| Summary: | app-emulation/virt-manager: can't start VM, reporting MLS related error, in system using Strict SELINUXTYPE | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | labyrithfind <jacksonhub2> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | major | CC: | gentoo, virtualization |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description

labyrithfind
2022-04-22 11:49:03 UTC

These are from trying to start the VM several times in less than 10 seconds. Obviously the MLS category info is completely random:

```text
Apr 22 12:15:15 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c48,c571 is not valid (left unmapped).
Apr 22 12:15:16 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c622,c686 is not valid (left unmapped).
Apr 22 12:15:17 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c686,c767 is not valid (left unmapped).
Apr 22 12:15:18 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c566,c860 is not valid (left unmapped).
Apr 22 12:15:19 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c660,c758 is not valid (left unmapped).
Apr 22 12:15:19 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c339,c937 is not valid (left unmapped).
Apr 22 12:15:20 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c574,c748 is not valid (left unmapped).
Apr 22 12:15:21 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c861,c925 is not valid (left unmapped).
Apr 22 12:15:22 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c24,c954 is not valid (left unmapped).
Apr 22 12:15:23 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c193,c829 is not valid (left unmapped).
Apr 22 12:15:23 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c208,c973 is not valid (left unmapped).
```

This is because the default behavior of libvirtd on SELinux-enabled systems is to generate a dynamic label for the VM and its files. Unfortunately it does this by assuming that MCS/MLS is enabled, which is causing the "context is not valid" errors on the strict policy. You have 2 solutions here that I know of:

1) Switch to the MCS or MLS policy types. I personally recommend using MCS and setting USE=-unconfined if you are used to the strict policy type.

2) Edit the VM's domain XML in virt-manager and add these elements to it:

```xml
<seclabel type='static' model='selinux'>
  <label>system_u:system_r:svirt_t:s0</label>
  <imagelabel>system_u:system_r:svirt_image_t:s0</imagelabel>
</seclabel>
```

This will force a static confined label on the VM and its images but without MCS categories.

> 2) Edit the VM's domain XML in virt-manager and add these elements to it:
>
> <seclabel type='static' model='selinux'>
> <label>system_u:system_r:svirt_t:s0</label>
> <imagelabel>system_u:system_r:svirt_image_t:s0</imagelabel>
> </seclabel>
>
Correction: leave off the s0 in the <imagelabel> field. I forgot this is unused on the strict policy. It should look like:

```xml
<seclabel type='static' model='selinux'>
  <label>system_u:system_r:svirt_t</label>
  <imagelabel>system_u:system_r:svirt_image_t</imagelabel>
</seclabel>
```

I've added a note on the SELinux installation wiki page as well as a troubleshooting note on the QEMU wiki page to hopefully better highlight this. Ultimately this is not a bug but a configuration issue.

https://wiki.gentoo.org/wiki/SELinux/Installation#Choosing_a_SELinux_policy_type
https://wiki.gentoo.org/wiki/QEMU#Invalid_context_errors_on_SELinux_systems
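As an added example (not part of this bug report, nor code from libvirt or virt-manager), the script below pulls the "left unmapped" contexts out of the kernel messages quoted in the report, showing the MCS range a strict policy cannot map, and rewrites a domain definition to the corrected static seclabel. The domain XML and the VM name `example-vm` are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Kernel messages copied from the report (first three of the eleven).
KERNEL_LOG = """\
Apr 22 12:15:15 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c48,c571 is not valid (left unmapped).
Apr 22 12:15:16 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c622,c686 is not valid (left unmapped).
Apr 22 12:15:17 localhost kernel: SELinux: Context system_u:object_r:svirt_image_t:s0:c686,c767 is not valid (left unmapped).
"""

INVALID_CTX = re.compile(
    r"SELinux: Context (?P<ctx>\S+) is not valid \(left unmapped\)")


def unmapped_contexts(log: str) -> list[tuple[str, str]]:
    """Return (user:role:type, mls_range) for each 'left unmapped' message.
    A non-empty range means libvirt produced an MCS/MLS field that a
    strict (non-MCS/MLS) policy cannot map, which is the report's symptom."""
    found = []
    for m in INVALID_CTX.finditer(log):
        parts = m.group("ctx").split(":", 3)  # user, role, type, [range]
        found.append((":".join(parts[:3]), parts[3] if len(parts) == 4 else ""))
    return found


def static_seclabel(domain_xml: str, mls: bool = False) -> str:
    """Replace any <seclabel> in a libvirt domain definition with the static
    label from the correction above. With mls=False the :s0 sensitivity is
    omitted, since the strict policy has no MLS field at all."""
    suffix = ":s0" if mls else ""
    root = ET.fromstring(domain_xml)
    for old in root.findall("seclabel"):
        root.remove(old)
    sec = ET.SubElement(root, "seclabel", type="static", model="selinux")
    ET.SubElement(sec, "label").text = "system_u:system_r:svirt_t" + suffix
    ET.SubElement(sec, "imagelabel").text = "system_u:system_r:svirt_image_t" + suffix
    return ET.tostring(root, encoding="unicode")


# Constructed minimal domain definition; the VM name is hypothetical.
SAMPLE_DOMAIN = "<domain type='kvm'><name>example-vm</name></domain>"

if __name__ == "__main__":
    for base, mls_range in unmapped_contexts(KERNEL_LOG):
        print(f"{base} carries range {mls_range!r}: unmappable on strict policy")
    print(static_seclabel(SAMPLE_DOMAIN))
```

On a live system the first function would be fed `dmesg` or journal output, and the second function's result would be loaded with `virsh define`; pass `mls=True` only when running the MCS or MLS policy type.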