Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
HeroFromEarth2016-12-19 15:17:53
linux
HeroFromEarth, 2016-12-19 15:17:53

How to create unix-channel in 'connect' source mode with SELinux enabled?

I have a domain on CentOS 6 with the following configuration:

.........................................................
<channel type='unix'>
  <source mode='bind' path='/var/lib/libvirt/qemu/vport0'/>
  <target type='virtio' name='vport0'/>
  <address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='unix'>
  <source mode='connect' path='/var/lib/libvirt/qemu/vport0'/>
  <target type='virtio' name='vport0'/>
  <address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
.........................................................

After running it with SELinux enabled, I see the following error:
error: Failed to start domain proxy-agent0
error: unable to set security context 'system_u:object_r:svirt_image_t:s0:c269,c347' on '/var/lib/libvirt/qemu/vport0': No such file or directory

With SELinux disabled, the problem is not observed, the domain starts without errors.
How to solve the problem besides disabling SELinux? Is there a way to force the creation of a virtual port right after reading an item in the config?
Let me emphasize one point: there are no errors when configuring with a channel only with source mode='bind'.
# ausearch -r -m VIRT_CONTROL -ts today
type=VIRT_CONTROL msg=audit(1482305847.172:2201): user pid=2430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="proxy-agent0" uuid=62bb1bc5-4e17-f67b-22a4-c14a487547e8 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
H
HeroFromEarth, 2017-02-06
@HeroFromEarth

The answer to the question has been found.
In the domain config, you need to write the line:
At the same time, SELinux on the hypervisor does not check any files related to the domain, but the domain itself starts.

Report
D
Dmitry Aitkulov, 2016-12-20
@Scarfase1989

look here

Similar questions
E
eight_bit2019-10-21 11:41:25
Laptop freezes on reboot after installing additional SSD, how to diagnose? 1Reply
#
#2019-08-24 20:49:53
There is a host on Linux, there are virtual machines, access to the Internet via PPPoE, without a router! the host does not see the virtual machine, how to solve it with minimal means? 2Reply
A
andrey69rus2015-03-24 00:38:15
Can you help me find a distributor? 3Reply
Z
zeuss562017-03-27 21:39:07
What is the best SD card for Live Boot and HDD replacement? 1Reply
A
account-52017-03-27 23:58:12
How to use VPS as ssh tunnel? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question