[rsbac] kvm-guest in jail

Jens Kasten igraltist at rsbac.org
Sun Jan 16 16:12:30 CET 2011

Hi list,

I am trying to run a kvm-guest in a jail.
My network setup is bridged.
The monitor option, when I use a tcp socket instead of a unix socket, is
available on the host.
For the monitor I would prefer to use the unix socket.
But then I get:
Sun Jan 16 14:34:27 2011 :<7>0000000864|rsbac_adf_request_jail():
process jail is 35, no allow_ipc and partner process unknown ->
Sun Jan 16 14:34:27 2011 :<6>0000000865|rsbac_adf_request(): request
ACCEPT, pid 9624, ppid 1, prog_name debian,
prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip,
target_type UNIXSOCK, tid Device 253:24 Inode 55284
Path /var/run/kvm/debian.socket, attr sock_type, value STREAM, result

For the network setup, adding the iface to the bridge does not work.
If all else fails, I could use routing for the guests.

This is the command I use to start a guest:
/usr/local/bin/rsbac_jail -I -d -D -K -E -C NET_RAW DAC_OVERRIDE
DAC_READ_SEARCH NET_ADMIN -M network sysctl /usr/bin/kvm-admin debian

And this is what the logfile shows:
Sun Jan 16 16:00:22 2011 :<6>0000001178|rsbac_adf_request(): request
MODIFY_SYSTEM_DATA, pid 16483, ppid 16482, prog_name brctl,
prog_file /sbin/brctl, uid 0, remote ip, target_type NETDEV,
tid local, attr none, value none, result NOT_GRANTED by JAIL
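As an added example (not code from the post or from the RSBAC project), a small Python parser for the rsbac_adf_request() log format quoted above: it re-joins the lines the mail client wrapped, splits the "key value" fields, and lists the requests the JAIL module rejected, keeping the rsbac_adf_request_jail() debug reason for the record whose result field is cut off. The sample log is constructed from the records in the post.

```python
import re

# Constructed sample: the post's records as the mail client wrapped them (first result cut off).
SAMPLE_LOG = """\
Sun Jan 16 14:34:27 2011 :<7>0000000864|rsbac_adf_request_jail():
process jail is 35, no allow_ipc and partner process unknown ->
Sun Jan 16 14:34:27 2011 :<6>0000000865|rsbac_adf_request(): request
ACCEPT, pid 9624, ppid 1, prog_name debian,
prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip,
target_type UNIXSOCK, tid Device 253:24 Inode 55284
Path /var/run/kvm/debian.socket, attr sock_type, value STREAM, result
Sun Jan 16 16:00:22 2011 :<6>0000001178|rsbac_adf_request(): request
MODIFY_SYSTEM_DATA, pid 16483, ppid 16482, prog_name brctl,
prog_file /sbin/brctl, uid 0, remote ip, target_type NETDEV,
tid local, attr none, value none, result NOT_GRANTED by JAIL
"""
HEADER = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) :<(?P<level>\d)>"
                    r"(?P<seq>\d+)\|(?P<func>\w+)\(\):\s*(?P<body>.*)$")  # "<ts> :<lvl><seq>|<func>(): <body>"
FIELD = re.compile(r"^(remote ip|\w+)\s*(.*)$")   # "key value"; the value may be empty

def unwrap(text):
    """Re-join wrapped continuation lines; only a header line starts a new record."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_record(line):
    m = HEADER.match(line)
    rec = {"ts": m["ts"], "seq": int(m["seq"]), "func": m["func"]}
    if m["func"] != "rsbac_adf_request":            # e.g. the JAIL debug line: keep its text as the reason
        rec["reason"] = re.sub(r"\s*->\s*$", "", m["body"])
        return rec
    for part in m["body"].split(", "):               # fields are comma separated; "tid ..." keeps its spaces
        key, val = FIELD.match(part).groups()
        rec[key.replace(" ", "_")] = val
    decision, _, module = rec.get("result", "").partition(" by ")   # "NOT_GRANTED by JAIL"
    rec["decision"], rec["module"] = decision or None, module or None  # None when the line was cut off
    return rec

def jail_events(text):
    """(prog_file, request, target_type, decision, reason) for requests JAIL rejected or explained."""
    out, reason = [], None
    for rec in map(parse_record, unwrap(text)):
        if rec["func"] == "rsbac_adf_request_jail":  # debug line precedes the request it explains
            reason = rec["reason"]
            continue
        if reason or (rec.get("decision") == "NOT_GRANTED" and rec.get("module") == "JAIL"):
            out.append((rec.get("prog_file"), rec.get("request"), rec.get("target_type"), rec.get("decision"), reason))
        reason = None
    return out
```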
