LXC + SELINUX on Fedora 21 Server

asked 2015-01-04 13:43:32 -0500 by Creuzo

updated 2015-01-04 15:34:26 -0500 by mether

Hi, first I apologize for the long post.

I installed Fedora 21 Server and started playing with containers. I am able to run them with SELinux disabled just fine. So, to enable SELinux, I followed the instructions at the beginning of the /usr/share/lxc/selinux/lxc.te file. Basically:

make -f /usr/share/selinux/devel/Makefile lxc.pp
semodule -i lxc.pp

add the line below to the container config: lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228

and run: chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs

I followed the instructions and was able to compile this SELinux module successfully. The problem is that it is not enough for the container to run. I got the following errors:

type=AVC msg=audit(1420397413.560:1637): avc:  denied  { mount } for  pid=3515 comm="systemd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1420397413.560:1638): avc:  denied  { write } for  pid=3515 comm="systemd" name="mula.286a4d33bf3ca55f" dev="devtmpfs" ino=5266207 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=unconfined_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.560:1639): avc:  denied  { add_name } for  pid=3515 comm="systemd" name="shm" scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=unconfined_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.560:1640): avc:  denied  { create } for  pid=3515 comm="systemd" name="shm" scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.560:1641): avc:  denied  { mounton } for  pid=3515 comm="systemd" path="/dev/shm" dev="devtmpfs" ino=5281474 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.560:1642): avc:  denied  { mounton } for  pid=3515 comm="systemd" path="/sys/fs/cgroup" dev="sysfs" ino=3 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.561:1643): avc:  denied  { mount } for  pid=3515 comm="systemd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1420397413.561:1644): avc:  denied  { create } for  pid=3515 comm="systemd" name="core" scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1420397413.564:1645): avc:  denied  { remount } for  pid=3515 comm="systemd" scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1420397413.565:1646): avc:  denied  { sys_resource } for  pid=3515 comm="systemd" capability=24  scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tclass=capability permissive=1 ...
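As an added example (not part of the question, of Fedora, or of the lxc policy module), the script below does by hand what audit2allow does with AVC records like the ones quoted above: it parses each `avc: denied` line, extracts the source and target types, the object class and the permission set, and collapses them into candidate `allow` rules. It also extracts the MCS categories of a context, so the categories in `lxc.se_context` can be compared against what the container's files were labelled with, and counts records logged with `permissive=1`, which proceeded only because the domain or system was permissive. The sample input is a constructed subset of the records from the question; category parsing assumes an explicit comma-separated list (`s0:c62,c86,...`), not a `c0.c1023`-style range.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC lines quoted in the question above.
SAMPLE_AVC = """\
type=AVC msg=audit(1420397413.560:1637): avc:  denied  { mount } for  pid=3515 comm="systemd" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1420397413.560:1638): avc:  denied  { write } for  pid=3515 comm="systemd" name="mula.286a4d33bf3ca55f" dev="devtmpfs" ino=5266207 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=unconfined_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.560:1639): avc:  denied  { add_name } for  pid=3515 comm="systemd" name="shm" scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=unconfined_u:object_r:device_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1420397413.561:1643): avc:  denied  { mount } for  pid=3515 comm="systemd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1420397413.565:1646): avc:  denied  { sys_resource } for  pid=3515 comm="systemd" capability=24  scontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tcontext=system_u:system_r:lxc_t:s0:c62,c86,c150,c228 tclass=capability permissive=1
"""

# "avc:  denied  { perm1 perm2 }" -- the permission set is a whitespace-separated list in braces.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value tokens; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def mcs_categories(ctx):
    """Return the MCS category set of a context, e.g. {'c62', 'c86'}; empty if the level has none.
    Assumes an explicit comma list (s0:c62,c86,...), not a c0.c1023-style range."""
    parts = ctx.split(":")
    if len(parts) < 5:
        return set()
    return set(parts[4].split(","))


def parse_avc(line):
    """Parse one audit AVC record into a dict, or return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        # permissive=1 means the access was logged but allowed to proceed.
        "permissive": fields.get("permissive") == "1",
        "target": fields.get("path") or fields.get("name") or fields.get("capability") or "",
    }
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def parse_audit_log(text):
    """Parse every AVC record in a block of audit.log text, skipping non-AVC lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize_rules(records):
    """Collapse denials into allow rules the way audit2allow does:
    one rule per (source type, target type, class), with the union of denied permissions."""
    perms = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        perms[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(perms.items())
    ]


def permissive_count(records):
    """Number of records that only succeeded because of permissive mode; these fail when enforcing."""
    return sum(1 for r in records if r["permissive"])


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AVC)
    print("%d AVC records, %d logged in permissive mode" % (len(recs), permissive_count(recs)))
    print("container categories:", sorted(mcs_categories(recs[0]["scontext"])))
    for rule in summarize_rules(recs):
        print(rule)
```

Run it with `python3 avc_summary.py`, or pipe real records in by replacing `SAMPLE_AVC` with the output of `ausearch -m avc`. The generated rules are a starting point for reading, not for loading blindly: a rule such as `allow lxc_t lxc_t:capability { sys_resource };` widens what every container in that domain may do, so each one should be weighed against what the container actually needs before it goes into a local policy module.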