search for: seclabels

libvirt version: 3.4.0 architecture: x86_64 ubuntu16.04-server hypervisor: kvm,qemu When migrate vm, I encounter error: "Migrate VM virt21 failed unsupported configuration: Unable to find security driver for model apparmor" but two host are same environment.before this error, migrate can be success. the source host seclabel configure is this : <seclabel type='dynamic'

libvirt doesn't have a concept of "session qemu" for root: https://bugzilla.redhat.com/show_bug.cgi?id=890291 When a libguestfs-using process runs as root, and libvirt runs a qemu subprocess, the qemu subprocess is run as a non-root user (typically qemu.qemu). This causes various problems, for example if we try to open a file which is readable by root but unreadable by qemu.qemu

..., the line numbers for the source > code in the source tree that my Gentoo system is building from does not > match exactly what you listed. > > Line #442 for me is the one containing the "STREQ" macro: > > virObjectLock(mgr); > > for (i = 0; i < vm->nseclabels; i++) { > for (j = 0; sec_managers[j]; j++) > if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name)) > break; > > > I can rebuild with "-O0" and try again. If I can still trigger the crash, > the backtrace migh...

Previously we had assumed that when running as root, libvirt would always run qemu as a non-root user (eg. qemu.qemu), unless you modify a global configuration file (/etc/libvirt/qemu.conf). It turns out there is a little-known feature to make libvirt run qemu as root without modifying any configuration files. We have to add a <seclabel/> element to the appliance XML: <seclabel

Hi, I'm installing the operating system for my virtual machines from CD images and I would like for libvirtd to stop relabeling the corresponding files.  Since the installation media is no big secret, I have labeled the files with system_u:object_r:public_content_t:s0, but libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It also changes the ownership to qemu:qemu.  This

On Wed, Jan 13, 2016 at 04:25:14PM +0100, Martin Kletzander wrote: > For each of the kernels, libvirt labels them (with both DAC and selinux > labels), then proceeds to launching qemu. If this is done parallel, the > race is pretty obvious. Could you remind me why you couldn't use > <seclabel model='none'/> or <seclabel relabel='no'/> or something that

hi all, i am new to the libvirt. Via libvirt i am converting my xen.com.sfg. In xen i added xsm label as, seclabel:system_u:domU_t. but after creating vm using xen or by convertdom-to-xml also does not contain any label or text with xen-4.2.1. in the documentation also you mentioned selinux label (sVirt) only. Can u clear me the following things: 1. How to use XSM label in libvirt.? 2. What

On 08/19/2013 01:51 PM, Cristian Ciupitu wrote: > Hi, > > I'm installing the operating system for my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them to

Hello list, my name is Matteo, i'm new on that list. I'm working on a multitenancy platform with linux containers through libvirt on a production system with Red Hat 6.4. Every container run a separate instance of OpenSSH and Apache HTTPd and I need to give root privileges to the developers and I try to configure SELinux using svirt and MCS. I try the secmodel type dynamic and static in

On 06/10/2013 01:41 PM, pr.G wrote: > On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote: >> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: >>> On 06/09/2013 08:14 PM, pr.G wrote: >>>> Hello. >>>> >>>> Is it possible to start container via libvirt_lxc without mounting /sys >>>> inside container?

On Mon, Jul 15, 2013 at 3:18 AM, Michal Privoznik <mprivozn@redhat.com>wrote: > > Interesting. If you are still able to reproduce the crash, can you try to > get the line number within virSecurityManagerGenLabel where the crash > happened? I think it's the STREQ line (440 linenr). Question is whether > model or name is NULL. > > I'll try. I'm not sure why

----- Original Message ----- > From: Eric Blake <eblake@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: libvirt-users <libvirt-users@redhat.com> > Sent: Monday, August 19, 2013 11:24 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > So maybe this would do it: > > <source file=...> >   <seclabel

----- Original Message ----- > From: Martin Kletzander <mkletzan@redhat.com> > To: Cristian Ciupitu <cristian.ciupitu@yahoo.com> > Cc: Eric Blake <eblake@redhat.com>; libvirt-users <libvirt-users@redhat.com> > Sent: Tuesday, August 20, 2013 6:05 PM > Subject: Re: [libvirt-users] Stop the relabeling of CD images > > On 08/20/2013 04:19 AM, Cristian

On Wed, Jan 13, 2016 at 16:25:14 +0100, Martin Kletzander wrote: > On Wed, Jan 13, 2016 at 10:18:42AM +0000, Richard W.M. Jones wrote: > >As people may know, we frequently encounter errors caused by libvirt > >when running the libguestfs appliance. > > > >I wanted to find out exactly how frequently these happen and classify > >the errors, so I ran the

When mounting a subvolume by name, mountinfo shows the name of the subvolume. When mounting a subvolume using subvolid it does not. Seems like a problem when trying to determine what is mounted. -o subvol=<name> # cat /proc/self/mountinfo | grep vda 43 34 0:29 /home /home rw,relatime shared:29 - btrfs /dev/vda1 rw,seclabel,space_cache 44 34 0:29 /boot /boot rw,relatime shared:30 - btrfs

Link to version 1: https://www.redhat.com/archives/libguestfs/2013-February/thread.html#00122 Changes since version 1: - I've pushed two (of the three) code refactoring patches. The third one proved rather hard to move. - selinuxnorelabel option is no more. Instead there is a second internal API (internal_set_libvirt_selinux_norelabel_disks). - fixed bogus commit message -

On Tue, Jul 14, 2020 at 6:03 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 04:02:17PM +0300, Ram Lavi wrote: > > On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> > > wrote: > > > > > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > > > Hello all, > > > > > >

HI! Disclaimer: I'm a libvirt beginner using it for managing virtual machines based on qemu-kvm. Is there any documentation describing how to harden libvirt/qemu-kvm installations? Escpecially how to improve isolation of VMs: - secure time sync (with or without ntpd?) - random number generation - running VMs as different host OS users I do not need general OS hardening advice. Ciao,

On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote: > Hello list, > > my name is Matteo, i'm new on that list. > I'm working on a multitenancy platform with linux containers through libvirt on a production system with Red Hat 6.4. > Every container run a separate instance of OpenSSH and Apache HTTPd and I need to give root privileges to the developers and I

As people may know, we frequently encounter errors caused by libvirt when running the libguestfs appliance. I wanted to find out exactly how frequently these happen and classify the errors, so I ran the 'virt-df' tool overnight 1700 times. This tool runs several parallel qemu:///session libvirt connections both creating a short-lived appliance guest. Note that I have added Cole's