When attempting to create LXC containers using libvirt:

    virt-install --connect lxc:/// -n lxctest -r 1024 --init=/bin/bash

Libvirt attempts to create the directory /selinux, which leads to:

    ERROR    internal error guest failed to start: PATH=/bin:/sbin TERM=linux LIBVIRT_LXC_UUID=1b2b9265-d085-935a-475b-633e25876be0 LIBVIRT_LXC_NAME=lxctest /bin/bash
    12:56:53.936: 1: info : libvirt version: 0.9.6, package: 2.fc16 (Fedora Project, 2011-10-03-13:59:09, x86-15.phx2.fedoraproject.org)
    12:56:53.936: 1: error : lxcContainerMountBasicFS:448 : Failed to mkdir /selinux: Permission denied
    12:56:53.939: 7037: info : libvirt version: 0.9.6, package: 2.fc16 (Fedora Project, 2011-10-03-13:59:09, x86-15.phx2.fedoraproject.org)
    12:56:53.939: 7037: error : virCommandWait:2173 : internal error Child process (ip link set veth1 netns 7038) status unexpected: exit status 2

If one creates this directory, the rest of the process completes successfully:

    # mkdir /selinux
    Starting install...
    Creating domain...                                    |    0 B     00:00
    Connected to domain lxctest
    Escape character is ^]
    bash: /root/.bashrc: Permission denied
    bash-4.2#

But the container will be largely useless due to SELinux restrictions. This shows up immediately:

    Nov 14 12:58:44 obliquity setroubleshoot: SELinux is preventing /usr/libexec/libvirt_lxc from read access on the directory selinux. For complete SELinux messages. run sealert -l f4836bb8-4bb6-4b1f-bf59-92d0a13b478a

This shows up if one runs 'ps' inside the container:

    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from create access on the netlink_audit_socket Unknown. For complete SELinux messages. run sealert -l 92d074cb-4c3c-49fe-9c9d-97e8c9cb4a32
    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/ps from getattr access on the filesystem /. For complete SELinux messages. run sealert -l 8f9080a5-107a-437e-8d0f-5b59c1213c09
    Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/ps from search access on the directory kernel. For complete SELinux messages. run sealert -l d25bce6f-17cd-4a1b-bcbf-1f58fbb5b25b

And this happens if one tries to run 'ifconfig':

    Nov 14 13:02:50 obliquity setroubleshoot: SELinux is preventing /bin/bash from create access on the netlink_audit_socket Unknown. For complete SELinux messages. run sealert -l 92d074cb-4c3c-49fe-9c9d-97e8c9cb4a32
    Nov 14 13:02:50 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
    Nov 14 13:02:50 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9

Perhaps these restrictions are intentional, but the general experience is unpleasant. It would be nice to have a simple solution other than disabling selinux. Maybe an installable selinux profile for those of us working with container-style virtualization?
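The setroubleshoot lines quoted in the report repeat the same denial several times (the setpgid one alone appears with the same sealert id on every run), which makes it hard to see how many distinct policy gaps there actually are. The following shell script is an added triage example, not something from the bug report or from libvirt: it parses lines in the setroubleshoot format shown above, collapses them into one row per sealert id with a count, and reports how many distinct denials need looking at. The log lines inside it are constructed from the format in the report (one unrelated kernel line is included to show that non-matching lines are dropped); on a real host you would pipe the setroubleshoot entries from syslog or the journal into the same functions instead.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage setroubleshoot syslog
# lines by collapsing repeated denials into one row per sealert id, with a
# count, so the distinct policy gaps stand out.

# Constructed sample in the same message format as the report, including the
# setpgid denial that shows up three times under one sealert id, plus one
# unrelated line that the parser must ignore.
SAMPLE_LOG='Nov 14 12:58:44 obliquity setroubleshoot: SELinux is preventing /usr/libexec/libvirt_lxc from read access on the directory selinux. For complete SELinux messages. run sealert -l f4836bb8-4bb6-4b1f-bf59-92d0a13b478a
Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from create access on the netlink_audit_socket Unknown. For complete SELinux messages. run sealert -l 92d074cb-4c3c-49fe-9c9d-97e8c9cb4a32
Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/ps from getattr access on the filesystem /. For complete SELinux messages. run sealert -l 8f9080a5-107a-437e-8d0f-5b59c1213c09
Nov 14 13:00:27 obliquity setroubleshoot: SELinux is preventing /bin/ps from search access on the directory kernel. For complete SELinux messages. run sealert -l d25bce6f-17cd-4a1b-bcbf-1f58fbb5b25b
Nov 14 13:02:50 obliquity setroubleshoot: SELinux is preventing /bin/bash from using the setpgid access on a process. For complete SELinux messages. run sealert -l 820f8c4c-6cb9-481f-9dc1-0387fe1ed3e9
Nov 14 13:02:50 obliquity kernel: unrelated line that must be ignored'

# Reduce each denial line to "<sealert-id> <source> <access> <target>".
# The first expression normalises "from using the X access" to "from X access"
# so one pattern handles both phrasings; lines from other daemons or with a
# truncated message never match the second expression and are dropped.
parse_denials() {
  sed -n \
    -e 's/ from using the \([a-z_]*\) access on / from \1 access on /' \
    -e 's/^.* setroubleshoot: SELinux is preventing \([^ ]*\) from \([a-z_]*\) access on \(.*\)\. For complete SELinux messages\. run sealert -l \([0-9a-f-]*\).*$/\4 \1 \2 \3/p'
}

# One row per distinct denial, most frequent first:
# "<count> <sealert-id> <source> <access> <target>".
summarize_denials() {
  parse_denials | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Number of distinct sealert ids, i.e. distinct denials to investigate.
count_distinct_denials() {
  parse_denials | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
echo "distinct denials: $(printf '%s\n' "$SAMPLE_LOG" | count_distinct_denials)"
```

Each sealert id in the summary can then be expanded with the `sealert -l <id>` command the messages themselves point at. The deduplicated list is also the right starting point for the "installable selinux profile" the reporter asks for: a local policy module is built from the underlying AVC records (for example with audit2allow), not from these syslog summaries, but the summary tells you which and how many distinct rules such a module would have to grant, and therefore how much of the confinement it would loosen.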
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
There is active work being done on this upstream, but it isn't backportable to F16 since it's far too invasive. So closing as WONTFIX for f16
Is there an upstream issue or other source of information you can point at? Should this be re-opened for F17?
Lars, best link I've got is: http://libvirt.org/git/?p=libvirt.git;a=history;f=src/lxc;hb=HEAD Changes to LXC in libvirt, notice all the ones talking about selinux. However it looks like the bulk of these changes are in F17, so if you test there and hit this issue, or any different ones, please file F17 bug reports and we can evaluate backports.