We have a machine which hosts a number of virtualization guests using libvirt and kvm. Each storage device that is presented to the guests is stored on the host as an individual logical volume -- each guest gets one or more of the host's logical volumes to use as storage.
How do I make this setup work with SELinux? The RedHat documents only address using file-backed storage volumes.
SELinux context for VM guests using LVM volumes
Re: SELinux context for VM guests using LVM volumes
So are you presenting blocks or files?
Re: SELinux context for VM guests using LVM volumes
My guest's LVM disks just have standard selinux contexts and I get no complaints from my VMs.
lrwxrwxrwx. root root system_u:object_r:device_t:s0 testvm -> ../dm-3
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3
Though thinking about it I don't use those directly, my VMs use /dev/drbdX which uses the LV as a backing device. The context on the DRBD device looks like
brw-rw----. root disk system_u:object_r:svirt_image_t:s0:c66,c143 /dev/drbd2
But I didn't have to set that - it was set automatically by something.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: SELinux context for VM guests using LVM volumes
aks wrote: So are you presenting blocks or files?
blocks
Re: SELinux context for VM guests using LVM volumes
I present blocks to my CentOS VMs and have SELinux running, with no problems whatsoever. After all you're just presenting raw storage, it's up to the VM what gets written there.
Is that what you're asking?
Re: SELinux context for VM guests using LVM volumes
aks wrote: I present blocks to my CentOS VMs and have SELinux running, with no problems whatsoever. After all you're just presenting raw storage, it's up to the VM what gets written there.
Is that what you're asking?
Not really. The host is running in permissive mode at the moment, and I see messages in the audit log that suggest that SELinux would block the host from presenting the storage to the guest. But maybe I have misinterpreted the message.
Re: SELinux context for VM guests using LVM volumes
Uh.
So you're presenting block storage through something like KVM and you have some messages that suggest SELinux would prevent the presentation?
So two questions:
1) How are you presenting the block storage (FC/iSCSI through hardware or software)?
2) Post the suspect messages.
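An added example, not from any poster in this thread, for triaging the audit messages the original poster mentions: it parses an `ls -Z` line in the form quoted above and a standard-format AVC record, then reports whether the LV device still carries the host default label (fixed_disk_device_t, as on /dev/dm-3) instead of libvirt's sVirt label (svirt_image_t with MCS categories, as on /dev/drbd2). The AVC sample is constructed since none was posted, and the svirt_t guest domain and the category-mismatch rule are assumptions about the sVirt policy, not something the thread states.

```python
import re

# Constructed samples: one `ls -Z` line in the form quoted in the thread, and one
# AVC record in the standard audit format (assumed shape; none was posted here).
SAMPLE_LS_Z = "brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-3"
SAMPLE_AVC = (
    'type=AVC msg=audit(1300000000.123:456): avc:  denied  { read write } for '
    'pid=1234 comm="qemu-kvm" path="/dev/dm-3" dev=devtmpfs ino=5678 '
    'scontext=system_u:system_r:svirt_t:s0:c66,c143 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1'
)

# Type libvirt's sVirt driver puts on a running guest's disk (seen on /dev/drbd2
# above) versus the default type a host LV/dm device carries (seen on /dev/dm-3).
GUEST_IMAGE_TYPE = "svirt_image_t"
HOST_DISK_TYPE = "fixed_disk_device_t"
GUEST_DOMAIN = "svirt_t"  # assumed qemu process domain under sVirt

def parse_context(ctx):
    """Split user:role:type:level; the level keeps the MCS categories (s0:c66,c143)."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def parse_ls_z(line):
    """Return (path, context) from one `ls -Z` line like the ones quoted above."""
    fields = line.split()
    return fields[4], fields[3]

def parse_avc(line):
    """Pull the fields relevant to a guest-disk denial out of one AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key in ("comm", "path", "scontext", "tcontext", "tclass", "permissive"):
        f = re.search(r'\b%s=("?)([^"\s]+)\1' % key, line)
        rec[key] = f.group(2) if f else None
    return rec

def diagnose(avc):
    """Say what a denial means in sVirt terms; permissive=1 means it was only logged."""
    src, tgt = parse_context(avc["scontext"]), parse_context(avc["tcontext"])
    if avc["tclass"] != "blk_file" or src["type"] != GUEST_DOMAIN:
        return "not a guest-to-block-device access"
    if tgt["type"] == HOST_DISK_TYPE:
        return "device still has the host default label, not libvirt's svirt_image_t"
    if tgt["type"] == GUEST_IMAGE_TYPE and tgt["level"] != src["level"]:
        return "MCS category mismatch: device is labelled for a different guest"
    return "labels look consistent; needs policy review"
```

Run it against the real output of `ls -Z` on the LV's dm device and `ausearch -m avc` on the host; with the host in permissive mode the records show permissive=1, so they describe what enforcing mode would have blocked.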