Enable SELinux on KVM Guest

asked 2018-12-20 11:52:37 -0500

mk

I am trying out an OpenStack KVM based cloud provisioning service. I'm using an Ubuntu image, but I removed the nova.cloud prefix from the source repositories (apparently these are specifically for OpenStack guests) as the software available was too limited; I then updated, upgraded, rebooted.

I've then tried to enable SELinux via the distro mechanisms, which put security=selinux onto the kernel param line in grub.conf, set mode in /etc/selinux/config to "Permissive", etc. However, upon reboot sestatus reports disabled and no SELinux tools work.

Based on that, I'm wondering:

  1. Can it be made impossible for SELinux to run in an OpenStack KVM guest? I would think no, but...
  2. Is there anything special that needs to be done, such that the normal configuration and such won't work? This seems a more likely explanation especially since I changed to the normal (non-OpenStack-oriented) repos.

I would rather switch platform (either the distro, or the hypervisor) than get stuck with the nova.cloud repositories. However, if I can make the current context work, I am willing to put in a little effort. But SELinux is a requirement.



I can confirm that SELinux works in a KVM VM. There should be nothing in Nova that disables this. However, I don’t know whether the image you used includes SELinux in the kernel.

What happens if you try to manually enable it with setenforce? Any errors in the system log or kernel message buffer?

Bernd Bausch ( 2018-12-20 15:59:13 -0500 )

Did you try a CentOS image?

Admittedly, I don’t know what is “nova.cloud”.

Bernd Bausch ( 2018-12-20 16:00:21 -0500 )

@Bernd I tried Debian and Ubuntu. CentOS can't be restricted by the "nova.cloud" repos, so it might be a better bet. Yes, the kernel was SELinux enabled. setenforce just didn't work.

mk ( 2018-12-22 04:48:12 -0500 )

Sadly the provider answered my first email with "We don't know if it is possible to use SELinux...". Since then I've tried a few other KVM based providers, done my exact same routine w/ configuration and provisioning, and SELinux works normally. Wanted to make sure this isn't an OpenStack oddity.

mk ( 2018-12-22 04:50:14 -0500 )

I just tried it: Downloaded a CentOS cloud image, added it to my OpenStack cloud, launched an instance, and SELinux runs in enforcing mode by default.

Anything else would have surprised me. I wonder what kind of images your provider has in its catalogue.

Bernd Bausch ( 2018-12-22 08:55:28 -0500 )

2 answers


answered 2019-01-01 20:28:14 -0500

zaneb

Fedora and CentOS both include SELinux by default and would certainly be an easier choice.

Ubuntu's default choice of MAC is AppArmor, not SELinux. The Debian wiki has instructions for setting it up that should work on Ubuntu, but it's far more likely that something has gone wrong with this process than anything to do with OpenStack. SELinux is a kernel feature that has nothing to do with the hypervisor, although as you've noted it may rely on the bootloader setting it up correctly.

I assume you're using a Cinder volume and not ephemeral storage (although IIUC even with ephemeral storage the changes to the bootloader should survive a reboot).
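A diagnostic in the spirit of this answer, added here as an example (it is not code from the thread or from OpenStack): it checks the kernel build, the command line the guest actually booted with, and /etc/selinux/config, and reports which one keeps SELinux inactive. The function names and result strings are made up for this example; the paths in the final call are the usual Linux locations and are an assumption about the guest.

```shell
#!/bin/sh
# Added example: report why SELinux is inactive on a Linux guest.
# Function names and result strings are hypothetical. Paths are passed as
# arguments so the checks can also be run against constructed files.

# What the kernel was actually booted with (not what grub's config says).
cmdline_verdict() {  # cmdline_verdict CMDLINE_FILE
    args=$(tr -s '[:space:]' '\n' < "$1")
    if printf '%s\n' "$args" | grep -qx 'selinux=0'; then echo off
    elif printf '%s\n' "$args" | grep -Eq '^(security=selinux|lsm=.*selinux.*)$'; then echo selected
    else echo unset
    fi
}

# Mode requested in /etc/selinux/config, lower-cased for comparison.
config_mode() {  # config_mode SELINUX_CONFIG
    [ -r "$1" ] || { echo missing; return 0; }
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# diagnose CMDLINE LSM_LIST SELINUXFS_DIR KERNEL_CONFIG SELINUX_CONFIG
diagnose() {
    if [ -e "$3/enforce" ]; then            # selinuxfs is mounted
        echo "active enforce=$(cat "$3/enforce")"; return 0
    fi
    if [ -r "$4" ] && ! grep -q '^CONFIG_SECURITY_SELINUX=y' "$4"; then
        echo "kernel-lacks-selinux"; return 1
    fi
    case "$(cmdline_verdict "$1")" in
        off)   echo "cmdline-selinux=0"; return 1 ;;
        unset) echo "cmdline-not-selecting-selinux"; return 1 ;;
    esac
    if [ "$(config_mode "$5")" = disabled ]; then
        echo "config-disabled"; return 1
    fi
    if grep -qs selinux "$2"; then          # listed as an active LSM
        echo "lsm-active-but-selinuxfs-missing"; return 1
    fi
    echo "selected-but-not-initialised"; return 1
}

# Live check on this machine (standard paths).
diagnose /proc/cmdline /sys/kernel/security/lsm /sys/fs/selinux \
    "/boot/config-$(uname -r)" /etc/selinux/config || :
```

A result of `cmdline-not-selecting-selinux` after editing the bootloader configuration means the change never reached the kernel that booted, which points at the image's bootloader setup rather than the hypervisor.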


Last updated: Jan 01 '19