search for: svirt_t

Displaying 20 results from an estimated 51 matches for "svirt_t".

2013 Apr 08
1
libvirt, selinux, moving images to ~/images does not work
..."eebbb23 qemu: support URI syntax for NBD"). More detailed output is below, this is all from the host system. What do I miss? Thank you. [root at vpl2 ~]# tail /var/log/messages Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.sepol_context_to_sid: could not convert system_u:system_r:svirt_t:s0:c263,c837 to sid Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: user system_u is not defined Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_record: could not create context structure Apr 8 16:47:48 vpl2 dbus-daemon[2903]: libsepol.context_from_string: cou...
2019 May 27
2
[PATCH] Use proper label for nbdkit sockets
While svirt_t can be used for sockets it does not always guarantee that it will be accessible from a virtual machine. The VM might be running under svirt_tcg_t context which will need a svirt_tcg_t label on the socket in order to access it. There is, however, another label, svirt_socket_t, which is accessible...
2012 Mar 22
1
Does libvirt check MCS labels during hot-add disk image ?
...n accepts addition of disk images of other guest running on the host. Steps followed to create this scenario : Started two VMs with following security configurations: vm1: <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c219,c564</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c219,c564</imagelabel> </seclabel> vm2 : <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c122,c658</label>...
2020 Jul 02
2
Re: Two questions about NVDIMM devices
Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote: >> Hi, >> > >> I've met two situations with NVDIMM support in libvirt where I'm not >> sure all the parties (libvirt & I) do the things correctly. >> >> The first problem is with memory alignment and size changes. In
2011 Oct 15
2
SELinux triggered during Libvirt snapshots
...helpful to debug this. The server is CentOS 6 x86_64 updated to CR. This is the raw audit entry, (hostname removed) node=kvmhost.tld type=AVC msg=audit(1318634450.285:28): avc: denied { getattr } for pid=1842 comm="qemu-kvm" name="/" dev=dm-2 ino=2 scontext=system_u:system_r:svirt_t:s0:c772,c779 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem node=kvmhost.tld type=SYSCALL msg=audit(1318634450.285:28): arch=c000003e syscall=138 success=no exit=-13 a0=9 a1=7fff1cf153f0 a2=0 a3=7fff1cf15170 items=0 ppid=1 pid=1842 auid=4294967295 uid=107 gid=107 euid=107 suid=107 fsuid=107 e...
2019 May 28
0
Re: [PATCH] Use proper label for nbdkit sockets
On Mon, May 27, 2019 at 01:30:05PM +0200, Martin Kletzander wrote: > While svirt_t can be used for sockets it does not always guarantee that it will > be accessible from a virtual machine. The VM might be running under svirt_tcg_t > context which will need a svirt_tcg_t label on the socket in order to access it. I don't really know enough about SELinux or the sVirt po...
2020 Jul 09
0
NVDIMM in devdax mode and SELinux (was: Two questions about NVDIMM devices)
...till occurs.) audit.log reports the following when starting a VM with an NVDIMM device in devdax mode: type=AVC msg=audit(1594144691.758:913): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:s0:c216,c981 tcontext=system_u:object_r:svirt_image_t:s0:c216,c981 tclass=chr_file permissive=0 type=AVC msg=audit(1594144691.758:914): avc: denied { map } for pid=21659 comm="qemu-kvm" path="/dev/dax0.0" dev="tmpfs" ino=1521557 scontext=system_u:system_r:svirt_t:...
2019 Sep 09
0
Reg: <operation not permitted><netlink socket><Qemu device>
...ing VM Live migration. If I am using QEMU command directly to launch the VM, then any operation on Netlink socket works fine. But if I am using libvirt to create the VM and attaching the device, then I am getting permission denied error. As I found out that this is related to SELinux, I added the svirt_t context as permissive "semanage permissive -a svirt_t". With this, I am not receiving permission denied error, instead I am receiving "operation not permitted" error. I changed the user and group field in libvirtd/qemu.conf to root/root. But still, I am facing the same proble...
2012 Jul 24
1
How can I make sVirt work with LXC (libvirt-0.9.13)?
...<parameter name="PROJMASK" value="255.255.0.0"/> </filterref> </interface> <console type="pty"/> </devices> </domain> * Svirt works well with KVM as is shown below: $ ps auxZ | grep qemu system_u:system_r:svirt_t:s0:c128,c132 root 22710 6.9 0.2 895040 34332 ? Sl 11:17 0:07 /usr/libexec/qemu-kvm -name instance-0000001b -S -M pc-0.14 -cpu core2duo,+lahf_lm,+dca,+pdcm,+xtpr,+cx16,+tm2,+est,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds -enable-kvm -m 512 -smp 1,sockets=1,cores=1,threads=1 -uuid 1271...
2020 Jul 16
1
Re: SELinux labels change in libvirt
...o be further uses in virt-launcher (i.e. the non-privileged > > container): https://github.com/kubevirt/kubevirt/pull/3290 > > In normal host OS deployment, libvirtd runs under virtd_t, and when > it spawns QEMU, it will relabel files to svirt_image_t:s0:$MCS, and > spawn QEMU as svirt_t:s0:$MCS. > > My understanding is that in kubevirt, things work differently. Docker > (or podman), launch the container as container_t:s0:$MCS. libvirtd > *and* QEMU thus both run as container_t:s0:$MCS. ie All the labelling > is setup when the container is launched and libvirtd sho...
2012 Jan 17
1
[CentOS] VirtIO disk 'leakage' across guests?
.../> <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c299,c322</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c299,c322</imagelabel> </seclabel> </domain> virsh # A substantially identical clone of the prototype. This guest has had no additional storage added to it. virsh # dumpxml sshpipe.harte-lyne...
2013 Jul 21
2
Re: Clipboard
.../> <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c665,c969</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c665,c969</imagelabel> </seclabel> </domain>
2020 Jul 14
2
Re: SELinux labels change in libvirt
On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on
2010 Jul 15
0
How to create a guest os from existing disk image file
...alias name='video0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c370,c413</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c370,c413</imagelabel> </seclabel> </domain> Thanks/Regards. Rajiv.R Project Associate. CARE. MIT Anna University Chennai ...
2011 Jul 28
0
Snapshot error "command savevm not found"
...ame='balloon0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c292,c580</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c292,c580</imagelabel> </seclabel> </domain> ------------ This is my first attempt at snapshots with KVM after migrating from ESXi, so if there's a better method please let me know. Thank...
2020 Jul 14
0
Re: SELinux labels change in libvirt
...ileged > container) to be further uses in virt-launcher (i.e. the non-privileged > container): https://github.com/kubevirt/kubevirt/pull/3290 In normal host OS deployment, libvirtd runs under virtd_t, and when it spawns QEMU, it will relabel files to svirt_image_t:s0:$MCS, and spawn QEMU as svirt_t:s0:$MCS. My understanding is that in kubevirt, things work differently. Docker (or podman), launch the container as container_t:s0:$MCS. libvirtd *and* QEMU thus both run as container_t:s0:$MCS. ie All the labelling is setup when the container is launched and libvirtd should not do anything. So...
2011 Aug 02
1
Snapshot error "command savevm not found"
...ame='balloon0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c292,c580</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c292,c580</imagelabel> </seclabel> </domain> ------------ This is my first attempt at snapshots with KVM after migrating from ESXi, so if there's a better method please let me know. Thank...
2010 Jul 19
1
How to create a guest os from existing disk image file with virt-install
...alias name='video0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> </video> </devices> <seclabel type='dynamic' model='selinux'> <label>system_u:system_r:svirt_t:s0:c370,c413</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c370,c413</imagelabel> </seclabel> </domain> ...
2016 Jun 06
0
Adding a channel device within an Openstack Fedora Instance ..
.../> <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='selinux' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c699,c952</label> <imagelabel>system_u:object_r:svirt_image_t:s0:c699,c952</imagelabel> </seclabel> </domain> How may I add this controller ( before adding the channel device) ? Thanks for help. Regards, Jean-Pierre RIBEAUVILLE +33 1 4717 2049 [axway_lo...
2013 Jul 21
0
Re: Clipboard
...<address type='pci' domain='0x0000' bus='0x00' slot='0x06' > function='0x0'/> > </memballoon> > </devices> > <seclabel type='dynamic' model='selinux' relabel='yes'> > <label>system_u:system_r:svirt_t:s0:c665,c969</label> > <imagelabel>system_u:object_r:svirt_image_t:s0:c665,c969</imagelabel> > </seclabel> > </domain>