Hi all,

 

         The problem came out when selinux was enforced in targeted+MCS.

         I start lxc through virsh: "virsh -c lxc:/// start instance-00004bd6"

 

1.       When selinux is Permissive, lxc start is ok.

The result of "ps auxZ" is:

system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 19218 0.0  0.0 47624 1244 ?  Ss   15:26   0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19219 0.3  0.0 19276 1532 ? Ss  15:26   0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19406 0.0  0.0 177444 1332 ? Sl 15:26   0:00 /sbin/rsyslogd -i /var/run/sysl
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19420 0.0  0.0 64120 1144 ? Ss  15:26   0:00 /usr/sbin/sshd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19427 0.0  0.0 22136 956 ? Ss   15:26   0:00 xinetd -stayalive -pidfile /var
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19434 0.0  0.0 64316 832 ? Ss   15:26   0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19435 0.0  0.0 64316 600 ? S    15:26   0:00 /usr/sbin/saslauthd -m /var/run
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19450 0.0  0.0 82388 2392 ? Ss  15:26   0:00 sendmail: rejecting new message
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 51 19459 0.0  0.0 78116 2016 ?  Ss   15:26   0:00 sendmail: Queue runner@01:00:00
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19467 0.0  0.0 175528 3672 ? Ss 15:26   0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 48 19470 0.0  0.0 175528 2204 ? S    15:26   0:00 /usr/sbin/httpd
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19475 0.0  0.0 117212 1348 ? Ss 15:26   0:00 crond
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 19491 0.0  0.0 4108 600 pts/0 Ss+ 15:26   0:00 /sbin/mingetty /dev/tty1

 

We can get into the lxc through "ssh".

 

2.       When selinux is Enforcing, lxc start is bad.

The result of "ps auxZ" is:

system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0  0.0 47624 1244 ?  Ss   15:29   0:00 /usr/libexec/libvirt_lxc --name
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0  0.0 17172 1036 pts/0 Ss+ 15:29   0:00 /sbin/init

                   Only the /sbin/init process started, nothing else. This is the real problem.

                   There are avc error messages in dmesg, /var/log/messages and /var/log/secure, and the same when selinux is Permissive.

 

         Can anybody give some hints?

 

Here is some system information:

Kernel version: 3.3.4
Libvirt version: 0.9.13
Lxc guest image: CentOS 6.3

The lxc xml info is:

<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
  virsh edit instance-00004bd6
or other application using the libvirt API.
-->

<domain type='lxc'>
  <name>instance-00004bd6</name>
  <uuid>96eada0e-7ea0-4865-8271-3565811c8eb0</uuid>
  <memory unit='KiB'>524288</memory>
  <currentMemory unit='KiB'>524288</currentMemory>
  <vcpu placement='static'>1</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
    <cmdline>console=ttyS0</cmdline>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/home/stack/nova_state/instances/instance-00004bd6/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='fa:16:3e:09:00:a2'/>
      <source bridge='br100'/>
      <filterref filter='nova-instance-instance-00004bd6-fa163e0900a2'>
        <parameter name='DHCPSERVER' value='10.0.0.1'/>
        <parameter name='IP' value='10.0.0.11'/>
        <parameter name='PROJMASK' value='255.255.254.0'/>
        <parameter name='PROJNET' value='10.0.0.0'/>
      </filterref>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
  <seclabel type='static' model='selinux' relabel='yes'>
     <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>

 

 

Best Regards,

Huangchaochang
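The post above compares `ps auxZ` output against the static `<seclabel>` in the domain XML by eye. The following script is an added example (it is not the poster's code nor part of libvirt) that does that comparison mechanically: it pulls the static label out of the domain XML, checks that every `svirt_lxc_*` process carries exactly that label, checks that the guest's MCS categories fall inside the range held by the `libvirt_lxc` controller, and filters AVC denial records down to those whose source context is the guest label. The `ps` rows for the enforcing case are copied from the post; the third `ps` row with categories `c11,c22` and all of the audit lines are constructed solely to exercise the mismatch and denial paths, and the `ps auxZ` column layout is assumed to be the standard 12-column one.

```python
"""Cross-check a libvirt LXC guest's static SELinux label against running
processes and AVC denials. Added example; sample data is partly constructed."""
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the domain XML from the post; only <seclabel> is consulted.
DOMAIN_XML = """<domain type='lxc'>
  <name>instance-00004bd6</name>
  <os><type arch='x86_64'>exe</type><init>/sbin/init</init></os>
  <seclabel type='static' model='selinux' relabel='yes'>
     <label>system_u:system_r:svirt_lxc_net_t:s0:c192,c392</label>
  </seclabel>
</domain>"""

# First two data rows come from the post's enforcing run. The third row is
# CONSTRUCTED (wrong category pair) to show what a mislabelled process looks like.
PS_OUTPUT = """LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:virtd_lxc_t:s0-s0:c0.c1023 root 20624 0.0 0.0 47624 1244 ? Ss 15:29 0:00 /usr/libexec/libvirt_lxc --name instance-00004bd6
system_u:system_r:svirt_lxc_net_t:s0:c192,c392 root 20625 0.0 0.0 17172 1036 pts/0 Ss+ 15:29 0:00 /sbin/init
system_u:system_r:svirt_lxc_net_t:s0:c11,c22 root 20699 0.0 0.0 19276 1532 ? Ss 15:29 0:00 /sbin/rsyslogd
"""

# CONSTRUCTED audit records in the standard AVC layout; not taken from the post.
AUDIT_LOG = """type=AVC msg=audit(1349000001.001:101): avc:  denied  { read } for  pid=20625 comm="init" name="inittab" dev=dm-0 ino=1234 scontext=system_u:system_r:svirt_lxc_net_t:s0:c192,c392 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1349000001.002:102): avc:  denied  { execute } for  pid=20625 comm="init" name="rsyslogd" dev=dm-0 ino=5678 scontext=system_u:system_r:svirt_lxc_net_t:s0:c192,c392 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1349000001.003:103): avc:  denied  { write } for  pid=4242 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def static_label(domain_xml):
    """Return the <label> of a static selinux <seclabel>, or None if absent."""
    root = ET.fromstring(domain_xml)
    for sec in root.findall("seclabel"):
        if sec.get("model") == "selinux" and sec.get("type") == "static":
            return sec.findtext("label", "").strip()
    return None


def mcs_categories(context):
    """Expand the MCS part of user:role:type:MLS into a set of category numbers.
    Handles 's0:c192,c392' and the range form 's0-s0:c0.c1023'."""
    mls = context.split(":", 3)[3]
    if ":" not in mls:
        return set()
    cats = set()
    for item in mls.split(":", 1)[1].split(","):
        if "." in item:                       # cN.cM is an inclusive range
            lo, hi = item.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(item[1:]))
    return cats


def parse_ps(ps_output):
    """Return (context, pid, command) for each data row of `ps auxZ`."""
    rows = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split(None, 11)          # 12 columns; COMMAND keeps its spaces
        if len(parts) == 12:
            rows.append((parts[0], int(parts[2]), parts[11]))
    return rows


def label_violations(expected, ps_output):
    """svirt_lxc_* processes whose context differs from the guest's static label."""
    return [(pid, ctx, cmd) for ctx, pid, cmd in parse_ps(ps_output)
            if ctx.split(":")[2].startswith("svirt_lxc") and ctx != expected]


def controller_covers_guest(ps_output, guest_label):
    """True if every libvirt_lxc controller's MCS range contains the guest's categories."""
    guest = mcs_categories(guest_label)
    ctrl = [ctx for ctx, _, _ in parse_ps(ps_output) if ctx.split(":")[2] == "virtd_lxc_t"]
    return bool(ctrl) and all(guest <= mcs_categories(c) for c in ctrl)


def avc_denials_for(label, audit_lines):
    """AVC denials whose source context is exactly the guest label."""
    hits = []
    for line in audit_lines.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("scontext") == label:
            hits.append({"pid": int(m.group("pid")), "comm": m.group("comm"),
                         "perms": m.group("perms").split(),
                         "tcontext": m.group("tcontext"), "tclass": m.group("tclass")})
    return hits


if __name__ == "__main__":
    label = static_label(DOMAIN_XML)
    print("guest label:", label)
    print("controller range covers guest:", controller_covers_guest(PS_OUTPUT, label))
    for pid, ctx, cmd in label_violations(label, PS_OUTPUT):
        print(f"mislabelled pid {pid}: {ctx}  {cmd}")
    for d in avc_denials_for(label, AUDIT_LOG):
        print(f"denied {d['perms']} pid={d['pid']} comm={d['comm']} "
              f"target={d['tcontext']} class={d['tclass']}")
```

On a real host, feed it `virsh -c lxc:/// dumpxml instance-00004bd6`, `ps auxZ` and `ausearch -m avc --raw` (or the raw lines from /var/log/audit/audit.log) instead of the embedded samples; the guest-label filter is what separates denials belonging to this container from unrelated host noise.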