search for: svirt

Displaying 20 results from an estimated 101 matches for "svirt".

2013 Apr 03
1
[libvirt] how to use svirt
On 04/03/2013 10:25 AM, yue wrote: > > hi,all > > i know svirt is merged into libvirt upstream, but how to use them? > You had better ask this kind of question on libvirt-users at redhat.com in the future; it's a user mailing list, and you may ask all kinds of libvirt usage questions if you want. The following is some reference: https://access.redhat....
2012 Sep 14
0
NOTE: In libguestfs 1.19.41, the libvirt backend will have sVirt enabled by default
...tream libguestfs with default settings, then this does NOT affect you. libvirt isn't required by libguestfs.] From libguestfs 1.19.41, if you have selected the alternate libvirt method to launch the appliance, ie, if you have done: ./configure --with-default-attach-method=libvirt then sVirt is enabled by default. This is for enhanced security: if a malicious disk image manages to corrupt the appliance *and* take over qemu, then SELinux provides additional confinement of the qemu process, ensuring it cannot read or write arbitrary files or other resources in the host. From Fedora 18,...
2012 Jul 24
1
How can I make sVirt work with LXC (libvirt-0.9.13)?
Hi, I've installed libvirt-0.9.13 on RHEL6.2 from the source code. I cannot make sVirt working with LXC. (sVirt works well with KVM, though.) I can start an LXC instance, but the label of the process is not right. Can someone help me? I tried to change /etc/libvirtd/lxc.conf file to explicitly enable security_driver = "selinux". But it ends up with error saying "erro...
2010 Mar 30
0
how-to doc for svirt/SELinux enabling
Anyone have a pointer or some documentation or a how to enable svirt support in RHEL 5.4 using libvirt 6.3 and KVM/QEMU? Thanks Jonathan
2018 May 07
0
SELinux (sVirt) with libvirt
Hello! Where can I get maybe a tutorial or something like this about how to use SELinux with libvirt?
2013 Apr 17
1
question about process power which has MCSx
Hi all, a qemu-kvm process and its disk (image file) have the same MCS (s0:c111,c555). It expresses that this process has access to this image. I do not know whether the power to access its image file is the max or min? Does this process (domain) have any other power? How much? I want to know the exact power a qemu-kvm process has besides access to its image file: other kinds of files, dirs, etc. My test case:
2018 Nov 02
2
guestfs_launch() fails when C application is started as a systemd service
...ttaching the service file, source code and verbose logs from both the successful manual run and from the service journal. SELinux is disabled. Error messages: libguestfs: set_socket_create_context: getcon failed: (none): Invalid argument [you can ignore this message if you are not using SELinux + sVirt] libguestfs: clear_socket_create_context: setsockcreatecon failed: NULL: Invalid argument [you can ignore this message if you are not using SELinux + sVirt] libguestfs: error: chown: /tmp/libguestfsvMMaec/guestfsd.sock: Operation not permitted libguestfs: clear_socket_create_context: setsockcreatec...
2011 Nov 02
2
VirtualBox on CentOS 6.0?
I have an older quad-core AMD processor that supports hardware virtualization on a motherboard that does not support it in the bios. Eventually I'll swap the mobo out on this box for one that will support hardware virtualization and use qemu-kvm. I prefer kvm because of SELinux and sVirt that protects the host from VM breakout should a VM become hostile. In the meantime, I want to start work on a web project and want to use this idle machine and CentOS 6.0 in a VM. What I prototype and learn will eventually be moved to the production machine using kvm and sVirt. So...I downloaded...
2014 Mar 17
2
KVM -snapshot mode
Hi, I'm just wondering is there any way for me to trigger KVM's -snapshot parameter from libvirt. I don't want to clone a disk etc. I just need a way so that KVM is spawned with a '-snapshot' parameter. Anyone got any ideas? Cheers Chris
2018 Nov 02
0
Re: guestfs_launch() fails when C application is started as a systemd service
...ode and verbose logs from both the > successful manual run and from the service journal. > > SELinux is disabled. > > Error messages: > libguestfs: set_socket_create_context: getcon failed: (none): Invalid > argument [you can ignore this message if you are not using SELinux + sVirt] > libguestfs: clear_socket_create_context: setsockcreatecon failed: NULL: > Invalid argument [you can ignore this message if you are not using SELinux > + sVirt] > libguestfs: error: chown: /tmp/libguestfsvMMaec/guestfsd.sock: Operation > not permitted > libguestfs: clear_socket_...
2012 Dec 13
0
Release notes appendix for libguestfs 1.20 on Debian Wheezy
...>= 0.10.2 is required), the new libvirt attach-method will not work in Debian. See the release notes for what you'll miss out on. Of course the default (appliance) method works fine, and libvirt is not required. Even if newer libvirt and qemu were available in Debian, it seems unlikely that sVirt protection would work. This is partly because of the obvious fact that Debian doesn't use SELinux (by default). But mainly because we have made several changes to the SELinux policy in Fedora to support libguestfs with libvirt and sVirt. Also, although in theory AppArmor could implement sVir...
2016 May 31
2
[PATCH] p2v: require a non-interactive sudo (RHBZ#1340809)
...on to time out. --- p2v/ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/p2v/ssh.c b/p2v/ssh.c index b432cbd..c6bf306 100644 --- a/p2v/ssh.c +++ b/p2v/ssh.c @@ -490,7 +490,7 @@ test_connection (struct config *config) */ if (mexp_printf (h, "%svirt-v2v --version\n", - config->sudo ? "sudo " : "") == -1) { + config->sudo ? "sudo -n " : "") == -1) { set_ssh_error ("mexp_printf: %m"); mexp_close (h); return -1; -- 2.5.5
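Review bot: in test_connection, the new "sudo -n " prefix makes sudo exit with an error instead of prompting, yet the only failure handled in the visible lines is mexp_printf returning -1. Check that the code reading the reply to virt-v2v --version turns a sudo refusal into a specific message (for example, that passwordless sudo must be configured for the remote user) rather than a generic failure to detect the virt-v2v version, and consider a short comment at this call explaining why -n is needed.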
2016 Jan 13
1
Re: [libvirt] Quantifying libvirt errors in launching the libguestfs appliance
...> labels), then proceeds to launching qemu. If this is done parallel, the > race is pretty obvious. Could you remind me why you couldn't use > <seclabel model='none'/> or <seclabel relabel='no'/> or something that > would mitigate this? We value having sVirt :-) However I'm just about to rerun the tests with <seclabel type='none'/> to see if the problem goes away. Will let you know tomorrow once they have run again. > If we cannot use this, then we need to implement > the <seclabel/> element for kernel and initrd. Righ...
2012 Jan 25
2
How to change libvirt / cgroup interaction?
Hi there, Do you know if there is a way to modify how libvirt interacts with the cgroup? Because, I successfully add the /dev/net/tun support in my LXC container by doing: echo c 10:200 rwm >> /cgroup/libvirt/lxc/instance-00000005/devices.allow But when I restart the instance/LXC container, this option has gone. How can I make this persistent? Is there a configuration file? Thanks
2018 May 09
2
Re: Libvirt access control drivers
Here https://libvirt.org/acl.html it is stated that you designed this access control system as pluggable. Are there any options (even with modifying libvirt code) to plug in any custom driver? I just need to take a try and design something that will support remote access control. I am not sure if sVirt is the right thing I should look at. 2018-05-09 11:27 GMT+03:00 Daniel P. Berrangé <berrange@redhat.com>: > On Wed, May 09, 2018 at 11:21:22AM +0300, Anastasiya Ruzhanskaya wrote: > > Ok, excuse me for misunderstanding, how it is possible then to set up > > access control whe...
2013 Feb 28
7
[PATCH 0/7] Fix SELinux security contexts so we can access shared disks (RHBZ#912499).
https://bugzilla.redhat.com/show_bug.cgi?id=912499 (especially comments 7 & 10) This patch set is the final fix so that we can access disks in use by other guests when SELinux and sVirt are enabled. Previously such disks were inaccessible because sVirt labels the disks with a random SELinux label to prevent other instances of qemu from being able to read them. So naturally the libguestfs appliance (ie. qemu) cannot read these disks, not even if it is running as root. The fix is...
2018 May 09
2
Re: Libvirt access control drivers
...at you designed this access > > control system as pluggable. Are there any options (even with modifying > > libvirt code) to plug in any custom driver? > > I just need to take a try and design something that will support remote > > access control. > > I am not sure if sVirt is the right thing I should look at. > > It is pluggable in the sense that we can write more backends for it > without having to refactor the rest of libvirt codebase. It isn't > pluggable from POV of an end user wishing to change it - it needs > contribution to libvirt code to...
2013 Aug 06
1
Libvirt seclabel.
...all, I am new to libvirt. Via libvirt I am converting my xen.com.sfg. In Xen I added an XSM label as seclabel:system_u:domU_t, but after creating the VM using xen or by convertdom-to-xml it also does not contain any label or text with xen-4.2.1. In the documentation you also mentioned the SELinux label (sVirt) only. Can you clarify the following things for me: 1. How to use an XSM label in libvirt? 2. What are the procedures (syntax and tags) to use for an XSM label in the XML file? Regards, cooldharma06
2014 Mar 17
0
Re: KVM -snapshot mode
...shot parameter directly via libvirt, for several reasons: 1. it makes qemu use $TMPDIR, and on systems where $TMPDIR defaults to /tmp and where /tmp is not backed by disk, it can easily exhaust space limits in /tmp 2. -snapshot mode makes a guest non-migrateable 3. -snapshot is incompatible with sVirt SELinux labeling, because qemu ends up creating the file, but under sVirt rules, qemu is only allowed to use pre-existing pre-labeled files However, we DO plan on supporting transient disks (which is the underlying operation being provided by -snapshot mode), just by doing the work ourselves inste...
2014 Aug 05
2
Ubuntu Trusty: failed to create VM due to permission denied
> Hi, libvirt experts, I used libvirt to create a VM and used backing store to a local file. It works fine until I installed my box to Ubuntu Trusty (14.04). I got the following errors when I tried to start the VM: Could not open backing file: Could not open <path to my backing file>: Permission denied However, if I moved my image file (not base image) to default location