Displaying 20 results from an estimated 160 matches for "seclabel".
2017 Jul 25
1
About seclabel configure,Migrate error
...ecture: x86_64 ubuntu16.04-server
hypervisor: kvm,qemu
When migrating a VM, I encounter this error:
"Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor"
but the two hosts are the same environment. Before this error, migration could succeed.
The source host seclabel configuration is this:
<seclabel type='dynamic' model='apparmor' relabel='yes'>
  <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label>
  <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel>
</seclabel>
I create a...
2018 May 21
2
[PATCH for discussion only] lib: libvirt: If root, run qemu subprocess as root.root.
...is run as a non-root user (typically
qemu.qemu). This causes various problems, for example if we try to
open a file which is readable by root but unreadable by qemu.qemu then
the operation will fail.
This can be changed globally via a configuration file, but it can also
be changed by using a <seclabel/> clause in the XML (although I think
that's not the only effect):
<seclabel type="static" model="dac" relabel="no">
  <label>0:0</label>
</seclabel>
This patch makes that change.
I notice that after this change, qemu is indeed r...
2013 Jul 15
1
Re: libvrtd-1.1.0 crashes when attempting to start some (but not all) LXC containers
..., the line numbers for the source
> code in the source tree that my Gentoo system is building from do not
> match exactly what you listed.
>
> Line #442 for me is the one containing the "STREQ" macro:
>
> virObjectLock(mgr);
>
> for (i = 0; i < vm->nseclabels; i++) {
>     for (j = 0; sec_managers[j]; j++)
>         if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name))
>             break;
>
>
> I can rebuild with "-O0" and try again. If I can still trigger the crash,
> the backtrace mig...
2017 Mar 14
1
[PATCH] lib: libvirt: If root, run qemu as root.root.
...running as root, libvirt would
always run qemu as a non-root user (eg. qemu.qemu), unless you modify
a global configuration file (/etc/libvirt/qemu.conf).
It turns out there is a little-known feature to make libvirt run qemu
as root without modifying any configuration files. We have to add a
<seclabel/> element to the appliance XML:
<seclabel type='static' model='dac' relabel='no'>
  <label>root:root</label>
</seclabel>
For further information see:
https://libvirt.org/formatdomain.html#seclabel
This change adds the required <secla...
2013 Aug 19
2
Stop the relabeling of CD images
...hine looks like this :
<disk type='file' device='cdrom'>
  <driver name='qemu' type='raw'/>
  <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
    <seclabel relabel='no'/>
  </source>
  <target dev='hdc' bus='ide'/>
  <readonly/>
  <shareable/>
  <address type='drive' controller='0' bus='1' target='0' unit='0'/>
</disk&g...
2016 Jan 13
1
Re: [libvirt] Quantifying libvirt errors in launching the libguestfs appliance
..., Jan 13, 2016 at 04:25:14PM +0100, Martin Kletzander wrote:
> For each of the kernels, libvirt labels them (with both DAC and selinux
> labels), then proceeds to launching qemu. If this is done parallel, the
> race is pretty obvious. Could you remind me why you couldn't use
> <seclabel model='none'/> or <seclabel relabel='no'/> or something that
> would mitigate this?
We value having sVirt :-)
However I'm just about to rerun the tests with <seclabel type='none'/>
to see if the problem goes away. Will let you know tomorrow once they...
2013 Aug 06
1
Libvirt seclabel.
Hi all,
I am new to libvirt. Via libvirt I am converting my xen.com.sfg.
In Xen I added an XSM label as seclabel:system_u:domU_t,
but after creating the VM using Xen, or by convertdom-to-xml, it also does not
contain any label or text with xen-4.2.1.
In the documentation you also mentioned the SELinux label (sVirt) only. Can you
clarify the following things for me:
1. How to use an XSM label in libvirt?
2. What are the procedure...
2013 Aug 19
0
Re: Stop the relabeling of CD images
...t;
> <disk type='file' device='cdrom'>
> <driver name='qemu' type='raw'/>
> <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>
> <seclabel relabel='no'/>
Hmm, the documentation at http://libvirt.org/formatdomain.html#seclabel
is a bit stale; the last paragraph mentions that you can apply
per-<disk> seclabel overrides, but fails to mention that model='...' is
valid in that XML.
Since you already know what lab...
2013 Oct 31
2
libvirt_lxc: SELinux MCS
...etSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
<seclabel type='static' model='selinux' relabel='no'>
  <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
</seclabel>
or:
<seclabel type='dynamic' model='selinux' relabel='yes'>
  <label>system_u:system_r:svirt_lxc...
2013 Jun 10
1
Re: libvirt_lxc and sysfs
On 06/10/2013 01:41 PM, pr.G wrote:
> On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote:
>> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote:
>>> On 06/09/2013 08:14 PM, pr.G wrote:
>>>> Hello.
>>>>
>>>> Is it possible to start container via libvirt_lxc without mounting /sys
>>>> inside container?
2013 Jul 15
3
Re: libvrtd-1.1.0 crashes when attempting to start some (but not all) LXC containers
On Mon, Jul 15, 2013 at 3:18 AM, Michal Privoznik <mprivozn@redhat.com> wrote:
>
> Interesting. If you are still able to reproduce the crash, can you try to
> get the line number within virSecurityManagerGenLabel where the crash
> happened? I think it's the STREQ line (line 440). Question is whether
> model or name is NULL.
>
>
I'll try.
I'm not sure why
2013 Aug 20
2
Re: Stop the relabeling of CD images
...o: Cristian Ciupitu <cristian.ciupitu@yahoo.com>
> Cc: libvirt-users <libvirt-users@redhat.com>
> Sent: Monday, August 19, 2013 11:24 PM
> Subject: Re: [libvirt-users] Stop the relabeling of CD images
> So maybe this would do it:
>
> <source file=...>
>   <seclabel model='selinux' relabel='no'/>
>   <seclabel model='dac' relabel='no'/>
> </source>
I've just tried it and the SELinux label is not changed anymore, but the
ownership is still changed to qemu:qemu.
> I'm also not sure why you think t...
2013 Aug 20
1
Re: Stop the relabeling of CD images
...; Cc: libvirt-users <libvirt-users@redhat.com>
>>> Sent: Monday, August 19, 2013 11:24 PM
>>> Subject: Re: [libvirt-users] Stop the relabeling of CD images
>>
>>> So maybe this would do it:
>>>
>>> <source file=...>
>>>   <seclabel model='selinux' relabel='no'/>
>>>   <seclabel model='dac' relabel='no'/>
>>> </source>
>>
>> I've just tried it and the SELinux label is not changed anymore, but
>> the ownership is still changed to qemu:qemu....
2016 Jan 14
3
Re: [libvirt] Quantifying libvirt errors in launching the libguestfs appliance
...time and, apparently, didn't get to a conclusion.
>
> For each of the kernels, libvirt labels them (with both DAC and selinux
> labels), then proceeds to launching qemu. If this is done parallel, the
> race is pretty obvious. Could you remind me why you couldn't use
> <seclabel model='none'/> or <seclabel relabel='no'/> or something that
> would mitigate this? If we cannot use this, then we need to implement
> the <seclabel/> element for kernel and initrd.
Hmm, can't we just label kernel and initrd files the same way we label
<...
2013 Oct 14
0
mountinfo discrepancy, subvol vs subvolid
...by name, mountinfo shows the name of the subvolume. When mounting a subvolume using subvolid it does not. Seems like a problem when trying to determine what is mounted.
-o subvol=<name>
# cat /proc/self/mountinfo | grep vda
43 34 0:29 /home /home rw,relatime shared:29 - btrfs /dev/vda1 rw,seclabel,space_cache
44 34 0:29 /boot /boot rw,relatime shared:30 - btrfs /dev/vda1 rw,seclabel,space_cache
-o subvolid=<number>
# cat /proc/self/mountinfo
43 34 0:29 / /home rw,relatime shared:29 - btrfs /dev/vda1 rw,seclabel,space_cache
44 34 0:29 / /boot rw,relatime shared:30 - btrfs /dev/vda1 rw...
2013 Feb 28
5
[PATCH v2 0/5] Fix SELinux security contexts so we can access shared disks (RHBZ#912499).
Link to version 1:
https://www.redhat.com/archives/libguestfs/2013-February/thread.html#00122
Changes since version 1:
- I've pushed two (of the three) code refactoring patches. The third
one proved rather hard to move.
- selinuxnorelabel option is no more. Instead there is a second
internal API (internal_set_libvirt_selinux_norelabel_disks).
- fixed bogus commit message
-
2020 Jul 16
1
Re: SELinux labels change in libvirt
...ou have libvirtd configured to do relabelling
> at all ? I'd be expecting it to have security_driver=none in the qemu.conf
> file so that libvirtd doesn't do anything.
>
I checked the dumpxml of the virt-launcher pod (that runs the qemu in
kubevirt) - it has dynamic policy.
<seclabel type='dynamic' model='dac' relabel='yes'>
  <label>+107:+107</label>
  <imagelabel>+107:+107</imagelabel>
</seclabel>
Are you saying this is a wrong configuration for a kubevirt VMI?
>
> If libvirtd is doing relabelling, I'm no...
2016 Oct 20
2
security BPC
Hi!
Disclaimer:
I'm a libvirt beginner using it for managing virtual machines based on qemu-kvm.
Is there any documentation describing how to harden libvirt/qemu-kvm installations?
Especially how to improve isolation of VMs:
- secure time sync (with or without ntpd?)
- random number generation
- running VMs as different host OS users
I do not need general OS hardening advice.
Ciao,
2013 Oct 31
0
Re: libvirt_lxc: SELinux MCS
...IX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused
>
> I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label:
>
> <seclabel type='static' model='selinux' relabel='no'>
>   <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label>
> </seclabel>
>
> or:
>
> <seclabel type='dynamic' model='selinux' relabel='yes'>
>   <l...
2016 Jan 13
7
Quantifying libvirt errors in launching the libguestfs appliance
As people may know, we frequently encounter errors caused by libvirt
when running the libguestfs appliance.
I wanted to find out exactly how frequently these happen and classify
the errors, so I ran the 'virt-df' tool overnight 1700 times. This
tool runs several parallel qemu:///session libvirt connections both
creating a short-lived appliance guest.
Note that I have added Cole's