* selinux and static label for sVirt
@ 2014-05-08 13:45 vlad halilov
From: vlad halilov @ 2014-05-08 13:45 UTC (permalink / raw)
To: SELinux
Hello. I am trying to run KVM with the MLS policy on RHEL6.5 and got a strange error.
Steps:
1) installing with the virtualization software bundle;
2) install selinux mls and some more: xorg-x11-xauth policycoreutils-python
selinux-policy-mls netlabel_tools setools-console;
3) enable mls in selinux/config, set permissive mode, autorelabel fs &
reboot;
4) login by root@ssh with X (permissive mode still in effect) and create vm.
Now, after creating any vm, it can be executed only with a dynamic label. On
trying to set a static label (s0, s1 or any other with compartments) I got
an error:
2014-05-08 13:23:06.711+0000: 1607: error
:virSecuritySELinuxGenSecurityLabel:552 : unable to allocate socket
security context 's0': Invalid argument
The error does not depend on the emulation type (kvm or qemu) or on the mls or targeted
policy. RH docs describe sVirt as a working feature, and static labeling has
no limitation. Maybe I am doing it wrong?
I tried to change the root shell label to the vm label (runcon -l s0 for example)
but got the same error... Any idea?
---
vlad f halilov
* Re: selinux and static label for sVirt
From: Paul Moore @ 2014-05-08 20:34 UTC (permalink / raw)
To: selinux, vlad halilov
On Thursday, May 08, 2014 05:45:56 PM vlad halilov wrote:
> Hello. I am trying to run KVM with the MLS policy on RHEL6.5 and got a strange error.
>
> Steps:
>
> 1) installing with the virtualization software bundle;
> 2) install selinux mls and some more: xorg-x11-xauth policycoreutils-python
> selinux-policy-mls netlabel_tools setools-console;
> 3) enable mls in selinux/config, set permissive mode, autorelabel fs &
> reboot;
> 4) login by root@ssh with X (permissive mode still in effect) and create vm.
>
> Now, after creating any vm, it can be executed only with a dynamic label. On
> trying to set a static label (s0, s1 or any other with compartments) I got
> an error:
>
> 2014-05-08 13:23:06.711+0000: 1607: error
>
> :virSecuritySELinuxGenSecurityLabel:552 : unable to allocate socket
> security context 's0': Invalid argument
If you are going to use static labels with sVirt you need to specify the
entire SELinux label and not just the MLS field. I recommend searching for
the "Red Hat Enterprise Linux 6 Virtualization Security Guide" for more
information on using sVirt with RHEL6.
--
paul moore
www.paul-moore.com
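To make the reply above concrete, here is an added example (my own code, not libvirt's and not from either poster) that checks a libvirt domain XML for a static SELinux seclabel and rejects a bare MLS field such as 's0' while accepting a full user:role:type:mls context; the regexes and the two constructed domain fragments are assumptions of this example, and it assumes, as on RHEL policies, that the MLS/MCS field is always part of the context.

```python
import re
import xml.etree.ElementTree as ET

# One MLS/MCS level: sensitivity plus optional categories, e.g. s0, s1, s0:c10,c20, s0:c0.c1023
LEVEL = r"s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
MLS_RE = re.compile(rf"^{LEVEL}(?:-{LEVEL})?$")
# A full context is user:role:type followed by the MLS/MCS range (assumed mandatory, as on RHEL).
CONTEXT_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<mls>.+)$")


def parse_context(label):
    """Split a full SELinux context into its four fields; return None for anything else."""
    m = CONTEXT_RE.match(label)
    if m is None or not MLS_RE.match(m.group("mls")):
        return None
    return m.groupdict()


def check_seclabel(domain_xml):
    """Return the problems found in static selinux <seclabel> elements of a domain XML."""
    problems = []
    for sec in ET.fromstring(domain_xml).iter("seclabel"):
        if sec.get("model") != "selinux" or sec.get("type") != "static":
            continue  # dynamic labels are generated by libvirt itself, nothing to check
        lbl = sec.find("label")
        text = (lbl.text or "").strip() if lbl is not None else ""
        if not text:
            problems.append("static selinux seclabel has no <label>")
        elif parse_context(text) is None:
            problems.append(f"'{text}' is not a full user:role:type:mls context")
    return problems


# Constructed domain fragments: the label from the thread that fails, and the one that works.
DOMAIN_TEMPLATE = """<domain type='kvm'><name>guest</name>
  <seclabel type='static' model='selinux'><label>{}</label></seclabel>
</domain>"""
BROKEN_XML = DOMAIN_TEMPLATE.format("s0")
FIXED_XML = DOMAIN_TEMPLATE.format("system_u:system_r:svirt_t:s1")

if __name__ == "__main__":
    for name, xml in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, check_seclabel(xml) or "ok")
```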
* Re: selinux and static label for sVirt
From: vlad halilov @ 2014-05-09 5:33 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux
Yeah, that's my mistake. Now everything is all right with the full label context
'system_u:system_r:svirt_t:s1'. Thanks everyone.
On Fri, May 9, 2014 at 12:34 AM, Paul Moore <paul@paul-moore.com> wrote:
>
> If you are going to use static labels with sVirt you need to specify the
> entire SELinux label and not just the MLS field. I recommend searching for
> the "Red Hat Enterprise Linux 6 Virtualization Security Guide" for more
> information on using sVirt with RHEL6.
>
>