Bug 840110 - app-emulation/virt-manager: can't start VM, reporting MLS related error, in system using Strict SELINUXTYPE
Status: RESOLVED WORKSFORME
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: AMD64 Linux
Importance: Normal major
Assignee: SE Linux Bugs
Reported: 2022-04-22 11:49 UTC by labyrithfind
Modified: 2022-09-17 19:57 UTC
Description labyrithfind 2022-04-22 11:49:03 UTC
Hi Team,

I'm using the Strict config in my SELinux setup, and today I configured it to use virt-manager for running a VM.

After adding some custom policy to allow all the AVC-blocked entries, there seems to be one last step to get the VM to start up.

Message that virt-manager reports during start:
Error starting domain: unable to set socket security context 'system_u:system_r:svirt_t:s0:c667,c918': Invalid argument

Logs generated by syslog in real time:
Apr 22 09:48:32 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c667,c918 is not valid (left unmapped).

If I change the current SELinux mode to permissive at runtime, the syslog message about `not valid` still occurs, but the VM can finally start without issue.

It's weird that a system running the Strict SELinux policy would report MLS-like errors. Maybe there is some issue in sec-policy/selinux-virt?

I'm currently using the unstable branch of all the SELinux policies:
sec-policy/selinux-virt-2.20220106-r3::gentoo
sec-policy/selinux-base-2.20220106-r3::gentoo


Regards
Comment 1 labyrithfind 2022-04-22 12:17:09 UTC
These are several attempts to start it within less than 10 seconds.
Obviously the MLS category info is completely random:

Apr 22 12:15:15 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c48,c571 is not valid (left unmapped).
Apr 22 12:15:16 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c622,c686 is not valid (left unmapped).
Apr 22 12:15:17 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c686,c767 is not valid (left unmapped).
Apr 22 12:15:18 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c566,c860 is not valid (left unmapped).
Apr 22 12:15:19 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c660,c758 is not valid (left unmapped).
Apr 22 12:15:19 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c339,c937 is not valid (left unmapped).
Apr 22 12:15:20 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c574,c748 is not valid (left unmapped).
Apr 22 12:15:21 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c861,c925 is not valid (left unmapped).
Apr 22 12:15:22 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c24,c954 is not valid (left unmapped).
Apr 22 12:15:23 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c193,c829 is not valid (left unmapped).
Apr 22 12:15:23 localhost kernel: SELinux:  Context system_u:object_r:svirt_image_t:s0:c208,c973 is not valid (left unmapped).
Comment 2 Kenton Groombridge gentoo-dev 2022-04-22 14:12:07 UTC
This is because the default behavior of libvirtd on SELinux-enabled systems is to generate a dynamic label for the VM and its files. Unfortunately it does this by assuming that MCS/MLS is enabled, which is causing the "context is not valid" errors on the strict policy.

You have 2 solutions here that I know of:

1) Switch to the MCS or MLS policy types. I personally recommend using MCS and setting USE=-unconfined if you are used to the strict policy type.

2) Edit the VM's domain XML in virt-manager and add these elements to it:

<seclabel type='static' model='selinux'>
  <label>system_u:system_r:svirt_t:s0</label>
  <imagelabel>system_u:system_r:svirt_image_t:s0</imagelabel>
</seclabel>

This will force a static confined label onto the VM and its images, but without MCS categories.
Comment 3 Kenton Groombridge gentoo-dev 2022-05-12 14:54:05 UTC
> 2) Edit the VM's domain XML in virt-manager and add these elements to it:
> 
> <seclabel type='static' model='selinux'>
>   <label>system_u:system_r:svirt_t:s0</label>
>   <imagelabel>system_u:system_r:svirt_image_t:s0</imagelabel>
> </seclabel>
> 

Correction: leave off the s0 in the <imagelabel> field. I forgot this is unused on the strict policy. It should look like:

<seclabel type='static' model='selinux'>
  <label>system_u:system_r:svirt_t</label>
  <imagelabel>system_u:system_r:svirt_image_t</imagelabel>
</seclabel>
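As an added illustration of the workaround in comments 2 and 3 (this is example code written for this page, not code from the bug report, libvirt or virt-manager): the script below rewrites a domain's XML so that it carries the static `<seclabel>` instead of the dynamic one libvirt generates, using the strict-policy labels from comment 3 by default and the `:s0` variant from comment 2 on request. It also checks that the contexts in the kernel's "left unmapped" messages indeed carry an MLS/MCS range, which is the quickest way to confirm the policy-type mismatch from logs alone. The sample domain XML and the log line fed to it are constructed for the example; the labels are copied from the comments above.

```python
"""Replace libvirt's dynamic SELinux seclabel with a static one.

Constructed example for this bug; not code from the report, libvirt or
virt-manager. Labels reproduce comment 3 (strict policy: no range) and
comment 2 (MCS/MLS policy: ':s0').
"""
import re
import xml.etree.ElementTree as ET

# Labels as given in the bug comments.
PROCESS_LABEL = "system_u:system_r:svirt_t"
IMAGE_LABEL = "system_u:system_r:svirt_image_t"

# Constructed sample domain XML in the shape libvirt produces once it has
# generated a dynamic label (categories c667,c918 taken from the report).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>testvm</name>
  <memory unit='KiB'>1048576</memory>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c667,c918</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c667,c918</imagelabel>
  </seclabel>
</domain>
"""

# Matches the kernel message quoted in the report (note the double space).
UNMAPPED_RE = re.compile(r"SELinux:\s+Context (\S+) is not valid \(left unmapped\)")


def context_has_range(context: str) -> bool:
    """True if an SELinux context has a 4th field (MLS/MCS range).

    A context is user:role:type[:range]. The range (s0 plus categories)
    is what the strict policy cannot map, hence 'left unmapped'.
    """
    return len(context.split(":")) > 3


def unmapped_contexts(log_lines):
    """Return the contexts the kernel refused to map, from syslog/dmesg lines."""
    found = []
    for line in log_lines:
        m = UNMAPPED_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def selinux_seclabels(domain_xml: str):
    """List the <seclabel model='selinux'> elements of a domain as dicts."""
    root = ET.fromstring(domain_xml)
    out = []
    for sec in root.findall("seclabel"):
        if sec.get("model") != "selinux":
            continue
        out.append({
            "type": sec.get("type"),
            "label": sec.findtext("label"),
            "imagelabel": sec.findtext("imagelabel"),
        })
    return out


def apply_static_seclabel(domain_xml: str, with_range: bool = False) -> str:
    """Return domain XML with one static SELinux seclabel and no categories.

    with_range=False -> strict policy labels (comment 3, no ':s0').
    with_range=True  -> MCS/MLS policy labels with ':s0' (comment 2).
    """
    suffix = ":s0" if with_range else ""
    root = ET.fromstring(domain_xml)
    # Remove any existing selinux seclabel so libvirt does not see two.
    for sec in list(root.findall("seclabel")):
        if sec.get("model") == "selinux":
            root.remove(sec)
    sec = ET.SubElement(root, "seclabel", {"type": "static", "model": "selinux"})
    ET.SubElement(sec, "label").text = PROCESS_LABEL + suffix
    ET.SubElement(sec, "imagelabel").text = IMAGE_LABEL + suffix
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(apply_static_seclabel(SAMPLE_DOMAIN_XML))
```

To use it against a real domain, export the XML with `virsh dumpxml NAME`, run it through `apply_static_seclabel`, and load the result back with `virsh define`; as comment 3 notes, leave the `:s0` off (the default here) on the strict policy, and only pass `with_range=True` if you have switched to the MCS or MLS policy type.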
Comment 4 Kenton Groombridge gentoo-dev 2022-09-17 19:57:46 UTC
I've added a note on the SELinux installation wiki page as well as a troubleshooting note on the QEMU wiki page to hopefully better highlight this. Ultimately this is not a bug but a configuration issue.

https://wiki.gentoo.org/wiki/SELinux/Installation#Choosing_a_SELinux_policy_type
https://wiki.gentoo.org/wiki/QEMU#Invalid_context_errors_on_SELinux_systems