[rsbac] kvm-guest in jail
Jens Kasten
igraltist at rsbac.org
Sun Jan 16 16:12:30 CET 2011
Hi list,
I try to run a kvm-guest in a jail.
My network setup for is bridged.
The monitor option when I use tcp socket instead unix socket is
available on the host.
For monitor I would prefer to use the unix socket.
But then I get:
Sun Jan 16 14:34:27 2011 :<7>0000000864|rsbac_adf_request_jail():
process jail is 35, no allow_ipc and partner process unknown ->
NOT_GRANTED!
Sun Jan 16 14:34:27 2011 :<6>0000000865|rsbac_adf_request(): request
ACCEPT, pid 9624, ppid 1, prog_name debian,
prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5,
target_type UNIXSOCK, tid Device 253:24 Inode 55284
Path /var/run/kvm/debian.socket, attr sock_type, value STREAM, result
NOT_GRANTED by JAIL
For network setup adding the iface to the bridge does not work.
If really all fail I could use routing for guests.
This command I use to start a guest:
/usr/local/bin/rsbac_jail -I 0.0.0.0 -d -D -K -E -C NET_RAW DAC_OVERRIDE
DAC_READ_SEARCH NET_ADMIN -M network sysctl /usr/bin/kvm-admin debian
boot
And this shows the logfile:
Sun Jan 16 16:00:22 2011 :<6>0000001178|rsbac_adf_request(): request
MODIFY_SYSTEM_DATA, pid 16483, ppid 16482, prog_name brctl,
prog_file /sbin/brctl, uid 0, remote ip 127.0.0.1, target_type NETDEV,
tid local, attr none, value none, result NOT_GRANTED by JAIL
Grüsse
Jens
More information about the rsbac
mailing list