Bug#688179: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver
clone 688179 -1
rettitle -1 LXC selinux support not working
reopen -1
thanks

Hi,

On Sun, Jan 26, 2014 at 10:07:24PM +0100, Mateusz Matuszkowiak wrote:
> Hello again,
>
> I did some digging lately and I see that libvirtd won't start due to missing /etc/selinux/default/contexts/lxc_contexts file, which is provided by refpolicy in latest Fedora with a content as follows:

Thanks for looking into this. I've opened a new bug since there's far too much crammed into this report already. Please use the new bug to track this issue.

Laurent, do you have any selinux policy updates planned for this or are you focusing on qemu atm?

Cheers,
 -- Guido
Bug#688179: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver
Hi,

On Thu, Dec 26, 2013 at 10:50:47PM +0100, Laurent Bigonville wrote:
> On Thu, 26 Dec 2013 22:04:07 +0100, Guido Günther a...@sigxcpu.org wrote:
>> On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
>>> tag 688179 + patch
>>> thanks
>>>
>>> Hi,
>>>
>>> Please apply the attached patch.
>>>
>>> I've just tested again and the VMs (using qemu) are starting properly and run in the expected context.
>>
>> The main reason for not enabling this upfront was that it triggered bugs when selinux was not available. Did you by any chance test this as well?
>>
>> Cheers,
>
> IIRC the main issue was the fact that the selinux policy was too old.

Well in fact both. While too old policy is an issue for selinux enabled systems I remember there were problems in the volume handling parts with selinux compiled in but not enabled. But let's check and fix this in case it pops up again.

Cheers and thanks for your patches,
 -- Guido

P.S.: it'd be awesome if you could generate our patches with git-format-patch since this would give me the correct authorship information. Extra bonus points for adding a git-dch compatible Closes: # line.

> Anyway, I just retried and I can confirm that with selinux security driver compiled in libvirt and selinux disabled on the machine, I can still start VMs
>
> So I guess it's OK
>
> Cheers,
>
> Laurent Bigonville
Bug#688179: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver
On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
> tag 688179 + patch
> thanks
>
> Hi,
>
> Please apply the attached patch.
>
> I've just tested again and the VMs (using qemu) are starting properly and run in the expected context.

The main reason for not enabling this upfront was that it triggered bugs when selinux was not available. Did you by any chance test this as well?

Cheers,
 -- Guido

> Cheers,
>
> Laurent Bigonville

diff -Nru libvirt-1.2.0/debian/control libvirt-1.2.0/debian/control --- libvirt-1.2.0/debian/control 2013-12-17 23:14:46.0 +0100 +++ libvirt-1.2.0/debian/control 2013-12-26 16:33:45.0 +0100 @@ -36,6 +36,7 @@ libnetcf-dev (= 1:0.2.3-3~) [linux-any], libsanlock-dev [linux-any], libaudit-dev [linux-any], + libselinux1-dev (= 2.0.82) [linux-any], systemtap-sdt-dev [amd64 armel armhf i386 ia64 powerpc s390], # for --with-storage-sheepdog sheepdog [linux-any], @@ -88,6 +89,7 @@ Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Recommends: lvm2 [linux-any] +Breaks: selinux-policy-default ( 2:2.20131214-1~), selinux-policy-mls ( 2:2.20131214-1~) Description: library for interfacing with different virtualization systems Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The library aims at providing diff -Nru libvirt-1.2.0/debian/rules libvirt-1.2.0/debian/rules --- libvirt-1.2.0/debian/rules2013-12-17 23:14:46.0 +0100 +++ libvirt-1.2.0/debian/rules2013-12-26 15:56:00.0 +0100 @@ -29,6 +29,7 @@ WITH_SANLOCK= --with-sanlock WITH_INIT_SCRIPT= --with-init-script=systemd WITH_AUDIT = --with-audit + WITH_SELINUX= --with-selinux --with-secdriver-selinux ifneq (,$(findstring $(DEB_HOST_ARCH), amd64 armel armhf i386 ia64 powerpc s390)) WITH_DTRACE = --with-dtrace else 
@@ -61,6 +62,7 @@ WITH_NETCF = --without-netcf WITH_INIT_SCRIPT= --with-init-script=none WITH_AUDIT = --without-audit + WITH_SELINUX= --without-selinux WITH_DTRACE = --without-dtrace WITH_XEN= --without-xen WITH_LIBXL = --without-libxl @@ -88,7 +90,7 @@ $(WITH_STORAGE_RBD) \ $(WITH_INIT_SCRIPT) \ $(WITH_NUMA) \ - --without-selinux\ + $(WITH_SELINUX) \ --without-esx\ --without-phyp \ $(WITH_CAPNG)\ 
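
Review bot: in debian/control, hunk @@ -36,6 +36,7 @@, the added build dependency reads `libselinux1-dev (= 2.0.82) [linux-any]`, which as written is an exact-version relation rather than a minimum version. If a lower bound is what is meant, it should be `(>= 2.0.82)`. The context line `libnetcf-dev (= 1:0.2.3-3~)` has the same shape, so the operator may simply have been lost in this copy of the patch; check it against the attachment in the bug before applying.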
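
Review bot: in debian/control, hunk @@ -88,6 +89,7 @@, the new `Breaks:` entries `selinux-policy-default ( 2:2.20131214-1~)` and `selinux-policy-mls ( 2:2.20131214-1~)` carry no relation operator inside the parentheses, which is not a valid versioned relation; to exclude policy packages older than that version it needs `(<< 2:2.20131214-1~)`. The field is also added to the stanza whose description is "library for interfacing with different virtualization systems", so consider whether the constraint belongs on the package that ships libvirtd instead, and record in the changelog why this policy version is the lower bound.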
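
Review bot: in debian/rules, hunk @@ -88,7 +90,7 @@, replacing the fixed `--without-selinux` with `$(WITH_SELINUX)` means any build path that never assigns `WITH_SELINUX` passes nothing to configure and gets configure's default for that option. The patch assigns the variable in the two branches shown (@@ -29,6 +29,7 @@ and @@ -61,6 +62,7 @@); confirm these are the only branches, or assign a `--without-selinux` default before the conditional so the SELinux driver is only ever enabled explicitly. For symmetry with `--with-selinux --with-secdriver-selinux`, the second branch could also pass `--without-secdriver-selinux`.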
Bug#688179: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver
On Thu, 26 Dec 2013 22:04:07 +0100, Guido Günther a...@sigxcpu.org wrote:
> On Thu, Dec 26, 2013 at 04:36:52PM +0100, Laurent Bigonville wrote:
>> tag 688179 + patch
>> thanks
>>
>> Hi,
>>
>> Please apply the attached patch.
>>
>> I've just tested again and the VMs (using qemu) are starting properly and run in the expected context.
>
> The main reason for not enabling this upfront was that it triggered bugs when selinux was not available. Did you by any chance test this as well?
>
> Cheers,

IIRC the main issue was the fact that the selinux policy was too old.

Anyway, I just retried and I can confirm that with selinux security driver compiled in libvirt and selinux disabled on the machine, I can still start VMs

So I guess it's OK

Cheers,

Laurent Bigonville
Bug#688179: [Pkg-libvirt-maintainers] Bug#688179: libvirt: Please enable selinux security driver
Hi Laurent,

On Thu, Sep 20, 2012 at 12:52:20AM +0200, Laurent Bigonville wrote:
> Source: libvirt
> Version: 0.9.12-5
> Severity: wishlist
>
> Hi,
>
> Could you please enable the selinux security driver on libvirt compiled on linux.
>
> This bug is more a reminder bug. This shouldn't be implemented until #559356 is fixed.

Somebody with interest in SELinux would need to fix up the necessary policies (as you noted). Are you in any way interested to do this? I'd be happy to do so but I'm lacking the time for any serious Debian work at the moment.

Cheers,
 -- Guido

> Cheers
>
> Laurent Bigonville
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.5-trunk-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash