Basically if I add /etc/selinux/targeted/contexts/lxc_contexts

    lxc=system_u:system_r:svirt_lxc_net_t:s0
    qemu=system_u:system_r:svirt_qemu_net_t:s0
    kvm=system_u:system_r:svirt_qemu_net_t:s0
    process=system_u:system_r:svirt_lxc_net_t:s0
    file=system_u:object_r:svirt_sandbox_file_t:s0
    content=system_u:object_r:virt_var_lib_t:s0

libvirt crashes. Adding in '"' fixes the problem.

    cat /etc/selinux/targeted/contexts/lxc_contexts
    lxc=system_u:system_r:svirt_lxc_net_t:s0
    qemu="system_u:system_r:svirt_qemu_net_t:s0"
    kvm="system_u:system_r:svirt_qemu_net_t:s0"
    process="system_u:system_r:svirt_lxc_net_t:s0"
    file="system_u:object_r:svirt_sandbox_file_t:s0"
    content="system_u:object_r:virt_var_lib_t:s0"

Debugging looks like libvirtd was reporting that it could not open the file without the "s
    2013-10-29 17:41:27.564+0000: 3490: info : lxcSecurityInit:1342 : lxcSecurityInit (null)
    2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityDriverLookup:58 : name=(null)
    2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityDriverLookup:69 : Probed name=selinux
    2013-10-29 17:41:27.564+0000: 3490: debug : virSecurityManagerNewDriver:81 : drv=0x7fdcdfadfa80 (selinux) virtDriver=LXC allowDiskFormatProbing=0 defaultConfined=0 requireConfined=0
    2013-10-29 17:41:27.564+0000: 3490: debug : virObjectNew:199 : OBJECT_NEW: obj=0x7fdcc01972a0 classname=virSecurityManagerClass
    2013-10-29 17:41:27.564+0000: 3490: debug : virSecuritySELinuxInitialize:563 : SELinuxInitialize LXC
    2013-10-29 17:41:27.565+0000: 3490: debug : virConfReadFile:748 : filename=/etc/selinux/targeted/contexts/lxc_contexts
    2013-10-29 17:41:27.565+0000: 3490: debug : virFileClose:90 : Closed fd 20
    2013-10-29 17:41:27.565+0000: 3490: error : virConfParseValue:524 : configuration file syntax error: /etc/selinux/targeted/contexts/lxc_contexts:1: expecting a value
    2013-10-29 17:41:27.565+0000: 3490: error : virSecuritySELinuxLXCInitialize:421 : cannot open SELinux lxc contexts file '/etc/selinux/targeted/contexts/lxc_contexts': No such file or directory
    2013-10-29 17:41:27.566+0000: 3490: debug : virObjectUnref:256 : OBJECT_UNREF: obj=0x7fdcc01972a0
    2013-10-29 17:41:27.566+0000: 3490: debug : virObjectUnref:258 : OBJECT_DISPOSE: obj=0x7fdcc01972a0
    ====== end of log =====
    Aborted (core dumped)
    #0  0x00007f68e67f2199 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #1  0x00007f68e67f38a8 in __GI_abort () at abort.c:89
    #2  0x00007f68e6833d84 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f68e693f2f8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
    #3  0x00007f68e683b794 in malloc_printerr (ptr=<optimized out>, str=0x7f68e693b492 "free(): invalid pointer", action=3) at malloc.c:4956
    #4  _int_free (av=0x7f68e6b7c760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3788
    #5  0x00007f68e71b20c7 in selabel_close () from /lib64/libselinux.so.1
    #6  0x00007f68e9eb4967 in virSecuritySELinuxSecurityDriverClose (mgr=<optimized out>) at security/security_selinux.c:811
    #7  0x00007f68e9eb1263 in virSecurityManagerDispose (obj=0x7f68c8197460) at security/security_manager.c:236
    #8  0x00007f68e9d1dbeb in virObjectUnref (anyobj=anyobj@entry=0x7f68c8197460) at util/virobject.c:262
    #9  0x00007f68e9eb13df in virSecurityManagerNewDriver (drv=0x7f68ea1aba80 <virSecurityDriverSELinux>, virtDriver=virtDriver@entry=0x7f68d1092871 "LXC", allowDiskFormatProbing=<optimized out>, defaultConfined=<optimized out>, requireConfined=<optimized out>) at security/security_manager.c:99
    #10 0x00007f68e9eb15a5 in virSecurityManagerNew (name=<optimized out>, virtDriver=virtDriver@entry=0x7f68d1092871 "LXC", allowDiskFormatProbing=allowDiskFormatProbing@entry=false, defaultConfined=<optimized out>, requireConfined=<optimized out>) at security/security_manager.c:186
    #11 0x00007f68d108092c in lxcSecurityInit (cfg=0x7f68c8196320) at lxc/lxc_driver.c:1343
    #12 lxcStateInitialize (privileged=<optimized out>, callback=<optimized out>, opaque=<optimized out>) at lxc/lxc_driver.c:1417
    #13 0x00007f68e9daf0ba in virStateInitialize (privileged=true, callback=callback@entry=0x7f68ea7ed300 <daemonInhibitCallback>, opaque=opaque@entry=0x7f68eada0540) at libvirt.c:834
    #14 0x00007f68ea7ed35b in daemonRunStateInit (opaque=opaque@entry=0x7f68eada0540) at libvirtd.c:906
    #15 0x00007f68e9d2e58e in virThreadHelper (data=<optimized out>) at util/virthreadpthread.c:161
    #16 0x00007f68e6f920f3 in start_thread (arg=0x7f68cfa28700) at pthread_create.c:309
    #17 0x00007f68e68b625d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
libvirt-daemon-1.1.3-2.fc21.x86_64
Libvirt obviously shouldn't crash, it should exit with a clear error message. At the same time though, SELinux policy must *not* change the config file format in this way. It has historically always used "..." in this file and must continue to do so. We don't support loading data without the "..." quotes.
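An added example, not libvirt code and not its virConf parser: a stand-alone checker for the one rule this report turns on, that every value in lxc_contexts must be a quoted string, so that a hand-edited file can be checked before libvirtd is restarted. The sample file bodies are constructed from the two files quoted in the report; other virConf value types (lists, numbers) are deliberately not modelled.

```c
/* Added example (not libvirt code): checks that each key=value line in an
 * lxc_contexts file wraps its value in quotes, the way libvirt's virConf
 * format requires.  A bare SELinux context such as
 *   lxc=system_u:system_r:svirt_lxc_net_t:s0
 * is the case libvirtd logs as "expecting a value". */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512

enum ctx_line_status {
    CTX_OK,            /* key="value", or a blank / comment line */
    CTX_UNQUOTED,      /* a value is present but not wrapped in quotes */
    CTX_NO_KEY,        /* no key= at all */
    CTX_UNTERMINATED   /* opening quote without a closing one */
};

/* Check one line.  On CTX_OK with a value, the key and the unquoted value
 * are copied into the caller's buffers (truncated to fit). */
enum ctx_line_status ctx_check_line(const char *line, char *key, size_t keysz,
                                    char *value, size_t valsz)
{
    const char *p = line;
    key[0] = '\0';
    value[0] = '\0';
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '#')          /* nothing to validate */
        return CTX_OK;

    const char *eq = strchr(p, '=');
    if (eq == NULL)
        return CTX_NO_KEY;
    const char *kend = eq;
    while (kend > p && isspace((unsigned char)kend[-1]))
        kend--;                            /* trim spaces before '=' */
    if (kend == p)
        return CTX_NO_KEY;
    size_t klen = (size_t)(kend - p);
    if (klen >= keysz)
        klen = keysz - 1;
    memcpy(key, p, klen);
    key[klen] = '\0';

    const char *v = eq + 1;
    while (isspace((unsigned char)*v))
        v++;
    if (*v != '"' && *v != '\'')          /* the rule: value must be quoted */
        return CTX_UNQUOTED;
    char quote = *v++;
    const char *close = strchr(v, quote);
    if (close == NULL)
        return CTX_UNTERMINATED;
    size_t vlen = (size_t)(close - v);
    if (vlen >= valsz)
        vlen = valsz - 1;
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return CTX_OK;
}

/* Check a whole file body held in memory.  Returns the 1-based number of
 * the first bad line, or 0 when every line passes. */
int ctx_check_text(const char *text)
{
    char line[MAX_LINE], key[64], value[256];
    int lineno = 0;
    const char *cur = text;
    while (*cur != '\0') {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, cur, len);
        line[len] = '\0';
        lineno++;
        if (ctx_check_line(line, key, sizeof key, value, sizeof value) != CTX_OK)
            return lineno;
        cur = nl ? nl + 1 : cur + len;
    }
    return 0;
}

/* Constructed sample inputs: the unquoted file from the report, and the
 * quoted form libvirt actually accepts. */
static const char *BROKEN_CONTEXTS =
    "lxc=system_u:system_r:svirt_lxc_net_t:s0\n"
    "qemu=system_u:system_r:svirt_qemu_net_t:s0\n";
static const char *FIXED_CONTEXTS =
    "lxc=\"system_u:system_r:svirt_lxc_net_t:s0\"\n"
    "qemu=\"system_u:system_r:svirt_qemu_net_t:s0\"\n";

int main(void)
{
    int bad = ctx_check_text(BROKEN_CONTEXTS);
    printf("unquoted file: %s (line %d)\n", bad ? "syntax error" : "ok", bad);
    bad = ctx_check_text(FIXED_CONTEXTS);
    printf("quoted file: %s\n", bad ? "syntax error" : "ok");
    return 0;
}
```

Run it against a real file by reading the file into a buffer and passing it to ctx_check_text; a non-zero return is the line libvirtd would reject with "expecting a value".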
Right, we are shipping with quotes. I just had hand edited the file and left the quotes out.
The crash was fixed upstream with this change, so it is in the 1.2.0 release now in rawhide

    commit f1bdcb2be92b5545d5c33485431d7129a8098cd9
    Author: Ján Tomko <jtomko>
    Date:   Tue Oct 1 13:15:12 2013 +0200

        selinux: Only close the selabel_handle once

        On selinux driver initialization failure (missing/incorrectly
        formatted contexts file), selabel_handle was closed twice.

        Introduced by 6159710.
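An added illustration of the ownership bug the commit message describes; it is not libvirt code and does not reproduce the upstream patch. A static stand-in (label_handle_t, label_open, label_close) replaces libselinux's selabel_handle so the example runs without libselinux and records close counts instead of freeing: a real second selabel_close() on the same pointer is the free(): invalid pointer abort in the backtrace above. The manager/driver split and the contexts_ok flag are simplifications of the init and dispose paths visible in the trace.

```c
/* Added example (not libvirt code): why an init-failure path and a dispose
 * path that both close the same handle end in a double free, and the
 * invariant that fixes it: whichever site closes the handle also clears
 * the pointer, and the other site closes only a non-NULL pointer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for libselinux's selabel_handle.  One static object whose close
 * count can be inspected instead of memory that would be freed. */
typedef struct {
    int closes;
} label_handle_t;

static label_handle_t g_label_handle;

static label_handle_t *label_open(void)
{
    g_label_handle.closes = 0;
    return &g_label_handle;
}

static void label_close(label_handle_t *h)
{
    h->closes++;              /* a real selabel_close() frees h here */
}

/* Per-driver private state holding the handle. */
typedef struct {
    label_handle_t *label_handle;
} sec_driver_t;

/* Driver init.  contexts_ok stands in for "the lxc_contexts file parsed";
 * the report's unquoted file is the contexts_ok == false case. */
static int driver_init_buggy(sec_driver_t *drv, bool contexts_ok)
{
    drv->label_handle = label_open();
    if (!contexts_ok) {
        label_close(drv->label_handle);   /* first close ... */
        return -1;                        /* ... pointer left dangling */
    }
    return 0;
}

static int driver_init_fixed(sec_driver_t *drv, bool contexts_ok)
{
    drv->label_handle = label_open();
    if (!contexts_ok) {
        label_close(drv->label_handle);
        drv->label_handle = NULL;         /* nothing left for dispose to close */
        return -1;
    }
    return 0;
}

/* Driver close, run from the manager's dispose path on both the failure
 * and the normal shutdown route. */
static void driver_close(sec_driver_t *drv)
{
    if (drv->label_handle != NULL) {
        label_close(drv->label_handle);
        drv->label_handle = NULL;
    }
}

/* Models a manager constructor that unrefs (and so disposes) the half-built
 * manager when init fails.  Returns how many times the label handle was
 * closed, which makes the double close observable: 2 for the buggy init on
 * a bad contexts file, 1 in every other case. */
int manager_new_close_count(bool contexts_ok, bool fixed)
{
    sec_driver_t drv = { NULL };
    int rc = fixed ? driver_init_fixed(&drv, contexts_ok)
                   : driver_init_buggy(&drv, contexts_ok);
    (void)rc;                 /* failure or success, dispose runs driver_close */
    driver_close(&drv);
    return g_label_handle.closes;
}

int main(void)
{
    printf("buggy init, bad contexts file: %d close(s)\n",
           manager_new_close_count(false, false));
    printf("fixed init, bad contexts file: %d close(s)\n",
           manager_new_close_count(false, true));
    printf("fixed init, good contexts file: %d close(s)\n",
           manager_new_close_count(true, true));
    return 0;
}
```

The same shape applies to any resource a C object owns: once an error path releases it, the owner must forget the pointer, otherwise the normal teardown releases it again and the outcome depends on what the allocator does with a stale pointer.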