similar to: SELinux for separate shared folders

Milan Zamazal <mzamazal@redhat.com> writes: > Daniel P. Berrangé <berrange@redhat.com> writes: > >> On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote: >>> The second problem is that a VM fails to start with a backing NVDIMM in >>> devdax mode due to SELinux preventing access to the /dev/dax* device (it >>> doesn't happen with any

Hello, I'm using HP homeserver where host system run CentOS 6.3 with KVM virtualization with SELinux enabled, guests too run the same OS (but without SELinux, but this does not matter). Host system installed on mirrors based on sda and sdb physical disks. sd{c..f} disks attached to KVM guest (whole disks, not partitions; needed to use zfs (zfsonlinux) benefit features). Problem is that disks

Libvirt doesn't care about security during hot add disk images. It even accepts addition of disk images of other guest running on the host. Steps followed to create this scenario : Started two VMs with following security configurations: vm1: <seclabel type='dynamic' model='selinux' relabel='yes'>

On Tue, Jul 14, 2020 at 04:02:17PM +0300, Ram Lavi wrote: > On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> > wrote: > > > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > > Hello all, > > > > > > tl;dr, can you point me to the point in the libvirt repo where it's > > trying > > > to change a

On Tue, Jul 14, 2020 at 6:03 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 04:02:17PM +0300, Ram Lavi wrote: > > On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> > > wrote: > > > > > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > > > Hello all, > > > > > >

On Tue, Apr 12, 2011 at 7:17 PM, Negative <negativebinomial at gmail.com>wrote: > I built a new VM under KVM today and I've been getting a slew of message > that selinux is blocking virtmanager from reading the new image. This > doesn't seem to be doing any harm, but I wanted to check whether I should > simply run chcon on the image (if I can). > > Virtmanager

I built a new VM under KVM today and I've been getting a slew of message that selinux is blocking virtmanager from reading the new image. This doesn't seem to be doing any harm, but I wanted to check whether I should simply run chcon on the image (if I can). Virtmanager show up as usr_t, as do my other vm images, but the new one is svirt_image_t. The selinux error says it denied a read

On Tue, Jul 14, 2020 at 3:33 PM Daniel P. Berrangé <berrange@redhat.com> wrote: > On Tue, Jul 14, 2020 at 03:21:17PM +0300, Ram Lavi wrote: > > Hello all, > > > > tl;dr, can you point me to the point in the libvirt repo where it's > trying > > to change a tap-device's SELinux label? > > > > I am trying to create a tap device with libvirt on

Hello list, my name is Matteo, i'm new on that list. I'm working on a multitenancy platform with linux containers through libvirt on a production system with Red Hat 6.4. Every container run a separate instance of OpenSSH and Apache HTTPd and I need to give root privileges to the developers and I try to configure SELinux using svirt and MCS. I try the secmodel type dynamic and static in

On Thu, Oct 31, 2013 at 04:32:45PM +0100, Matteo Piccinini wrote: > Hello list, > > my name is Matteo, i'm new on that list. > I'm working on a multitenancy platform with linux containers through libvirt on a production system with Red Hat 6.4. > Every container run a separate instance of OpenSSH and Apache HTTPd and I need to give root privileges to the developers and I

https://bugzilla.redhat.com/show_bug.cgi?id=912499 (especially comments 7 & 10) This patch set is the final fix so that we can access disks in use by other guests when SELinux and sVirt are enabled. Previously such disks were inaccessible because sVirt labels the disks with a random SELinux label to prevent other instances of qemu from being able to read them. So naturally the libguestfs

On 08/19/2013 01:51 PM, Cristian Ciupitu wrote: > Hi, > > I'm installing the operating system for my virtual machines from CD > images and I would like for libvirtd to stop relabeling the > corresponding files. Since the installation media is no big secret, I > have labeled the files with system_u:object_r:public_content_t:s0, but > libvirtd keeps changing them to

[Moving this to the libguestfs mailing list] On Mon, Jan 13, 2014 at 03:05:14PM -0500, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 01/13/2014 11:49 AM, Richard W.M. Jones wrote: > > On Mon, Jan 13, 2014 at 10:20:22AM -0500, Daniel J Walsh wrote: > >> Secondly we prevent even unconfined_t from putting down labels on the > >>

I just want to bring everyone's attention this important bug in Fedora 18. It looks like people are now starting to upgrade to F18 and are hitting this bug. https://bugzilla.redhat.com/show_bug.cgi?id=912499 In brief, when virt-manager runs, it starts some libguestfs instances in the background to inspect guests. Starting with Fedora 18 these use libvirt and because of a bad interaction

https://bugzilla.mindrot.org/show_bug.cgi?id=2482 Bug ID: 2482 Summary: SELinux integration Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=3641 Bug ID: 3641 Summary: Improved SELinux support for openssh Product: Portable OpenSSH Version: 9.5p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at

Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Jul 02, 2020 at 01:21:15PM +0200, Milan Zamazal wrote: >> Hi, >> > >> I've met two situations with NVDIMM support in libvirt where I'm not >> sure all the parties (libvirt & I) do the things correctly. >> >> The first problem is with memory alignment and size changes. In

On Aug 21, 2018, at 4:34 PM, Nataraj <incoming-centos at rjl.com> wrote: > > On 08/21/2018 02:20 PM, Warren Young wrote: >> On Aug 21, 2018, at 1:27 PM, Nataraj <incoming-centos at rjl.com> wrote: >>> I have a web application which uses sudo to invoke python scripts as the >>> user under which the application runs (NO root access). >> Why is the web

On 01/23/2015 06:01 PM, Stephen Harris wrote: > At work I'm used to tools like eTrust Access Control (aka SEOS). eTrust > takes away the ability to manage the eTrust config from root and puts it > in the hands of "security admin". So there's a good separation of duties; > security admin control the security ruleset, but are limited by the OS > permissions (so

Exactly, SELinux is great. Its a good room to have when you can get it working and it's another good layer of protection. Its better to learn to use the tool then just turn it off. Not every label has a rw option but it never hurts to try. :-) On Jan 22, 2015 1:18 PM, "Tim Dunphy" <bluethundr at gmail.com> wrote: > > > > The easiest answer is to edit the Selinux