[libvirt-users] How to enable SELinux driver for libvirt?

Hi guys,

It seems libvirt disables the SELinux driver by default. How to enable the SELinux driver for libvirt?

-- 
------------
Jackie
Best Regards

On 08/21/2014 01:38 AM, Qiang Guan wrote:
> Hi guys,
> It seems libvirt disables the SELinux driver by default.
You need to provide more details to substantiate your claim. What platform are you running on, and what version of libvirt? Did you build it yourself or are you using the pre-built distro version? Fedora-based distributions (and that includes RHEL and CentOS) ship the distro version with SELinux support ON by default. However, actually using SELinux when the support is present depends on your /etc/libvirt/*.conf settings: qemu.conf uses SELinux by default, while lxc.conf has to be manually tweaked to turn on the use of SELinux (that's because proper labeling for an LXC container is a lot more involved). That said, the conf files only give defaults, and it is still possible to do per-domain use of SELinux (the virt-sandbox app is one that always tries to use SELinux labeling when creating LXC guests, regardless of the *.conf defaults).
> How to enable the SELinux driver for libvirt?
If you self-compiled, make sure you had the right devel libraries present to ensure the SELinux support is compiled in. If you are using a distro, you may want to file a support ticket with your distro provider.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 2014-08-21 20:58, Eric Blake wrote:
> On 08/21/2014 01:38 AM, Qiang Guan wrote:
>> Hi guys,
>> It seems libvirt disables the SELinux driver by default.
> You need to provide more details to substantiate your claim. What
> platform are you running on, and what version of libvirt? Did you build
> it yourself or are you using the pre-built distro version?
>
> Fedora-based distributions (and that includes RHEL and CentOS) ship the distro version with SELinux support ON by default. However, actually using SELinux when the support is present depends on your /etc/libvirt/*.conf settings: qemu.conf uses SELinux by default, while lxc.conf has to be manually tweaked to turn on the use of SELinux (that's because proper labeling for an LXC container is a lot more involved). That said, the conf files only give defaults, and it is still possible to do per-domain use of SELinux (the virt-sandbox app is one that always tries to use SELinux labeling when creating LXC guests, regardless of the *.conf defaults).
>
>> How to enable the SELinux driver for libvirt?
> If you self-compiled, make sure you had the right devel libraries present to ensure the SELinux support is compiled in. If you are using a distro, you may want to file a support ticket with your distro provider.
Hi, Eric, thanks for the help. I'm using Ubuntu 14.04 with libvirt version 1.2.2 from the Ubuntu trusty source. I want to use SELinux labeling with dynamic type for my LXC container, which is started by the libvirt API. I don't know whether SELinux support is compiled into the Ubuntu release. How can I recognize whether SELinux is compiled into libvirt in a release version? If it is compiled in, which configure options need to be set to enable the SELinux driver for libvirt?

-- 
------------
Jackie
Best Regards

On 08/21/2014 08:37 PM, Qiang Guan wrote:
>>> How to enable the SELinux driver for libvirt?
>> If you self-compiled, make sure you had the right devel libraries present to ensure the SELinux support is compiled in. If you are using a distro, you may want to file a support ticket with your distro provider.
> Hi, Eric, thanks for the help. I'm using Ubuntu 14.04 with libvirt version 1.2.2 from the Ubuntu trusty source.
Ubuntu normally uses AppArmor, not SELinux. Again, libvirt is set up to use AppArmor by default when that is the distro's preferred security mechanism, but I'm not much of an Ubuntu user, so you may get better answers from others.
> I want to use SELinux labeling with dynamic type for my LXC container, which is started by the libvirt API.
> I don't know whether SELinux support is compiled into the Ubuntu release.
Probably not, for the same reason that AppArmor support is not compiled into Fedora releases.
> How can I recognize whether SELinux is compiled into libvirt in a release version?
virsh --version=long

On my machine, I see (among others):

 Miscellaneous: Daemon Nodedev SELinux Secrets Debug DTrace Readline Modular

I'd expect AppArmor instead of SELinux on a debian-based build.
> If it is compiled in, which configure options need to be set to enable the SELinux driver for libvirt?
Configure probes for things and makes reasonable defaults; but if you want to enforce the issue, then use './configure --with-selinux=yes --with-secdriver-selinux=yes' to make configure forcefully error out if the dependencies aren't met, rather than silently omitting the dependency.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
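As an added example, not code from the thread or from libvirt itself: a POSIX shell check that mirrors the two points above, parsing `virsh --version=long` output for the compiled-in security driver and then reading the `security_driver` key of qemu.conf/lxc.conf (that key name is not mentioned in the thread; it is the one libvirt's own conf files use). Both the virsh output and the lxc.conf body are constructed samples so the check runs offline; on a real host substitute `$(virsh --version=long)` and `$(cat /etc/libvirt/lxc.conf)`.

```shell
#!/bin/sh
# Constructed sample of `virsh --version=long` on a Debian-style build
# (AppArmor compiled in, no SELinux). Real host: virsh --version=long
SAMPLE_VIRSH_VERSION='Virsh command line tool of libvirt 1.2.2
See web site at http://libvirt.org/

Compiled with support for:
 Hypervisors: QEMU/KVM LXC UML Xen
 Networking: Remote Network Bridging Interface netcf Nwfilter VirtualPort
 Storage: Dir Disk Filesystem SCSI Multipath iSCSI LVM
 Miscellaneous: Daemon Nodedev AppArmor Secrets Debug Readline Modular'

# Constructed sample of an lxc.conf whose security_driver is still commented
# out, i.e. libvirt probes for a usable driver instead of being told one.
SAMPLE_LXC_CONF='# Default: probe for a usable driver at startup
#security_driver = "selinux"
log_with_libvirtd = 1'

# Print the security drivers named on the "Miscellaneous:" line, lower-cased
# and space separated ("selinux", "apparmor", or nothing when neither is built).
compiled_secdrivers() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Miscellaneous:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -Ei '^(selinux|apparmor)$' \
        | tr 'A-Z' 'a-z' | tr '\n' ' ' | sed 's/ $//'
}

# Print the uncommented security_driver value from a conf body, or "probe"
# when the key is absent or commented out (last assignment wins).
conf_secdriver() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*security_driver[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${val:-probe}"
}

# Can the wanted driver (selinux/apparmor) actually be used? It must be compiled
# in, and the conf must either probe or name that same driver.
# Prints ok, not-compiled or conf-mismatch; non-zero exit for the failures.
secdriver_status() {
    want=$1; version_out=$2; conf=$3
    case " $(compiled_secdrivers "$version_out") " in
        *" $want "*) ;;
        *) echo not-compiled; return 1 ;;
    esac
    cfg=$(conf_secdriver "$conf")
    if [ "$cfg" = probe ] || [ "$cfg" = "$want" ]; then echo ok; return 0; fi
    echo conf-mismatch; return 1
}

secdriver_status apparmor "$SAMPLE_VIRSH_VERSION" "$SAMPLE_LXC_CONF"
```

On the constructed Ubuntu-style sample, asking for selinux reports not-compiled, which is the situation Eric expects on a Debian-based build.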