[libvirt-users] libvirt on armhf with selinux driver

hi,

recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:

--with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux

the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.

when trying to run libvirtd, i'm getting:

error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
error : lxcSecurityInit:1461 : Failed to initialise security drivers
error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
error : daemonRunStateInit:909 : Driver state initialisation failed

someone got any clue what may be causing this?

thanks,
ivan gooten

On Mon, Jan 13, 2014 at 04:10:35PM +0100, Ivan Gooten wrote:
> hi,
> recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:
> --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
> the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.
> when trying to run libvirtd, i'm getting:
> error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
> error : lxcSecurityInit:1461 : Failed to initialise security drivers
> error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
> error : daemonRunStateInit:909 : Driver state initialisation failed
> someone got any clue what may be causing this?

This likely means that 'configure' failed to detect selinux support. Look for any messages it prints in this regard. At the end, it will summarize whether it successfully found it or not.

Daniel

On 13.01.2014 16:10, Ivan Gooten wrote:
> hi,
> recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:
> --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
> the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.
> when trying to run libvirtd, i'm getting:
> error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
> error : lxcSecurityInit:1461 : Failed to initialise security drivers
> error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
> error : daemonRunStateInit:909 : Driver state initialisation failed
> someone got any clue what may be causing this?
> thanks, ivan gooten

Are you sure selinux is enabled? Not enforcing, just enabled.

Michal

On 01/13/2014 04:50 PM, Michal Privoznik wrote:
> On 13.01.2014 16:10, Ivan Gooten wrote:
>> hi,
>> recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:
>> --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
>> the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.
>> when trying to run libvirtd, i'm getting:
>> error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
>> error : lxcSecurityInit:1461 : Failed to initialise security drivers
>> error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
>> error : daemonRunStateInit:909 : Driver state initialisation failed
>> someone got any clue what may be causing this?
>> thanks, ivan gooten
> Are you sure selinux is enabled? Not enforcing, just enabled.
> Michal

hi,

thanks Michal and Daniel for your answers.

so here i provide the configure summary: http://pastebin.com/un0UnFCP

for me it looks okay, and below is the sestatus:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

this is custom kernel 3.10 with debian testing a.k.a. jessie. also, my friend with the same configuration on rpi, except for his newer kernel, is having same strangeness.

ivan

On 13.01.2014 19:27, Ivan Gooten wrote:
> On 01/13/2014 04:50 PM, Michal Privoznik wrote:
>> On 13.01.2014 16:10, Ivan Gooten wrote:
>>> hi,
>>> recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:
>>> --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
>>> the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.
>>> when trying to run libvirtd, i'm getting:
>>> error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
>>> error : lxcSecurityInit:1461 : Failed to initialise security drivers
>>> error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
>>> error : daemonRunStateInit:909 : Driver state initialisation failed
>>> someone got any clue what may be causing this?
>>> thanks, ivan gooten
>> Are you sure selinux is enabled? Not enforcing, just enabled.
>> Michal
> hi,
> thanks Michal and Daniel for your answers.
> so here i provide the configure summary: http://pastebin.com/un0UnFCP

Has your configure found HAVE_SELINUX_LXC_CONTEXTS_PATH?

grep HAVE_SELINUX_LXC_CONTEXTS_PATH config.h

Moreover, does /etc/selinux/targeted/contexts/lxc_contexts exist on your system (the path may however change - I took it from my RHEL machine)?

Michal

On 01/14/2014 10:32 AM, Michal Privoznik wrote:
> On 13.01.2014 19:27, Ivan Gooten wrote:
>> On 01/13/2014 04:50 PM, Michal Privoznik wrote:
>>> On 13.01.2014 16:10, Ivan Gooten wrote:
>>>> hi,
>>>> recently i've been busy with libvirt(d) v1.2.0 on armhf and i see, even if selinux sec driver is enabled on the configure stage, the driver is not finally created. these configure parameters are:
>>>> --with-selinux --with-secdriver-selinux --with-selinux-mount=/sys/fs/selinux
>>>> the /sys/fs/selinux is valid, selinux is running in permissive mode, got also libselinux DEV package installed, so no missing req. headers here.
>>>> when trying to run libvirtd, i'm getting:
>>>> error : virSecurityDriverLookup:78 : unsupported configuration: Security driver selinux not enabled
>>>> error : lxcSecurityInit:1461 : Failed to initialise security drivers
>>>> error : virStateInitialize:854 : Initialisation of LXC state driver failed: unsupported configuration: Security driver selinux not enabled
>>>> error : daemonRunStateInit:909 : Driver state initialisation failed
>>>> someone got any clue what may be causing this?
>>>> thanks, ivan gooten
>>> Are you sure selinux is enabled? Not enforcing, just enabled.
>>> Michal
>> hi,
>> thanks Michal and Daniel for your answers.
>> so here i provide the configure summary: http://pastebin.com/un0UnFCP
> Has your configure found HAVE_SELINUX_LXC_CONTEXTS_PATH?
> grep HAVE_SELINUX_LXC_CONTEXTS_PATH config.h
> Moreover, does /etc/selinux/targeted/contexts/lxc_contexts exist on your system (the path may however change - I took it from my RHEL machine)?
> Michal

hi,

$ grep HAVE_SELINUX_LXC_CONTEXTS_PATH config.h
#define HAVE_SELINUX_LXC_CONTEXTS_PATH 1

unfortunately there is no "lxc_contexts" file, but i've grepped /etc/selinux for lxc's, maybe that will be helpful:

$ grep -iR lxc .
Binary file ./default/policy/policy.29 matches
./default/modules/active/file_contexts:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/modules/active/file_contexts:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/modules/active/file_contexts:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
./default/modules/active/file_contexts.template:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/modules/active/file_contexts.template:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/modules/active/file_contexts.template:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
Binary file ./default/modules/active/policy.kern matches
./default/contexts/files/file_contexts:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/contexts/files/file_contexts:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./default/contexts/files/file_contexts:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
Binary file ./default/contexts/files/file_contexts.bin matches
Binary file ./mls/policy/policy.29 matches
Binary file ./mls/modules/active/modules/courier.pp matches
Binary file ./mls/modules/active/modules/nut.pp matches
Binary file ./mls/modules/active/modules/init.pp matches
./mls/modules/active/file_contexts:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/modules/active/file_contexts:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/modules/active/file_contexts:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
./mls/modules/active/file_contexts.template:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/modules/active/file_contexts.template:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/modules/active/file_contexts.template:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
Binary file ./mls/modules/active/policy.kern matches
./mls/contexts/files/file_contexts:/var/run/libvirt/lxc(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/contexts/files/file_contexts:/var/run/libvirt-sandbox(/.*)? system_u:object_r:virtd_lxc_var_run_t:s0
./mls/contexts/files/file_contexts:/usr/libexec/libvirt_lxc -- system_u:object_r:virtd_lxc_exec_t:s0
Binary file ./mls/contexts/files/file_contexts.bin matches

ivan
participants (3)
- Daniel P. Berrange
- Ivan Gooten
- Michal Privoznik
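
The checks discussed in this thread, gathered into one script as an added example; it is not part of any message above and is not libvirt's code. The function names and the assumed location of lxc_contexts (/etc/selinux/<SELINUXTYPE>/contexts/) are assumptions of this example; as Michal notes, the path may differ between systems.

```shell
#!/bin/sh
# Added diagnostic sketch (not libvirt code). Assumed path layout:
#   /etc/selinux/<SELINUXTYPE>/contexts/lxc_contexts
# usage: check_lxc_selinux ROOT CONFIG_H   (ROOT is "/" on a live host)
check_lxc_selinux() {
    root=${1%/} cfg_h=$2 rc=0

    # Build side: the define Michal asks to grep for in config.h.
    if grep -Eq '^#define[[:space:]]+HAVE_SELINUX_LXC_CONTEXTS_PATH[[:space:]]+1' "$cfg_h" 2>/dev/null
    then echo "ok:   HAVE_SELINUX_LXC_CONTEXTS_PATH is defined"
    else echo "FAIL: HAVE_SELINUX_LXC_CONTEXTS_PATH is not defined"; rc=1
    fi

    # Runtime: selinuxfs is mounted, i.e. SELinux is enabled in any mode.
    if [ -e "$root/sys/fs/selinux/enforce" ]
    then echo "ok:   selinuxfs is mounted"
    else echo "FAIL: selinuxfs is not mounted"; rc=1
    fi

    # Policy store in use ("default" on the Debian host in the thread).
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' \
            "$root/etc/selinux/config" 2>/dev/null | tail -n 1)
    if [ -z "$ptype" ]; then
        echo "FAIL: SELINUXTYPE is not set in /etc/selinux/config"
        return 1
    fi

    # The file Michal asks about, looked up under that policy store.
    ctx="$root/etc/selinux/$ptype/contexts/lxc_contexts"
    if [ -r "$ctx" ]
    then echo "ok:   $ctx is readable"
    else echo "FAIL: $ctx is missing or unreadable"; rc=1
    fi
    return "$rc"
}

# Constructed tree mirroring the host described in the thread:
# define present, policy store "default", no lxc_contexts file.
demo_thread_host() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/sys/fs/selinux" "$d/etc/selinux/default/contexts"
    : > "$d/sys/fs/selinux/enforce"
    printf 'SELINUX=permissive\nSELINUXTYPE=default\n' > "$d/etc/selinux/config"
    printf '#define HAVE_SELINUX_LXC_CONTEXTS_PATH 1\n' > "$d/config.h"
    check_lxc_selinux "$d" "$d/config.h"; st=$?
    rm -rf "$d"
    return "$st"
}
```

On a live system, run `check_lxc_selinux / ./config.h` from the libvirt build directory; `demo_thread_host` reproduces the situation reported in the last message, where only the lxc_contexts check fails.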