search for: seclabel

Displaying 20 results from an estimated 160 matches for "seclabel".

2017 Jul 25
1
About seclabel configure,Migrate error
...ecture: x86_64 ubuntu16.04-server hypervisor: kvm,qemu When migrating a VM, I encounter the error: "Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor" but the two hosts have the same environment. Before this error, migration could succeed. The source host seclabel configuration is this: <seclabel type='dynamic' model='apparmor' relabel='yes'> <label>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</label> <imagelabel>libvirt-8e4ec209-17ca-4b59-abb7-72f3984244f3</imagelabel> </seclabel> I create a...
2018 May 21
2
[PATCH for discussion only] lib: libvirt: If root, run qemu subprocess as root.root.
...is run as a non-root user (typically qemu.qemu). This causes various problems, for example if we try to open a file which is readable by root but unreadable by qemu.qemu then the operation will fail. This can be changed globally via a configuration file, but it can also be changed by using a <seclabel/> clause in the XML (although I think that's not the only effect): <seclabel type="static" model="dac" relabel="no"> <label>0:0</label> </seclabel> This patch makes that change. I notice that after this change, qemu is indeed r...
2013 Jul 15
1
Re: libvrtd-1.1.0 crashes when attempting to start some (but not all) LXC containers
..., the line numbers for the source > code in the source tree that my Gentoo system is building from does not > match exactly what you listed. > > Line #442 for me is the one containing the "STREQ" macro: > > virObjectLock(mgr); > > for (i = 0; i < vm->nseclabels; i++) { > for (j = 0; sec_managers[j]; j++) > if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name)) > break; > > > I can rebuild with "-O0" and try again. If I can still trigger the crash, > the backtrace mig...
2017 Mar 14
1
[PATCH] lib: libvirt: If root, run qemu as root.root.
...running as root, libvirt would always run qemu as a non-root user (eg. qemu.qemu), unless you modify a global configuration file (/etc/libvirt/qemu.conf). It turns out there is a little-known feature to make libvirt run qemu as root without modifying any configuration files. We have to add a <seclabel/> element to the appliance XML: <seclabel type='static' model='dac' relabel='no'> <label>root:root</label> </seclabel> For further information see: https://libvirt.org/formatdomain.html#seclabel This change adds the required <secla...
2013 Aug 19
2
Stop the relabeling of CD images
...hine looks like this :     <disk type='file' device='cdrom'>         <driver name='qemu' type='raw'/>         <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'>             <seclabel relabel='no'/>         </source>         <target dev='hdc' bus='ide'/>         <readonly/>         <shareable/>         <address type='drive' controller='0' bus='1' target='0' unit='0'/>     </disk&g...
2016 Jan 13
1
Re: [libvirt] Quantifying libvirt errors in launching the libguestfs appliance
..., Jan 13, 2016 at 04:25:14PM +0100, Martin Kletzander wrote: > For each of the kernels, libvirt labels them (with both DAC and selinux > labels), then proceeds to launching qemu. If this is done parallel, the > race is pretty obvious. Could you remind me why you couldn't use > <seclabel model='none'/> or <seclabel relabel='no'/> or something that > would mitigate this? We value having sVirt :-) However I'm just about to rerun the tests with <seclabel type='none'/> to see if the problem goes away. Will let you know tomorrow once they...
2013 Aug 06
1
LIbvirt seclabel.
Hi all, I am new to libvirt. Via libvirt I am converting my xen.com.sfg. In Xen I added an XSM label as seclabel:system_u:domU_t, but after creating the VM using xen or by convertdom-to-xml, it also does not contain any label or text with xen-4.2.1. In the documentation you also mentioned the SELinux label (sVirt) only. Can you clarify the following things for me: 1. How to use an XSM label in libvirt? 2. What are the procedure...
2013 Aug 19
0
Re: Stop the relabeling of CD images
...t; > <disk type='file' device='cdrom'> > <driver name='qemu' type='raw'/> > <source file='/mnt/extra/Software/Linux/Fedora/Fedora-Live-Desktop-x86_64-19/Fedora-Live-Desktop-x86_64-19-1.iso'> > <seclabel relabel='no'/> Hmm, the documentation at http://libvirt.org/formatdomain.html#seclabel is a bit stale; the last paragraph mentions that you can apply per-<disk> seclabel overrides, but fails to mention that model='...' is valid in that XML. Since you already know what lab...
2013 Oct 31
2
libvirt_lxc: SELinux MCS
...etSocketNewConnectUNIX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label: <seclabel type='static' model='selinux' relabel='no'> <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label> </seclabel> or: <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_lxc...
2013 Jun 10
1
Re: libvirt_lxc and sysfs
On 06/10/2013 01:41 PM, pr.G wrote: > On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote: >> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: >>> On 06/09/2013 08:14 PM, pr.G wrote: >>>> Hello. >>>> >>>> Is it possible to start container via libvirt_lxc without mounting /sys >>>> inside container?
2013 Jul 15
3
Re: libvrtd-1.1.0 crashes when attempting to start some (but not all) LXC containers
On Mon, Jul 15, 2013 at 3:18 AM, Michal Privoznik <mprivozn@redhat.com> wrote: > > Interesting. If you are still able to reproduce the crash, can you try to > get the line number within virSecurityManagerGenLabel where the crash > happened? I think it's the STREQ line (440 linenr). Question is whether > model or name is NULL. > > I'll try. I'm not sure why
2013 Aug 20
2
Re: Stop the relabeling of CD images
...o: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: libvirt-users <libvirt-users@redhat.com> > Sent: Monday, August 19, 2013 11:24 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > So maybe this would do it: > > <source file=...> >   <seclabel model='selinux' relabel='no'/> >   <seclabel model='dac' relabel='no'/> > </source> I've just tried it and the SELinux label is not changed anymore, but the ownership is still changed to qemu:qemu. > I'm also not sure why you think t...
2013 Aug 20
1
Re: Stop the relabeling of CD images
...; Cc: libvirt-users <libvirt-users@redhat.com> >>> Sent: Monday, August 19, 2013 11:24 PM >>> Subject: Re: [libvirt-users] Stop the relabeling of CD images >> >>> So maybe this would do it: >>> >>> <source file=...> >>>     <seclabel model='selinux' relabel='no'/> >>>     <seclabel model='dac' relabel='no'/> >>> </source> >> >> I've just tried it and the SELinux label is not changed anymore, but >> the ownership is still changed to qemu:qemu....
2016 Jan 14
3
Re: [libvirt] Quantifying libvirt errors in launching the libguestfs appliance
...time and, apparently, didn't get to a conclusion. > > For each of the kernels, libvirt labels them (with both DAC and selinux > labels), then proceeds to launching qemu. If this is done parallel, the > race is pretty obvious. Could you remind me why you couldn't use > <seclabel model='none'/> or <seclabel relabel='no'/> or something that > would mitigate this? If we cannot use this, then we need to implement > the <seclabel/> element for kernel and initrd. Hmm, can't we just label kernel and initrd files the same way we label &lt...
2013 Oct 14
0
mountinfo discrepancy, subvol vs subvolid
...by name, mountinfo shows the name of the subvolume. When mounting a subvolume using subvolid it does not. Seems like a problem when trying to determine what is mounted. -o subvol=<name> # cat /proc/self/mountinfo | grep vda 43 34 0:29 /home /home rw,relatime shared:29 - btrfs /dev/vda1 rw,seclabel,space_cache 44 34 0:29 /boot /boot rw,relatime shared:30 - btrfs /dev/vda1 rw,seclabel,space_cache -o subvolid=<number> #cat /proc/self/mountinfo 43 34 0:29 / /home rw,relatime shared:29 - btrfs /dev/vda1 rw,seclabel,space_cache 44 34 0:29 / /boot rw,relatime shared:30 - btrfs /dev/vda1 rw...
2013 Feb 28
5
[PATCH v2 0/5] Fix SELinux security contexts so we can access shared disks (RHBZ#912499).
Link to version 1: https://www.redhat.com/archives/libguestfs/2013-February/thread.html#00122 Changes since version 1: - I've pushed two (of the three) code refactoring patches. The third one proved rather hard to move. - selinuxnorelabel option is no more. Instead there is a second internal API (internal_set_libvirt_selinux_norelabel_disks). - fixed bogus commit message -
2020 Jul 16
1
Re: SELinux labels change in libvirt
...ou have libvirtd configured to do relabelling > at all ? I'd be expecting it to have security_driver=none in the qemu.conf > file so that libvirtd doesn't do anything. > I checked the dumpxml of the virt-launcher pod (that runs the qemu in kubevirt) - it has dynamic policy. <seclabel type='dynamic' model='dac' relabel='yes'> <label>+107:+107</label> <imagelabel>+107:+107</imagelabel> </seclabel> Are you saying this a wrong configuration for a kubevirt vmi? > > If libvirtd is doing relabelling, I'm no...
2016 Oct 20
2
security BPC
Hi! Disclaimer: I'm a libvirt beginner using it for managing virtual machines based on qemu-kvm. Is there any documentation describing how to harden libvirt/qemu-kvm installations? Especially how to improve isolation of VMs: - secure time sync (with or without ntpd?) - random number generation - running VMs as different host OS users I do not need general OS hardening advice. Ciao,
2013 Oct 31
0
Re: libvirt_lxc: SELinux MCS
...IX:566 : Failed to connect socket to '/var/run/libvirt/lxc/cntr1.sock': Connection refused > > I configured the following secmodel definition and used chcon on the rootfs directory (created with yum) with the "system_u:object_r:svirt_lxc_file_t:s0:c30,c50" label: > > <seclabel type='static' model='selinux' relabel='no'> > <label>system_u:system_r:svirt_lxc_net_t:s0:c30,c50</label> > </seclabel> > > or: > > <seclabel type='dynamic' model='selinux' relabel='yes'> > <l...
2016 Jan 13
7
Quantifying libvirt errors in launching the libguestfs appliance
As people may know, we frequently encounter errors caused by libvirt when running the libguestfs appliance. I wanted to find out exactly how frequently these happen and classify the errors, so I ran the 'virt-df' tool overnight 1700 times. This tool runs several parallel qemu:///session libvirt connections both creating a short-lived appliance guest. Note that I have added Cole's