search for: virtd_t

...saying "error : virSecurityDriverLookup:74 : internal error Security driver selinux not found". SELinux is in a permissive mode but is not enforcing. ?The current situation is as follows: * The label of an LXC container is not properly done: $ ps auxZ | grep lxc unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 root 27998 0.0 ?0.0 34716 1160 ? ?Ss ? 11:54 ? 0:00 /usr/libexec/libvirt_lxc --name instance-0000001f --console 16 --security=none --handshake 19 --background --veth veth1 * This is the lable of libvirtd process: $ ps auxZ | grep libvirtd unconfined_u:system_r:virtd_t:s0-s0:c0.c102...

On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on

...mate) made is in this PR, where > I want to add a tap device in virt-handler (i.e. the super privileged > container) to be further uses in virt-launcher (i.e. the non-privileged > container): https://github.com/kubevirt/kubevirt/pull/3290 In normal host OS deployment, libvirtd runs under virtd_t, and when it spawns QEMU, it will relabel files to svirt_image_t:s0:$MCS, and spawn QEMU as svirt_t:s0:$MCS. My understanding is what in kubevirt, things work differently. Docker (or podman), launch the container as container_t:s0:$MCS. libvirtd *and* QEMU thus both run as container_t:s0:$MCS. i...

...; where > > I want to add a tap device in virt-handler (i.e. the super privileged > > container) to be further uses in virt-launcher (i.e. the non-privileged > > container): https://github.com/kubevirt/kubevirt/pull/3290 > > In normal host OS deployment, libvirtd runs under virtd_t, and when > it spawns QEMU, it will relabel files to svirt_image_t:s0:$MCS, and > spawn QEMU as svirt_t:s0:$MCS. > > My understanding is what in kubevirt, things work differently. Docker > (or podman), launch the container as container_t:s0:$MCS. libvirtd > *and* QEMU thus both...

...mg -rw-------. qemu qemu system_u:object_r:svirt_image_t:s0:c122,c658 vm2.img Trying to read/write on vm1 will generate AVC messages Seen following message in /var/log/audit/audit.log : type=VIRT_RESOURCE msg=audit(1332310867.790:10312): user pid=5114 uid=0 auid=0 ses=3 subj=unconfined_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=disk reason=attach vm="vm2" uuid=b07607f8-2d03-cc1f-272b-22863667d1a4 old-disk="?" new-disk="/var/lib/libvirt/images/vm1.img": exe=2F7573722F7362696E2F6C69627669727464202864656C6574656429 hostname=? addr=? terminal=? res=success...