Description of problem:
Set security_default_confined = 0 and security_require_confined = 1 in qemu.conf, and set dynamic selinux in the domain XML; the guest failed to start:

# virsh dumpxml rhel7
...
<seclabel type='dynamic' model='selinux' relabel='yes'/>
...

# virsh start rhel7
error: Failed to start domain rhel7
error: unsupported configuration: Unconfined guests are not allowed on this host

Version-Release number of selected component:
libvirt-2.0.0-5.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Configure qemu.conf as below and restart the libvirtd service:
# grep '^security' /etc/libvirt/qemu.conf
security_default_confined = 0
security_require_confined = 1
2. Start the guest

Actual results:
Guest failed to start

Expected results:
Guest starts successfully, because the dac driver is enabled by default.

Additional info:
If both selinux and dac security labels are set in the domain XML, the guest will start successfully:

# virsh dumpxml rhel7
...
<seclabel type='dynamic' model='selinux' relabel='yes'/>
<seclabel type='dynamic' model='dac' relabel='yes'/>
...

# virsh start rhel7
Domain rhel7 started

The "dac" driver cannot really be considered confinement; the error here is right.