* selinux and static label for sVirt
@ 2014-05-08 13:45 vlad halilov
2014-05-08 20:34 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: vlad halilov @ 2014-05-08 13:45 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]
Hello. I trying to run kvm wih mls policy on RHEL6.5 and got strange error.
Steps:
1) installing with virtulaization software bundle;
2) install selinux mls and some more: xorg-x11-xauth policycoreutils-python
selinux-policy-mls netlabel_tools setools-console;
3) enable mls in selinux/config, set permissive mode, autorelabel fs &
reboot;
4) login by root@ssh with X (permissive mode still in effect) and create vm.
Now, after creating any vm, it can executed only with dynamic label. On
trying to set static label (s0, s1 or any other with compartments) i got
an error:
2014-05-08 13:23:06.711+0000: 1607: error
:virSecuritySELinuxGenSecurityLabel:552 : unable to allocate socket
security context 's0': Invalid argument
Error not depending from emulation type (kvm or qemu), mls or targeted
policy. RH docs describe sVirt as worked futures, and static labeling have
no limitation. May i am doing it wrong?
I tried to change root shell label to vm label (runcon -l s0 for example)
but got same error... Any idea?
---
vlad f halilov
[-- Attachment #2: Type: text/html, Size: 1206 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: selinux and static label for sVirt
2014-05-08 13:45 selinux and static label for sVirt vlad halilov
@ 2014-05-08 20:34 ` Paul Moore
2014-05-09 5:33 ` vlad halilov
0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2014-05-08 20:34 UTC (permalink / raw)
To: selinux, vlad halilov
On Thursday, May 08, 2014 05:45:56 PM vlad halilov wrote:
> Hello. I trying to run kvm wih mls policy on RHEL6.5 and got strange error.
>
> Steps:
>
> 1) installing with virtulaization software bundle;
> 2) install selinux mls and some more: xorg-x11-xauth policycoreutils-python
> selinux-policy-mls netlabel_tools setools-console;
> 3) enable mls in selinux/config, set permissive mode, autorelabel fs &
> reboot;
> 4) login by root@ssh with X (permissive mode still in effect) and create vm.
>
> Now, after creating any vm, it can executed only with dynamic label. On
> trying to set static label (s0, s1 or any other with compartments) i got
> an error:
>
> 2014-05-08 13:23:06.711+0000: 1607: error
>
> :virSecuritySELinuxGenSecurityLabel:552 : unable to allocate socket
> security context 's0': Invalid argument
If you are going to use static labels with sVirt you need to specify the
entire SELinux label and not just the MLS field. I recommend searching for
the "Red Hat Enterprise Linux 6 Virtualization Security Guide" for more
information on using sVirt with RHEL6.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-05-09 5:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-08 13:45 selinux and static label for sVirt vlad halilov
2014-05-08 20:34 ` Paul Moore
2014-05-09 5:33 ` vlad halilov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.