Opennebula and SElinux

vholer · August 15, 2019, 2:22pm

Policy doesn’t allow access to files with SELinux type var_lib_t which are actually symlinks.

One option is to relabel the datastores directories to more suitable virt_image_t, e.g.:

semanage fcontext -a -t virt_image_t '/var/lib/one/datastores(/.*)?'
restorecon -Rv /var/lib/one/datastores/

In your case, this won’t be probably enough, so you should do the same also for the custom location you are symlinking to.

The other option is to make a custom module, which allows reading var_lib_t even if they are symlinks. For example:

# cat <<EOF >opennebula.te
module opennebula 1.0;

require {
	type svirt_t;
	type var_lib_t;
	class lnk_file read;
}

#============= svirt_t ==============

#!!!! WARNING: 'var_lib_t' is a base type.
allow svirt_t var_lib_t:lnk_file read;
EOF

# checkmodule -M -m -o opennebula.mod opennebula.te
# semodule_package -o opennebula.pp -m opennebula.mod
# semodule -i opennebula.pp

Best regards,
Vlastimil

Topic		Replies	Views
[Solved] OpenNebula 5.0.1 - Migrate Failed Community Support	4	1912	July 20, 2016
Opennebula 4.12.1 KVM DEPLOY FAILURE Community Support	2	1935	May 15, 2015
New LCM state is BOOT_FAILURE Community Support	3	2907	August 13, 2017
Error when initiating a Virtual Machine Community Support	0	371	November 15, 2020
Live Migration Fails on Opennebula 5.0 Community Support	1	1072	April 30, 2018

Opennebula and SElinux

Related Topics