    =	--with-init-script=systemd
>    WITH_AUDIT          = --with-audit
> +  WITH_SELINUX        = --with-selinux --with-secdriver-selinux
>    ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390))
>        WITH_DTRACE     = --with-dtrace
>    else
> @@ -61,6 +62,7 @@
>    WITH_NETCF          = --without-netcf
>    WITH_INIT_SCRIPT    =	--with-init-script=none
>    WITH_AUDIT          = --without-audit
> +  WITH_SELINUX        = --without-selinux
>    WITH_DTRACE         = --without-dtrace
>    WITH_XEN            = --without-xen
>    WITH_LIBXL          = --without-libxl
> @@ -88,7 +90,7 @@
>  	$(WITH_STORAGE_RBD)      \
>  	$(WITH_INIT_SCRIPT)      \
>  	$(WITH_NUMA)             \
> -	--without-selinux        \
> +	$(WITH_SELINUX)          \
>  	--without-esx		 \
>  	--without-phyp           \
>  	$(WITH_CAPNG)		 \

> _______________________________________________
> Pkg-libvirt-maintainers mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-libvirt-maintainers

Message #39 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Guido Günther <[email protected]>

Cc: [email protected]

Subject: Re: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Date: Thu, 26 Dec 2013 22:50:47 +0100

Le Thu, 26 Dec 2013 22:04:07 +0100,
Guido Günther <[email protected]> a écrit :

> On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
> > tag 688179 + patch
> > thanks
> > 
> > Hi,
> > 
> > Please apply the attached patch.
> > 
> > I've just tested again and the VM's (using qemu) are starting
> > properly and run in the expected context.
> 
> The main reason for not enabling this upfront was that it triggered
> buts when selinux was not available. Did you by any chance test this
> as well? Cheers,

IIRC the main issue was the fact that the selinux policy was too old.

Anyway, I just retired and I can confirm that with selinux security
driver compiled in libvirt and selinux disabled on the machine, I can
still start VM's

So I guess it's OK

Cheers,

Laurent Bigonville

Message #44 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: Laurent Bigonville <[email protected]>

Cc: [email protected]

Subject: Re: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Date: Sat, 28 Dec 2013 11:39:57 +0100

Hi,
On Thu, Dec 26, 2013 at 10:50:47PM +0100, Laurent Bigonville wrote:
> Le Thu, 26 Dec 2013 22:04:07 +0100,
> Guido Günther <[email protected]> a écrit :
> 
> > On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
> > > tag 688179 + patch
> > > thanks
> > > 
> > > Hi,
> > > 
> > > Please apply the attached patch.
> > > 
> > > I've just tested again and the VM's (using qemu) are starting
> > > properly and run in the expected context.
> > 
> > The main reason for not enabling this upfront was that it triggered
> > buts when selinux was not available. Did you by any chance test this
> > as well? Cheers,
> 
> IIRC the main issue was the fact that the selinux policy was too old.

Well in fact both. While too old policy is an issue for selinux enabled
systems I rember there were problems in the volumen handling parts with
selinux compiled in but not enabled. But let's check and fix this in
case it pops up again.
Cheers and thanks for your patches,
 -- Guido

P.S.: it'd be awesome if you could generate our patches with
git-format-patch since this would give me the correct authorship
information. Extra bonus points for adding a git-dch compatible "Closes:
#" line.

> 
> Anyway, I just retired and I can confirm that with selinux security
> driver compiled in libvirt and selinux disabled on the machine, I can
> still start VM's
> 
> So I guess it's OK
> 
> Cheers,
> 
> Laurent Bigonville
> 

Message #49 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: [email protected]

Subject: Bug#688179: fixed in libvirt 1.2.0-2

Date: Wed, 01 Jan 2014 21:21:32 +0000

Source: libvirt
Source-Version: 1.2.0-2

We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guido Günther <[email protected]> (supplier of updated libvirt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 01 Jan 2014 20:24:37 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev libvirt-sanlock
Architecture: source i386 all
Version: 1.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Libvirt Maintainers <[email protected]>
Changed-By: Guido Günther <[email protected]>
Description: 
 libvirt-bin - programs for the libvirt library
 libvirt-dev - development files for the libvirt library
 libvirt-doc - documentation for the libvirt library
 libvirt-sanlock - library for interfacing with different virtualization systems
 libvirt0   - library for interfacing with different virtualization systems
 libvirt0-dbg - library for interfacing with different virtualization systems
Closes: 688179 731612 732666
Changes: 
 libvirt (1.2.0-2) unstable; urgency=medium
 .
   [ Guido Günther ]
   * [949fae6] Suggest systemd since it improves thinks like e.g. cgroup
     handling
   * [96f9aae] Make mounted cgroups configurable via /etc/default/libvirt-bin
     and check for memory cgroup on kernel command line. (Closes: #732666)
   * [ce356fe] Really remove "memory" from default mount list. Thanks to phep
     <[email protected]>
 .
   [ Laurent Bigonville ]
   * [13052e4] Enable selinux driver (Closes: #688179)
   * [a00df46] Switch LSB dependencies to avahi-daemon since only the later
     exists as native systemd service. (Closes: #731612)
Checksums-Sha1: 
 1a02d81859af798d8a8a4bf547d3875eb3850973 2557 libvirt_1.2.0-2.dsc
 aa5c08b4b2d54cefc61a5a43025d40045e02ccb6 47542 libvirt_1.2.0-2.debian.tar.gz
 bcd2b375e11f090a2af5f32d463f5fb933a0e029 3501698 libvirt-bin_1.2.0-2_i386.deb
 9288a84f486585ba76d2a0446d36dc439950f2ea 2454164 libvirt0_1.2.0-2_i386.deb
 b5adbf828a893ed381b8b0db6f97641269a90f2a 7617476 libvirt0-dbg_1.2.0-2_i386.deb
 3175cb99e04cedd48e92d823cf37d702f1a1d9ea 2696778 libvirt-doc_1.2.0-2_all.deb
 390f660d5266a4a8ba4615c7c366051e081fe4e9 1771800 libvirt-dev_1.2.0-2_i386.deb
 d2afb301b4a45e578c82c66c1934047968259563 1705884 libvirt-sanlock_1.2.0-2_i386.deb
Checksums-Sha256: 
 9bd013dde1cd6ce1b83a507a105e3f9038c768c2b78f522b310f13049e0b5451 2557 libvirt_1.2.0-2.dsc
 521b9b8b51dfcae046f16fbadb38dfd7a460863ba7ea2cd080c377e5e7734ab5 47542 libvirt_1.2.0-2.debian.tar.gz
 0dba4402db385240ff4ddc5a401e0bd8632545aa74cbdfa4fc3c25f049182421 3501698 libvirt-bin_1.2.0-2_i386.deb
 12fc270c0d6efdb3ac86ea53d1d2fecebfd6f9c08b2ffdab72d98475c9d70b65 2454164 libvirt0_1.2.0-2_i386.deb
 3dfa66d263e4180f8abc35024ca2dd7d5c835fdd9e026ac0fbc091416e715bfb 7617476 libvirt0-dbg_1.2.0-2_i386.deb
 08ce6c26383b3568e0fa834cebc6b3732c42e2fdb1794808c576efed1fe57ad7 2696778 libvirt-doc_1.2.0-2_all.deb
 be4bb736ba94d48bc4ea18b0e08000bc282ce78fe791487078b932949f3f6805 1771800 libvirt-dev_1.2.0-2_i386.deb
 a76f1ba557b31af2196af398b40625cfbb75351992e207e9574cc1d7d35fac27 1705884 libvirt-sanlock_1.2.0-2_i386.deb
Files: 
 ce96d4d5def16ac3a86c042ebf53e5be 2557 libs optional libvirt_1.2.0-2.dsc
 21c0564dfb5b4e2cdeee96c5d3022e7b 47542 libs optional libvirt_1.2.0-2.debian.tar.gz
 c3518a62ef1df73076baacb7f0a179a4 3501698 admin optional libvirt-bin_1.2.0-2_i386.deb
 b8efba0ea5c363c19f0991c3a6f49af0 2454164 libs optional libvirt0_1.2.0-2_i386.deb
 ca49f105739146e9cd7b15018b02ea27 7617476 debug extra libvirt0-dbg_1.2.0-2_i386.deb
 f9d2193f96a28100177fcb2aac173635 2696778 doc optional libvirt-doc_1.2.0-2_all.deb
 63ebbb192ea7471fd24341fe7d9b40d2 1771800 libdevel optional libvirt-dev_1.2.0-2_i386.deb
 0d4720bba2034a1fadf68b306207a10d 1705884 libs extra libvirt-sanlock_1.2.0-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iD8DBQFSxHqxn88szT8+ZCYRAonzAJ9oCgdcuk5+jDokcVJ3eeaBx7BezACfVaks
OUvQq/4JiSMco3l0EGKza94=
=1Fjh
-----END PGP SIGNATURE-----

Message #54 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Guido Günther <[email protected]>

Cc: [email protected]

Subject: Re: libvirt: Please enable selinux security driver

Date: Thu, 2 Jan 2014 02:09:13 +0100

[Message part 1 (text/plain, inline)]

Hi,

Looks like my patch was missing a bit as the auto-detection is not
working as expected on machine that are not running selinux.

--with-selinux-mount=/sys/fs/selinux should be passed to the configure.

Quickly looking at the code it only affect LXC containers.

/selinux is gone now sid and jessie. In wheezy, both /selinux
and /sys/fs/selinux are exsting but the selinuxfs should already be
mounted on /sys/fs/selinux.

The attached patch fix this.

Cheers,

Laurent Bigonville

[0001-Pass-with-selinux-mount-sys-fs-selinux-to-the-config.patch (text/x-patch, attachment)]

Message #59 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: Laurent Bigonville <[email protected]>

Cc: [email protected]

Subject: Re: libvirt: Please enable selinux security driver

Date: Sun, 5 Jan 2014 18:01:11 +0100

On Thu, Jan 02, 2014 at 02:09:13AM +0100, Laurent Bigonville wrote:
> Hi,
> 
> Looks like my patch was missing a bit as the auto-detection is not
> working as expected on machine that are not running selinux.
> 
> --with-selinux-mount=/sys/fs/selinux should be passed to the configure.
> 
> Quickly looking at the code it only affect LXC containers.
> 
> /selinux is gone now sid and jessie. In wheezy, both /selinux
> and /sys/fs/selinux are exsting but the selinuxfs should already be
> mounted on /sys/fs/selinux.
> 
> The attached patch fix this.

Pushed to git.debian.org, thanks!
Cheers,
 -- Guido

> 
> Cheers,
> 
> Laurent Bigonville

> From 6eeaf3c0c37ecfac268150287ba8697f5ca331ab Mon Sep 17 00:00:00 2001
> From: Laurent Bigonville <[email protected]>
> Date: Thu, 2 Jan 2014 01:55:12 +0100
> Subject: [PATCH] Pass --with-selinux-mount=/sys/fs/selinux to the configure
> 
> The buildd are not running selinux and this make the auto-detection code
> defaults to /selinux which is actually not existing anymore in sid.
> 
> This complete the fix for SELinux support.
> ---
>  debian/rules | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian/rules b/debian/rules
> index cf8e596..5b76cc7 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -29,7 +29,7 @@ ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
>    WITH_SANLOCK        = --with-sanlock
>    WITH_INIT_SCRIPT    =	--with-init-script=systemd
>    WITH_AUDIT          = --with-audit
> -  WITH_SELINUX        = --with-selinux --with-secdriver-selinux
> +  WITH_SELINUX        = --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
>    ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390))
>        WITH_DTRACE     = --with-dtrace
>    else
> -- 
> 1.8.5.2
> 

Message #64 received at [email protected] (full text, mbox, reply):

From: Mateusz Matuszkowiak <[email protected]>

To: [email protected]

Subject: Re: libvirt: Please enable selinux security driver

Date: Wed, 15 Jan 2014 01:01:56 +0100

[Message part 1 (text/plain, inline)]

Hello,

Trying to confirm that selinux driver is working on jessie but so far
without luck:

2014-01-14 23:10:23.945+0000: 13996: info : libvirt version: 1.2.0
2014-01-14 23:10:23.945+0000: 13996: error : virSecurityDriverLookup:78 :
unsupported configuration: Security driver selinux not enabled
2014-01-14 23:10:23.945+0000: 13996: error : lxcSecurityInit:1461 : Failed
to initialize security drivers
2014-01-14 23:10:23.945+0000: 13996: error : virStateInitialize:854 :
Initialization of LXC state driver failed: unsupported configuration:
Security driver selinux not enabled
2014-01-14 23:10:23.946+0000: 13996: error : daemonRunStateInit:909 :
Driver state initialization failed

This is, to be exact, the latest '1.2.0-2' libvirt-bin package, and OFC
selinux is enabled:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Even though compilling it manually from sources it ends up on missing
selinux driver. I know that this case has been also pushed by Ivan Gooten
to the libvirt mailing list, if interested:
https://www.redhat.com/archives/libvirt-users/2014-January/msg00025.html

WKR,
Mateusz

[Message part 2 (text/html, inline)]

Message #69 received at [email protected] (full text, mbox, reply):

From: Mateusz Matuszkowiak <[email protected]>

To: [email protected]

Subject: Re: Bug#688179: libvirt: Please enable selinux security driver

Date: Sun, 26 Jan 2014 22:07:24 +0100

[Message part 1 (text/plain, inline)]

Hello again,

I did some digging lately and I see that libvirtd won't start due to
missing "/etc/selinux/default/contexts/lxc_contexts" file, which is
provided by refpolicy in latest Fedora with a content as follows:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

The current refpolicy in Debian does not provide "svirt_sandbox_file_t"
context, prob due to missing libvirt-sandbox package.

// Fed's virt.te //
$ wc -l virt.te
1616 virt.te

// Debian's virt.te //
$ wc -l virt.te
1211 virt.te

The semodule virt would need to get updated - mayby SElinux master here? ;-)

With kind regards,
Mateusz



On Wed, Jan 15, 2014 at 1:01 AM, Mateusz Matuszkowiak <[email protected]>wrote:

> Hello,
>
> Trying to confirm that selinux driver is working on jessie but so far
> without luck:
>
> 2014-01-14 23:10:23.945+0000: 13996: info : libvirt version: 1.2.0
> 2014-01-14 23:10:23.945+0000: 13996: error : virSecurityDriverLookup:78 :
> unsupported configuration: Security driver selinux not enabled
> 2014-01-14 23:10:23.945+0000: 13996: error : lxcSecurityInit:1461 : Failed
> to initialize security drivers
> 2014-01-14 23:10:23.945+0000: 13996: error : virStateInitialize:854 :
> Initialization of LXC state driver failed: unsupported configuration:
> Security driver selinux not enabled
> 2014-01-14 23:10:23.946+0000: 13996: error : daemonRunStateInit:909 :
> Driver state initialization failed
>
> This is, to be exact, the latest '1.2.0-2' libvirt-bin package, and OFC
> selinux is enabled:
>
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             default
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
>
> Even though compilling it manually from sources it ends up on missing
> selinux driver. I know that this case has been also pushed by Ivan Gooten
> to the libvirt mailing list, if interested:
> https://www.redhat.com/archives/libvirt-users/2014-January/msg00025.html
>
> WKR,
> Mateusz
>
>
>
>

[Message part 2 (text/html, inline)]

Message #74 received at [email protected] (full text, mbox, reply):

From: Guido Günther <[email protected]>

To: Mateusz Matuszkowiak <[email protected]>, [email protected]

Cc: Laurent Bigonville <[email protected]>

Subject: Re: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver

Date: Tue, 28 Jan 2014 08:22:13 +0100

clone 688179 -1
rettitle -1 LXC selinux support not working
reopen -1
thanks

Hi,

On Sun, Jan 26, 2014 at 10:07:24PM +0100, Mateusz Matuszkowiak wrote:
> Hello again,
> 
> I did some digging lately and I see that libvirtd won't start due to
> missing "/etc/selinux/default/contexts/lxc_contexts" file, which is
> provided by refpolicy in latest Fedora with a content as follows:

Thanks for looking into this. I've opened a new bug since there's far
too much crammed into this report already. Please use the new bug to
track this issue. Laurent, do you have any selinux policy updates
planned for this or are you focusing on qemu atm?
Cheers,
 -- Guido

Message #91 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: [email protected]

Cc: [email protected], [email protected], Daniel J Walsh <[email protected]>

Subject: Missing appconfig file for libvirt and LXC containers

Date: Tue, 28 Jan 2014 11:15:53 +0100

Hi,

Libvirt selinux security driver is now enabled in debian unstable.
Qemu/KVM VM can be started properly now, but a bug[1] has been reported
that LXC containers are failing to start due to the missing
"lxc_contexts" appconfig file.

Looking at the fedora policy, it's indeed shipping that file with the
following content:

---------
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_sandbox_file_t:s0"
sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
---------

I only see minimal differences between the virt module in the refpolicy
and the one in the fedora one, and I'm maybe missing something, but it
seems that some types are missing in both the refpolicy and the fedora
policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
example.

So an idea how we could make libvirt happy with LXC containers?

Cheers,

Laurent Bigonville


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909

PS: could you please keep the 736909-forwarded CC while replying.

Message #101 received at [email protected] (full text, mbox, reply):

From: Daniel J Walsh <[email protected]>

To: Laurent Bigonville <[email protected]>, [email protected]

Cc: [email protected], [email protected]

Subject: Re: Missing appconfig file for libvirt and LXC containers

Date: Wed, 29 Jan 2014 08:13:43 -0500

[Message part 1 (text/plain, inline)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/28/2014 05:15 AM, Laurent Bigonville wrote:
> Hi,
> 
> Libvirt selinux security driver is now enabled in debian unstable. Qemu/KVM
> VM can be started properly now, but a bug[1] has been reported that LXC
> containers are failing to start due to the missing "lxc_contexts" appconfig
> file.
> 
> Looking at the fedora policy, it's indeed shipping that file with the 
> following content:
> 
> --------- process = "system_u:system_r:svirt_lxc_net_t:s0" content =
> "system_u:object_r:virt_var_lib_t:s0" file =
> "system_u:object_r:svirt_sandbox_file_t:s0" sandbox_kvm_process =
> "system_u:system_r:svirt_qemu_net_t:s0" sandbox_lxc_process =
> "system_u:system_r:svirt_lxc_net_t:s0" ---------
> 
> I only see minimal differences between the virt module in the refpolicy and
> the one in the fedora one, and I'm maybe missing something, but it seems
> that some types are missing in both the refpolicy and the fedora policy. I
> find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for example.
> 
> So an idea how we could make libvirt happy with LXC containers?
> 
> Cheers,
> 
> Laurent Bigonville
> 
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
> 
> PS: could you please keep the 736909-forwarded CC while replying.
> 

There in there,   I have attached the latest qemu policy.  We use
svirt_sandbox_file_t not sandbox_file_t (This is used for the type of sandbox
- -X containers).




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLo/ocACgkQrlYvE4MpobM7gwCgwzHws/wTFcOry2KGauJ06UIn
1ggAoN2F+xfdaCOvc/rOOm7UpaQL+PQq
=3UGI
-----END PGP SIGNATURE-----

[qemu.tgz (application/x-gzip, attachment)]

Message #117 received at [email protected] (full text, mbox, reply):

From: Miroslav Grepl <[email protected]>

To: Laurent Bigonville <[email protected]>

Cc: [email protected], [email protected], [email protected]

Subject: Re: [refpolicy] Missing appconfig file for libvirt and LXC containers

Date: Wed, 29 Jan 2014 22:12:56 +0100

On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> Hi,
>
> Libvirt selinux security driver is now enabled in debian unstable.
> Qemu/KVM VM can be started properly now, but a bug[1] has been reported
> that LXC containers are failing to start due to the missing
> "lxc_contexts" appconfig file.
>
> Looking at the fedora policy, it's indeed shipping that file with the
> following content:
>
> ---------
> process = "system_u:system_r:svirt_lxc_net_t:s0"
> content = "system_u:object_r:virt_var_lib_t:s0"
> file = "system_u:object_r:svirt_sandbox_file_t:s0"
> sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> ---------
>
> I only see minimal differences between the virt module in the refpolicy
> and the one in the fedora one, and I'm maybe missing something, but it
> seems that some types are missing in both the refpolicy and the fedora
> policy. I find no signs of "svirt_qemu_net_t" or "sandbox_file_t" for
> example.
I see all types are presented in virt.te,

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

> So an idea how we could make libvirt happy with LXC containers?
>
> Cheers,
>
> Laurent Bigonville
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736909
>
> PS: could you please keep the 736909-forwarded CC while replying.
> _______________________________________________
> refpolicy mailing list
> [email protected]
> http://oss.tresys.com/mailman/listinfo/refpolicy

Message #123 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: Miroslav Grepl <[email protected]>

Cc: [email protected], [email protected], [email protected]

Subject: Re: [refpolicy] Missing appconfig file for libvirt and LXC containers

Date: Wed, 29 Jan 2014 23:09:43 +0100

Le Wed, 29 Jan 2014 22:12:56 +0100,
Miroslav Grepl <[email protected]> a écrit :

Hi,

Thanks for your reply.

> On 01/28/2014 11:15 AM, Laurent Bigonville wrote:
> > Hi,
> >
> > Libvirt selinux security driver is now enabled in debian unstable.
> > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > reported that LXC containers are failing to start due to the missing
> > "lxc_contexts" appconfig file.
> >
> > Looking at the fedora policy, it's indeed shipping that file with
> > the following content:
> >
> > ---------
> > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > content = "system_u:object_r:virt_var_lib_t:s0"
> > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > ---------
> >
> > I only see minimal differences between the virt module in the
> > refpolicy and the one in the fedora one, and I'm maybe missing
> > something, but it seems that some types are missing in both the
> > refpolicy and the fedora policy. I find no signs of
> > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> I see all types are presented in virt.te,
> 
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib

Yes indeed, for some reasons I didn't found this /o\ The fact that
the .gitmodule of the selinux-policy repository is still pointing to
the refpolicy one is really confusing.

Anyway these types are not currently present in the upstream refpolicy,
so I guess I should try propose a patch to merge back the changes from
the fedora virt.pp module. Or do you have any plans to do this?

The delta between the two is unfortunately larger that I would have
expected.

Kind regards,

Laurent Bigonville

Message #133 received at [email protected] (full text, mbox, reply):

From: Evgeni Golov <[email protected]>

To: Laurent Bigonville <[email protected]>, [email protected]

Cc: Miroslav Grepl <[email protected]>, [email protected], [email protected]

Subject: Re: Bug#736909: [refpolicy] Missing appconfig file for libvirt and LXC containers

Date: Sun, 4 Dec 2016 14:02:59 +0100

Ohai,

On Wed, Jan 29, 2014 at 11:09:43PM +0100, Laurent Bigonville wrote:
> > > Libvirt selinux security driver is now enabled in debian unstable.
> > > Qemu/KVM VM can be started properly now, but a bug[1] has been
> > > reported that LXC containers are failing to start due to the missing
> > > "lxc_contexts" appconfig file.
> > >
> > > Looking at the fedora policy, it's indeed shipping that file with
> > > the following content:
> > >
> > > ---------
> > > process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > content = "system_u:object_r:virt_var_lib_t:s0"
> > > file = "system_u:object_r:svirt_sandbox_file_t:s0"
> > > sandbox_kvm_process = "system_u:system_r:svirt_qemu_net_t:s0"
> > > sandbox_lxc_process = "system_u:system_r:svirt_lxc_net_t:s0"
> > > ---------
> > >
> > > I only see minimal differences between the virt module in the
> > > refpolicy and the one in the fedora one, and I'm maybe missing
> > > something, but it seems that some types are missing in both the
> > > refpolicy and the fedora policy. I find no signs of
> > > "svirt_qemu_net_t" or "sandbox_file_t" for example.
> > I see all types are presented in virt.te,
> > 
> > https://git.fedorahosted.org/cgit/selinux-policy.git/tree/virt.te?h=master_contrib
> 
> Yes indeed, for some reasons I didn't found this /o\ The fact that
> the .gitmodule of the selinux-policy repository is still pointing to
> the refpolicy one is really confusing.
> 
> Anyway these types are not currently present in the upstream refpolicy,
> so I guess I should try propose a patch to merge back the changes from
> the fedora virt.pp module. Or do you have any plans to do this?
> 
> The delta between the two is unfortunately larger that I would have
> expected.

Upstream now ships an lxc_contexts file [1], but I have no idea how to test it in libvirt properly?

Regards
Evgeni

[1] https://github.com/TresysTechnology/refpolicy/commit/ca6fefc3c899a39a95402a82e2beda6cb5a98aa9

Message #139 received at [email protected] (full text, mbox, reply):

From: Russell Coker <[email protected]>

To: [email protected]

Cc: Laurent Bigonville <[email protected]>, Guido Günther <[email protected]>, Mateusz Matuszkowiak <[email protected]>, Evgeni Golov <[email protected]>

Subject: where are we at with this?

Date: Tue, 27 Dec 2016 23:20:48 +1100

The lxc_contents file is in selinux-policy-default and a quick check indicates 
that the policy might be ok.

What do we have to do to test it?  I can provide root on a test system to 
anyone who wants to help test this.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Message #144 received at [email protected] (full text, mbox, reply):

From: Laurent Bigonville <[email protected]>

To: [email protected], [email protected]

Cc: Guido Günther <[email protected]>, Mateusz Matuszkowiak <[email protected]>, Evgeni Golov <[email protected]>

Subject: Re: where are we at with this?

Date: Tue, 27 Dec 2016 21:49:47 +0100

Hi Russell,


Le 27/12/16 à 13:20, Russell Coker a écrit :
> The lxc_contents file is in selinux-policy-default and a quick check indicates
> that the policy might be ok.
>
> What do we have to do to test it?  I can provide root on a test system to
> anyone who wants to help test this.
>

The initial bug, the fact that libvirt is not starting is fixed at two 
different level, libvirt now checks if the lxc_context file is present 
or not before doing any SELinux operations and it's also fixed now that 
the policy ships this file.

But I just tried now (with the refpolicy) and all the processes are 
running under "system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023" (not sure 
it's the one expected here), so we might have an other problem here.

My test case is quite easy, I've debootstrapped a debian unstable 
(debootstrap sid /tmp/sid). Then in virt-manager, I've added a new "LXC" 
connection and then created a new "system" container. And then started 
that container.

Send a report that this bug log contains spam.