[Pkg-libvirt-maintainers] Bug#559356: Bug#559356: libvirt-bin: libvirtd fails to start (SELinux)
Luca Tettamanti
kronos.it at gmail.com
Fri Dec 4 11:19:57 UTC 2009
On Fri, Dec 4, 2009 at 10:33 AM, Guido Günther <agx at sigxcpu.org> wrote:
> Hi Luca,
> On Thu, Dec 03, 2009 at 10:41:04PM +0100, Luca Tettamanti wrote:
>> Package: libvirt-bin
>> Version: 0.7.4-1
>> Severity: normal
>>
>> Hello,
>> libvirtd fails to start when SELinux is active on the system; this the
>> output of the program:
>>
>> 22:31:41.249: warning : qemudStartup:907 : Unable to create cgroup for driver: No such device or address
>> 22:31:41.311: error : SELinuxInitialize:115 : cannot open SELinux virtual domain context file '/etc/selinux/default/contexts/virtual_domain_context': No such file or directory
>> 22:31:41.311: error : qemudSecurityInit:764 : Failed to start security driver
>> 22:31:41.311: error : virStateInitialize:832 : Initialization of QEMU state driver failed
>> 22:31:41.312: error : main:3155 : Driver state initialization failed
>> 22:31:41.312: warning : qemudDispatchSignalEvent:383 : Shutting down on signal 3
>>
>> /etc/selinux/default/contexts/virtual_domain_context is not provided by the
>> selinux-policy-default package...
> Fedora has it though:
>
> http://cvs.fedoraproject.org/viewvc//rpms/selinux-policy/F-12/selinux-policy.spec?view=markup
>
> Since I'm not running SELinux: could you have a look at the Fedora
> policy and see if the files are suitable?
With both virtual_domain_context and virtual_image_context from F12
the daemon starts, but then I'm unable to start any VM:
ERROR internal error unable to start guest: libvir: Security
Labeling error : unable to set security context
'system_u:system_r:svirt_t:s0:c206,c208': Invalid argument
libvir: Security Labeling error : unable to set security context
'system_u:object_r:svirt_image_t:s0:c206,c208' on
'/var/lib/libvirt/images/winxp-am.img': Invalid argument
I have virt.pp loaded, and the operation fails even with SELinux in
permissive mode :(
I'm unable to load virt.pp from F-12, it seems that other modules are required:
libsepol.permission_copy_callback: Module virt depends on permission
module_request in class system, not satisfied (No such file or
directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file
or directory).
semodule: Failed!
I'm not _that_ expert with SELinux (and I'd rather not mess up my
server too much...), you may want to disable selinux support in the
package at least until an appropriate policy is available... feel free
to bounce this bug to the selinux guys.
Luca
More information about the Pkg-libvirt-maintainers
mailing list