search for: svirt_image_t

...s SELinux context which inaccessible from context of smartd process. [root at srv-1.home ~]# ls -laZ /dev/sd{a..f} brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sda brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/sdb brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdc brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdd brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sde brw-rw----. qemu qemu system_u:object_r:svirt_image_t:s0:c281,c675 /dev/sdf [root at srv-1.home ~]# ps axwZ | grep smart[d]...

Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote: >> Hi, >> > >> I've met two situations with NVDIMM support in libvirt where I'm not >> sure all the parties (libvirt & I) do the things correctly. >> >> The first problem is with memory alignment and size changes. In

...eps followed to create this scenario : Started two VMs with following security configurations: vm1: <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c219,c564</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c219,c564</imagelabel> </seclabel> vm2 : <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c122,c658</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c122,c658</imagelabel&g...

...hen starting a VM with an NVDIMM device in devdax mode: type=AVC msg=audit(1594144691.758:913): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981 tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file permissive=0 type=AVC msg=audit(1594144691.758:914): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981 tcontext=system_u:object_r:svirt_image_t:...

...sage > that selinux is blocking virtmanager from reading the new image. This > doesn't seem to be doing any harm, but I wanted to check whether I should > simply run chcon on the image (if I can). > > Virtmanager show up as usr_t, as do my other vm images, but the new one is > svirt_image_t. > > The selinux error says it denied a read access to virtmanager but that it > is not expected that the access is required. > > I tried running restorecon as root, as suggested by the selinux error, but > I'm getting a permission-denied error there. (It tries to set the cont...

...n is that as soon as the vm starts, ownership and context of /dev/ttyS0 on the host are being reset. Why is that, and how can I prevent it from happening? Should be: crw-rw----. root dialout system_u:object_r:tty_device_t:s0 /dev/ttyS0 Changes to: crw-rw----. qemu qemu unconfined_u:object_r:svirt_image_t:s0:c9,c796 /dev/ttyS0

...perating system for my virtual machines from CD images and I would like for libvirtd to stop relabeling the corresponding files.  Since the installation media is no big secret, I have labeled the files with system_u:object_r:public_content_t:s0, but libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0.  It also changes the ownership to qemu:qemu.  This means that I can not make the files immutable (chattr +i). The XML dump of the machine looks like this :     <disk type='file' device='cdrom'>         <driver name='qemu' type='raw'/>         <so...

...;0x00' slot='0x06' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c299,c322</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c299,c322</imagelabel> </seclabel> </domain> virsh # A substantially identical clone of the prototype. This guest has had no additional storage added to it. virsh # dumpxml sshpipe.harte-lyne.ca <domain type='kvm' id='19'> <name>sshpipe.harte...

...#39;0x00' slot='0x06' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c665,c969</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c665,c969</imagelabel> </seclabel> </domain>

...paration between the shared folders belonging to different VMs running with sVirt's SELinux dynamic labels? I want to create a permanent exception for VM 'A' to only be able to read and write to shared folder 'A' and the same for VM 'B' and shared folder 'B' svirt_image_t permits access to a shared folder but for all VMs.

...e been getting a slew of message that selinux is blocking virtmanager from reading the new image. This doesn't seem to be doing any harm, but I wanted to check whether I should simply run chcon on the image (if I can). Virtmanager show up as usr_t, as do my other vm images, but the new one is svirt_image_t. The selinux error says it denied a read access to virtmanager but that it is not expected that the access is required. I tried running restorecon as root, as suggested by the selinux error, but I'm getting a permission-denied error there. (It tries to set the context to usr_t) Thanks in adv...

...my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them to system_u:object_r:svirt_image_t:s0. It > also changes the ownership to qemu:qemu. This means that I can not make > the files immutable (chattr +i). Caveat - this is not something I have tried myself, so try it out, and feel free to post back if it works or doesn't work for your case. > > The XML dump of the m...

On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on

...n='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c370,c413</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c370,c413</imagelabel> </seclabel> </domain> Thanks/Regards. Rajiv.R Project Associate. CARE. MIT Anna University Chennai -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20100...

...9;0x0000' bus='0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c292,c580</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c292,c580</imagelabel> </seclabel> </domain> ------------ This is my first attempt at snapshots with KVM after migrating from ESXi, so if there's a better method please let me know. Thanks - Trey -------------- next part -------------- An HTML attachment was scrubbed....

...vice in virt-handler (i.e. the super privileged > container) to be further uses in virt-launcher (i.e. the non-privileged > container): https://github.com/kubevirt/kubevirt/pull/3290 In normal host OS deployment, libvirtd runs under virtd_t, and when it spawns QEMU, it will relabel files to svirt_image_t:s0:$MCS, and spawn QEMU as svirt_t:s0:$MCS. My understanding is what in kubevirt, things work differently. Docker (or podman), launch the container as container_t:s0:$MCS. libvirtd *and* QEMU thus both run as container_t:s0:$MCS. ie All the labelling is setup when the container is launched and l...

...9;0x0000' bus='0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c292,c580</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c292,c580</imagelabel> </seclabel> </domain> ------------ This is my first attempt at snapshots with KVM after migrating from ESXi, so if there's a better method please let me know. Thanks - Trey -------------- next part -------------- An HTML attachment was scrubbed....

...n='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c370,c413</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c370,c413</imagelabel> </seclabel> </domain> -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20100719/f7dcba3e/attachment.htm>

...;0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c699,c952</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c699,c952</imagelabel> </seclabel> </domain> How may I add this controller ( before adding the channel device) ? Thanks for help. Regards, Jean-Pierre RIBEAUVILLE +33 1 4717 2049 [axway_logo_tagline_87px]

...t='0x06' > function='0x0'/> > </memballoon> > </devices> > <seclabel type='dynamic' model='selinux' relabel='yes'> > <label>system_u:system_r:svirt_t:s0:c665,c969</label> > <imagelabel>system_u:object_r:svirt_image_t:s0:c665,c969</imagelabel> > </seclabel> > </domain>