Libvirt virtualization policies

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Re: Libvirt virtualization policies

Postby timbgo » Mon Mar 06, 2017 9:44 am

diff -u grsec_170303_g0n_00 grsec_170306_g0n_00
--- grsec_170303_g0n_00   2017-03-03 16:57:05.000000000 +0100
+++ grsec_170306_g0n_00   2017-03-06 13:47:45.659353920 +0100
@@ -3241,7 +3241,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/bin/virt-install ol
+subject /usr/bin/virt-install oOl
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
    /            h
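Review bot: adding O (allow loading of writable libraries) to the virt-install subject relaxes a protection that o and l do not touch, and the same change is applied identically to every libvirt subject in the hunks below; since l keeps all of them in learning mode anyway, it is worth recording which subjects actually failed without O, so that the flag can be dropped again from the ones that only needed it while learning. Note also that `/ h` is the only object line, so as written the subject is a learning skeleton and not usable in enforcing mode until the learned objects are merged in.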
@@ -3588,7 +3588,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/libexec/libvirt-guests.sh ol
+subject /usr/libexec/libvirt-guests.sh oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -3597,7 +3597,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/libexec/libvirt_iohelper ol
+subject /usr/libexec/libvirt_iohelper oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -3606,7 +3606,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/libexec/libvirt_leaseshelper ol
+subject /usr/libexec/libvirt_leaseshelper oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -3752,7 +3752,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/sbin/libvirtd ol
+subject /usr/sbin/libvirtd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
@@ -3761,7 +3761,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/sbin/virtlockd ol
+subject /usr/sbin/virtlockd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
@@ -3770,7 +3770,7 @@
    connect   disabled
 
 # Role: root
-subject /usr/sbin/virtlogd ol
+subject /usr/sbin/virtlogd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
@@ -7149,7 +7149,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/libexec/libvirt-guests.sh ol
+subject /usr/libexec/libvirt-guests.sh oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -7158,7 +7158,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/libexec/libvirt_iohelper ol
+subject /usr/libexec/libvirt_iohelper oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -7167,7 +7167,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/libexec/libvirt_leaseshelper ol
+subject /usr/libexec/libvirt_leaseshelper oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /               h
@@ -7768,7 +7768,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/bin/virt-install ol
+subject /usr/bin/virt-install oOl
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
    /            h
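Review bot: under role miro this subject keeps `user_transition_allow root qemu` and `group_transition_allow root kvm libvirt qemu`, i.e. a uid 1000 virt-install is permitted to transition to root; these lines are copied from the root-role subject above, where root is already the caller. The log later in this post shows virt-install under miro running as uid/euid 1000/1000 and talking to libvirtd over qemu:///system, so the root entries look unnecessary here and should be removed once the learning output confirms that no transition to root was recorded.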
@@ -8720,7 +8720,7 @@
    sock_allow_family unix inet
 
 # Role: miro
-subject /usr/sbin/libvirtd ol
+subject /usr/sbin/libvirtd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
@@ -8729,7 +8729,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/sbin/virtlockd ol
+subject /usr/sbin/virtlockd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
@@ -8738,7 +8738,7 @@
    connect   disabled
 
 # Role: miro
-subject /usr/sbin/virtlogd ol
+subject /usr/sbin/virtlogd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h


$ GentooVM22.sh
qemu-img create -f qcow2 gentoo22.img 10G

Formatting 'gentoo22.img', fmt=qcow2 size=10737418240 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

Starting install...
Creating domain...                                                           |    0 B  00:00:00     
Domain installation still in progress. You can reconnect to
the console to complete the installation process.
$


Mar  6 13:50:23 g0n kernel: [18807.416246] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-1st (uncenz-1st ) by /usr/local/bin/uncenz-1st[bash:7002] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4966] uid/euid:1000/1000 gid/egid:1000/1000

Happening in the host only for now.
Mar  6 13:50:45 g0n kernel: [18829.480445] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  6 13:50:48 g0n kernel: [18831.766022] grsec: (miro:U:/) exec of /usr/local/bin/GentooVM22.sh (GentooVM22.sh ) by /usr/local/bin/GentooVM22.sh[bash:7143] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:49 g0n kernel: [18833.305683] grsec: (miro:U:/) exec of /usr/bin/qemu-img (qemu-img create -f qcow2 gentoo22.img 10G ) by /usr/bin/qemu-img[GentooVM22.sh:7144] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/GentooVM22.sh[GentooVM22.sh:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:49 g0n kernel: [18833.414497] grsec: (miro:U:/usr/bin/virt-install) exec of /usr/bin/virt-install (virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gentoo22.img --memory 512 --network n) by /usr/bin/virt-install[GentooVM22.sh:7143] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:49 g0n kernel: [18833.435477] grsec: (miro:U:/) exec of /usr/share/virt-manager/virt-install (/usr/share/virt-manager/virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gentoo22.img ) by /usr/share/virt-manager/virt-install[virt-install:7143] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:49 g0n kernel: [18833.446690] grsec: (miro:U:/usr/bin/python2.7) exec of /usr/bin/python2.7 (python2.7 /usr/share/virt-manager/virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gen) by /usr/bin/python2.7[virt-install:7143] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:51 g0n kernel: [18834.679749] grsec: (miro:U:/sbin/ldconfig) exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python2.7:7146] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000

In the section below is the crucial line:
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: waiting for carrier
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: new hardware address: fe:54:00:5b:33:79
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: carrier acquired
Mar  6 13:50:55 g0n kernel: [18839.667388] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:7193] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  6 13:50:55 g0n kernel: [18839.671863] grsec: (root:U:/usr/sbin/libvirtd) chdir to / by /usr/sbin/libvirtd[libvirtd:7194] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:4156] uid/euid:0/0 gid/egid:0/0
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: IAID 00:5b:33:79
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: adding address fe80::a5ed:5630:7968:bfbe
Mar  6 13:50:56 g0n kernel: [18839.679853] cgroup: libvirtd (4156) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
Mar  6 13:50:56 g0n kernel: [18839.679858] cgroup: "memory" requires setting use_hierarchy to 1 on the root
Mar  6 13:50:56 g0n kernel: [18839.699067] grsec: (qemu:U:/) exec of /usr/bin/qemu-system-x86_64 (/usr/bin/qemu-system-x86_64 -name guest=gentoo22,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvi) by /usr/bin/qemu-system-x86_64[libvirtd:7195] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  6 13:50:56 g0n dhcpcd[3564]: vnet0: soliciting an IPv6 router
Mar  6 13:50:56 g0n dhcpcd[3564]: vnet0: soliciting a DHCP lease
Mar  6 13:50:56 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  6 13:50:56 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  6 13:50:56 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  6 13:50:56 g0n kernel: [18840.334462] grsec: (miro:U:/) exec of /usr/bin/virt-viewer (virt-viewer --connect qemu:///system --wait gentoo22 ) by /usr/bin/virt-viewer[python2.7:7218] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:56 g0n kernel: [18840.470353] grsec: (miro:U:/) denied socket(inet6,dgram,0) by /usr/bin/virt-viewer[virt-viewer:7218] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:56 g0n kernel: [18840.471858] grsec: (miro:U:/) denied connect() to the unix domain socket /run/libvirt/libvirt-sock-ro by /usr/bin/virt-viewer[virt-viewer:7218] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:57 g0n kernel: [18841.665337] virbr0: port 2(vnet0) entered learning state
Mar  6 13:51:00 g0n dhcpcd[3564]: virbr0: carrier acquired
Mar  6 13:51:00 g0n kernel: [18843.713346] virbr0: port 2(vnet0) entered forwarding state
Mar  6 13:51:00 g0n kernel: [18843.713351] virbr0: topology change detected, propagating
Mar  6 13:51:00 g0n kernel: [18843.715410] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:7219] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:00 g0n dhcpcd[3564]: virbr0: IAID 00:ea:ee:e9
Mar  6 13:51:00 g0n dhcpcd[3564]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar  6 13:51:00 g0n dhcpcd[3564]: virbr0: soliciting an IPv6 router
Mar  6 13:51:00 g0n dhcpcd[3564]: virbr0: soliciting a DHCP lease
Mar  6 13:51:01 g0n kernel: [18844.961111] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  6 13:51:01 g0n dhcpcd[3564]: vnet0: probing for an IPv4LL address
Mar  6 13:51:04 g0n kernel: [18848.043818] sky2 0000:06:00.0 eth1: Link is down
Mar  6 13:51:04 g0n dhcpcd[3564]: eth1: carrier lost
Mar  6 13:51:04 g0n kernel: [18848.045717] br0: port 1(eth1) entered disabled state

This is where I unplugged the cord.
Mar  6 13:51:05 g0n dhcpcd[3564]: br0: carrier lost

All goes down, as it should.
Mar  6 13:51:05 g0n dnsmasq[4320]: no servers found in /etc/resolv.conf, will retry
Mar  6 13:51:05 g0n kernel: [18849.196437] grsec: (root:U:/) exec of /bin/cat (cat /run/dhcpcd/resolv.conf.br0.ra ) by /bin/cat[dhcpcd-run-hook:7298] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7294] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.199422] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:7299] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7294] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.203434] grsec: (root:U:/bin/chmod) exec of /bin/chmod (chmod 644 /etc/resolv.conf ) by /bin/chmod[dhcpcd-run-hook:7300] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7294] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.206437] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:7301] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7294] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n dhcpcd[3564]: br0: deleting address fe80::30b7:84a9:5f50:6486
Mar  6 13:51:05 g0n dhcpcd[3564]: br0: deleting default route via 192.168.1.1
Mar  6 13:51:05 g0n dhcpcd[3564]: br0: deleting route to 192.168.1.0/24
Mar  6 13:51:05 g0n kernel: [18849.225510] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:7303] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.235478] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.br0.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:7305] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7303] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.238437] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.dhcp ) by /bin/rm[dhcpcd-run-hook:7306] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7303] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n kernel: [18849.241441] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.dhcp ) by /bin/rm[dhcpcd-run-hook:7307] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7303] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:05 g0n dhcpcd[3564]: virbr0: probing for an IPv4LL address
Mar  6 13:51:05 g0n dhcpcd[3564]: vnet0: using IPv4LL address 169.254.212.237
Mar  6 13:51:05 g0n dhcpcd[3564]: vnet0: adding route to 169.254.0.0/16
Mar  6 13:51:05 g0n dhcpcd[3564]: vnet0: adding default route

And this is me issuing uncenz-kill from the terminal in top right.
Mar  6 13:51:07 g0n kernel: [18850.976484] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-kill (uncenz-kill ) by /usr/local/bin/uncenz-kill[bash:7317] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4966] uid/euid:1000/1000 gid/egid:1000/1000

If you look up the script uncenz (on github, link given previously), you'll find that it greps such as below: "(egrep [d]umpcap )"; it should be "grep -E" instead, I will change that some day...
Mar  6 13:51:07 g0n kernel: [18851.617926] grsec: (miro:U:/usr/bin/sudo) exec of /usr/bin/sudo (sudo -s ps aux ) by /usr/bin/sudo[uncenz-kill:7337] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:7336] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:07 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  6 13:51:07 g0n kernel: [18851.621711] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/bash -c ps aux ) by /bin/bash[sudo:7337] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:7336] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:07 g0n kernel: [18851.624284] grsec: (root:U:/bin/ps) exec of /bin/ps (ps aux ) by /bin/ps[bash:7337] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:7336] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:07 g0n kernel: [18851.646470] grsec: (miro:U:/) exec of /bin/egrep (egrep [d]umpcap ) by /bin/egrep[uncenz-kill:7343] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:7341] uid/euid:1000/1000 gid/egid:1000/1000

Have a look, these don't have any joyous stupid influence on the connection, all is down already!
Mar  6 13:51:08 g0n kernel: [18852.072346] grsec: (miro:U:/usr/bin/sudo) exec of /usr/bin/sudo (sudo -s kill 7049 7051 ) by /usr/bin/sudo[uncenz-kill:7345] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:7317] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:08 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 7049 7051
Mar  6 13:51:08 g0n kernel: [18852.076369] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/bash -c kill 7049 7051 ) by /bin/bash[sudo:7345] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:7317] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:09 g0n dhcpcd[3564]: vnet0: no IPv6 Routers available
Mar  6 13:51:10 g0n dhcpcd[3564]: virbr0: using IPv4LL address 169.254.64.126
Mar  6 13:51:10 g0n dhcpcd[3564]: virbr0: adding route to 169.254.0.0/16
Mar  6 13:51:10 g0n dhcpcd[3564]: vnet0: deleting default route
Mar  6 13:51:10 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  6 13:51:10 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  6 13:51:10 g0n kernel: [18854.021124] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:10 g0n kernel: [18854.021246] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:10 g0n kernel: [18854.024479] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:7346] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  6 13:51:10 g0n kernel: [18854.034472] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /usr/bin/cmp[dhcpcd-run-hook:7348] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:7346] uid/euid:0/0 gid/egid:0/0

And this is where I started to prepare for posting. That, "/Cmn/mr/Grsec_170306_virt.txt", is the file where I'll put this worked excerpt from syslog in, among other pieces of text...
Mar  6 13:51:53 g0n kernel: [18897.190704] grsec: (miro:U:/bin/cat) exec of /bin/cat (cat /Cmn/mr/Grsec_170306_virt.txt ) by /bin/cat[bash:7356] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:54:31 g0n kernel: [19055.275846] grsec: (root:U:/) exec of /bin/cat (cat /var/log/messages ) by /bin/cat[bash:7366] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4709] uid/euid:0/0 gid/egid:0/0


So what's missing? I won't tell you yet...

I'll just post a successful boot.

And only a minor (I hope) tweak still shows as missing for the guest to get a connection.

It'll be on the link that I already promised in the previous post, the qemu-devuan-12.php page.

Looks like I'm finally getting there... Bear with me a little, pls.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
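As an added example (my own code, not timbgo's uncenz scripts and nothing shipped with grsecurity), here is a small Python triage of the grsec: (role:type:subject) audit lines quoted in the post above. It answers the homework the post leaves open by listing binaries that were denied something while still under a role's catch-all subject "/", and separately the processes that fell into the default role. Function names are mine; the sample lines are trimmed copies of lines from this post.

```python
"""Triage of grsecurity RBAC audit lines ("grsec: (role:type:subject) ...")
as they show up in syslog while a policy is being learned.  Two questions a
policy author asks are answered here:
  * which binaries were denied something while running under a role's
    catch-all subject "/" (they need a subject of their own, usually with
    the 'l' learning flag; that is what virt-viewer lacked in this thread);
  * which processes were audited under the default role (type D), i.e. no
    user or group role matched their uid/gid, so no role-specific subject
    can reach them.
Function names are this example's own.
"""
import re
from collections import defaultdict

# Common shape of every grsec RBAC audit line:
#   grsec: (ROLE:TYPE:SUBJECT) EVENT by|for BINARY[comm:pid] uid/euid:U/E gid/egid:G/E ...
# TYPE is U (user role), G (group role), S (special role) or D (default role).
GRSEC_RE = re.compile(
    r"grsec: \((?P<role>[^:()]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<event>.+?) (?:by|for) (?P<binary>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
)


def parse_grsec_line(line):
    """Return a dict for a grsec RBAC audit line, or None for any other line."""
    m = GRSEC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    ev = rec["event"]
    # "denied X" (object/socket denials) and "use of CAP_X denied" (capabilities)
    rec["denied"] = ev.startswith("denied ") or ev.endswith(" denied")
    return rec


def missing_subjects(lines):
    """Map (role, binary) -> denied events for processes that were running
    under the role's catch-all subject "/" in a real (non-default) role.
    Each such binary is a candidate for its own learning subject."""
    found = defaultdict(list)
    for line in lines:
        rec = parse_grsec_line(line)
        if rec and rec["denied"] and rec["subject"] == "/" and rec["rtype"] != "D":
            found[(rec["role"], rec["binary"])].append(rec["event"])
    return dict(found)


def unmatched_roles(lines):
    """Processes audited in the default role (type D): no user or group role
    matched their uid/gid, so a subject added under some named role cannot
    apply to them.  Returns sorted (binary, uid, gid) tuples."""
    seen = set()
    for line in lines:
        rec = parse_grsec_line(line)
        if rec and rec["rtype"] == "D":
            seen.add((rec["binary"], rec["uid"], rec["gid"]))
    return sorted(seen)


def subject_summary(lines):
    """Count audited events per (role, subject), to see which dedicated
    subjects actually took effect (e.g. miro:/usr/bin/virt-install)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_grsec_line(line)
        if rec:
            counts[(rec["role"], rec["subject"])] += 1
    return dict(counts)


# Constructed sample: lines taken from the syslog excerpt in this post (long
# command lines trimmed), plus one dhcpcd line that must be ignored.
SAMPLE_LOG = """\
Mar  6 13:50:49 g0n kernel: [18833.414497] grsec: (miro:U:/usr/bin/virt-install) exec of /usr/bin/virt-install (virt-install --connect qemu:///system --name gentoo22 ) by /usr/bin/virt-install[GentooVM22.sh:7143] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:55 g0n dhcpcd[3564]: vnet0: carrier acquired
Mar  6 13:50:55 g0n kernel: [18839.671863] grsec: (root:U:/usr/sbin/libvirtd) chdir to / by /usr/sbin/libvirtd[libvirtd:7194] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:4156] uid/euid:0/0 gid/egid:0/0
Mar  6 13:50:56 g0n kernel: [18840.470353] grsec: (miro:U:/) denied socket(inet6,dgram,0) by /usr/bin/virt-viewer[virt-viewer:7218] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:50:56 g0n kernel: [18840.471858] grsec: (miro:U:/) denied connect() to the unix domain socket /run/libvirt/libvirt-sock-ro by /usr/bin/virt-viewer[virt-viewer:7218] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:7143] uid/euid:1000/1000 gid/egid:1000/1000
Mar  6 13:51:10 g0n kernel: [18854.021124] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
""".splitlines()

if __name__ == "__main__":
    for (role, binary), events in sorted(missing_subjects(SAMPLE_LOG).items()):
        print(f"role {role}: {binary} needs its own subject; denied: {events}")
    for binary, uid, gid in unmatched_roles(SAMPLE_LOG):
        print(f"no role matched {binary} (uid {uid}, gid {gid}); it ran in the default role")
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's lines; the first list is the "what's missing" answer (virt-viewer under role miro), the second is why a dnsmasq subject under role root or miro cannot help dnsmasq.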

Re: Libvirt virtualization policies

Postby timbgo » Mon Mar 06, 2017 2:46 pm

It's all posted, for checking out, for confirmation of what I wrote in the two previous posts, and also the change I will post next, sooner or later [2], that brought me to a finally (finally!) running VM in libvirt under grsecurity:
Gentoo, a friend of Devuan's, run in libvirt (12) (I still have to fix that title :-( ...some time)
https://www.croatiafidelis.hr/foss/cap/ ... uan-12.php
Just a little (I hope) is missing, sooner or later, to get this job finally done.
---
[2] I am allowing for the reader to figure it out on their own, in the meantime (I always bear in mind that newbies will be reading this, what can you do? :P )
timbgo

Re: Libvirt virtualization policies

Postby timbgo » Mon Mar 06, 2017 7:58 pm

I first used the line below to make, out of the old policies that I listed (the consecutive diffs among them), modified policies: from those originally applied into other ones which in reality I haven't used, but should have used, right after spender suggested adding the "O" to the libvirt binaries' subjects in learning...

It's not that I understand thoroughly what I'm doing, I'm not a programmer, but I guess that, generally, to have a subject use writeable libraries doesn't sound appealing... But, hey, my policies for Libvirt only started finally working under grsecurity's RBAC enabled *after* I added the "O" (there was one subject to add for learning, the virt-viewer; it will be seen in the diffs later). Well, they started almost completely working, there's just the network connection to solve.


So, I first used this line to get the policies as if I had added the "O" before:

for i in grsec_170303_g0n_00 grsec_170304_g0n_0? grsec_170305_g0n_0?; do
    sed -e 's/virt-install ol/virt-install oOl/' \
        -e 's/virt-viewer ol/virt-viewer oOl/' \
        -e 's/libvirt-guests.sh ol/libvirt-guests.sh oOl/' \
        -e 's/libvirt_iohelper ol/libvirt_iohelper oOl/' \
        -e 's/libvirt_leaseshelper ol/libvirt_leaseshelper oOl/' \
        -e 's/libvirtd ol/libvirtd oOl/' \
        -e 's/virtlockd ol/virtlockd oOl/' \
        -e 's/virtlogd ol/virtlogd oOl/' \
        "$i" > "${i}_oOl"
done


Just to say why. Because the latest policy, the one that contains learning for the subject that I left newbies to figure out from the logs (which one it was that was missing), that latest policy, if grep'd this way, shows this output:

# grep oOl grsec_170306_g0n_01 | sort -u
subject /usr/bin/virt-install oOl           
subject /usr/bin/virt-viewer oOl
subject /usr/libexec/libvirt-guests.sh oOl
subject /usr/libexec/libvirt_iohelper oOl
subject /usr/libexec/libvirt_leaseshelper oOl
subject /usr/sbin/libvirtd oOl
subject /usr/sbin/virtlockd oOl
subject /usr/sbin/virtlogd oOl
#


But before I go on to possibly the final touches to Libvirt virtualization policies, let me give the solution for the homework assignment that I gave for the newbies, two posts ago:

diff -u grsec_170306_g0n_00 grsec_170306_g0n_01
--- grsec_170306_g0n_00   2017-03-06 13:47:45.659353920 +0100
+++ grsec_170306_g0n_01   2017-03-06 14:29:56.520265937 +0100
@@ -3250,6 +3250,15 @@
    connect   disabled
 
 # Role: root
+subject /usr/bin/virt-viewer oOl
+user_transition_allow root qemu
+group_transition_allow root kvm libvirt qemu
+   /            h
+   -CAP_ALL
+   bind   disabled
+   connect   disabled
+
+# Role: root
 subject /usr/bin/wget o
    /            h
    /dev            h
@@ -7772,6 +7781,15 @@
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
    /            h
+   -CAP_ALL
+   bind   disabled
+   connect   disabled
+
+# Role: miro
+subject /usr/bin/virt-viewer oOl
+user_transition_allow root qemu
+group_transition_allow root kvm libvirt qemu
+   /            h
    -CAP_ALL
    bind   disabled
    connect   disabled
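Review bot: `bind disabled` and `connect disabled` are fine as learning placeholders, but the denials that motivated this subject, in the previous post's log, were socket operations under role miro's catch-all subject (socket(inet6,dgram,0) refused, and connect() to the unix domain socket /run/libvirt/libvirt-sock-ro refused), so before the l flag is removed check the learned output for an object rule on /run/libvirt/libvirt-sock-ro (learned policies normally grant it rw) and a `sock_allow_family` line covering inet6; without them the new subject reproduces the very denial it was created to remove. The `user_transition_allow root qemu` line is copied from virt-install; virt-viewer runs as the user and talks to libvirtd over that socket, so a transition to root should not be needed here.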
#


And now, with the line that I ran to get the " oOl" set for these subjects:
/usr/bin/virt-install oOl
/usr/bin/virt-viewer oOl
/usr/libexec/libvirt-guests.sh oOl
/usr/libexec/libvirt_iohelper oOl
/usr/libexec/libvirt_leaseshelper oOl
/usr/sbin/libvirtd oOl
/usr/sbin/virtlockd oOl
/usr/sbin/virtlogd oOl

before I make more changes, I got these modified-from-previously-applied policies:

# ls -l grsec_17030?_g0n_0?_oOl
-rw-r--r-- 1 root root 169471 2017-03-06 22:22 grsec_170303_g0n_00_oOl
-rw-r--r-- 1 root root 169676 2017-03-06 22:22 grsec_170304_g0n_00_oOl
-rw-r--r-- 1 root root 169699 2017-03-06 22:22 grsec_170304_g0n_01_oOl
-rw-r--r-- 1 root root 169721 2017-03-06 22:22 grsec_170304_g0n_02_oOl
-rw-r--r-- 1 root root 170094 2017-03-06 22:22 grsec_170304_g0n_03_oOl
-rw-r--r-- 1 root root 170156 2017-03-06 22:22 grsec_170304_g0n_04_oOl
-rw-r--r-- 1 root root 170245 2017-03-06 22:22 grsec_170304_g0n_05_oOl
-rw-r--r-- 1 root root 170319 2017-03-06 22:22 grsec_170304_g0n_06_oOl
-rw-r--r-- 1 root root 170409 2017-03-06 22:22 grsec_170304_g0n_07_oOl
-rw-r--r-- 1 root root 170425 2017-03-06 22:22 grsec_170305_g0n_00_oOl
-rw-r--r-- 1 root root 170441 2017-03-06 22:22 grsec_170305_g0n_01_oOl
-rw-r--r-- 1 root root 170494 2017-03-06 22:22 grsec_170305_g0n_02_oOl
-rw-r--r-- 1 root root 170579 2017-03-06 22:22 grsec_170305_g0n_03_oOl
#



I'll try and add the complete change of that succession, i.e., I'll try and, first, see the diff between grsec_170305_g0n_03_oOl and grsec_170306_g0n_01, and make (I'll do it with vimdiff) grsec_170307_g0n_00 out of them:

# diffing_script.sh
'/Cmn/m/B/Virt_170305/grsec_list_CMD.txt' -> '/Cmn/m/B/Virt_170305/grsec_list_CMD.txt_170307_000450'

give the files to diff
grsec_170305_g0n_03_oOl grsec_170306_g0n_01
$textfiles_to_diff: grsec_170305_g0n_03_oOl grsec_170306_g0n_01
...


etc. got me:

diff -u5 ./grsec_170305_g0n_03_oOl ./grsec_170306_g0n_01

--- ./grsec_170305_g0n_03_oOl   2017-03-06 22:22:56.924279318 +0100
+++ ./grsec_170306_g0n_01   2017-03-06 14:29:56.520265937 +0100
@@ -628,12 +628,12 @@
 role root uG
 role_transitions admin shutdown
 role_allow_ip   192.168.2.0/24
 role_allow_ip   192.168.3.0/24
 role_allow_ip   0.0.0.0/32
-user_transition_allow apache miro tcpdump qemu dnsmasq
-group_transition_allow apache miro tcpdump kvm libvirt qemu dnsmasq
+user_transition_allow apache miro tcpdump qemu
+group_transition_allow apache miro tcpdump kvm libvirt qemu
 # Role: root
 subject /
    /               h
    /Cmn            r
    /Cmn/Kaff         rwxcd
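Review bot: mind the direction of this diff before copying hunks into grsec_170307_g0n_00 with vimdiff: the left side is ./grsec_170305_g0n_03_oOl, so every `-` line here (dnsmasq in the role root transition lists, and likewise the dnsmasq role, subject and capabilities in the later hunks) is a grant that exists in the rewritten oOl series and is absent from the applied grsec_170306_g0n_01, not a removal to carry forward; the next diff in this post re-adds exactly these lines, which is consistent with that reading.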
@@ -1895,12 +1895,10 @@
    bind   disabled
    connect   disabled
 
 # Role: root
 subject /sbin/init o
-user_transition_allow root nobody dnsmasq
-group_transition_allow root nobody dnsmasq
    /            h
    /bin
    /bin/login         x
    /dev            h
    /dev/console         rw
@@ -1912,18 +1910,14 @@
    /sbin/agetty         x
    /usr
    /usr/bin
    /usr/bin/gpg-agent      rx
    /usr/sbin/conntrackd   r
-   /usr/sbin/dnsmasq      x
    /var            h
    /var/log/wtmp         w
    /var/lib/dhcpcd         w
    -CAP_ALL
-   +CAP_NET_BIND_SERVICE
-   +CAP_NET_ADMIN
-   +CAP_NET_RAW
    +CAP_MKNOD
    bind   disabled
    connect   disabled
 
 # Role: root
@@ -3753,22 +3747,10 @@
    bind   disabled
    connect   disabled
    sock_allow_family unix inet
 
 # Role: root
-subject /usr/sbin/dnsmasq ol
-user_transition_allow root nobody dnsmasq
-group_transition_allow root nobody dnsmasq
-   /            h
-   -CAP_ALL
-   +CAP_NET_ADMIN
-   +CAP_NET_BIND_SERVICE
-   +CAP_NET_RAW
-   bind   disabled
-   connect   disabled
-
-# Role: root
 subject /usr/sbin/gpm o
    /            h
    /dev/input/mice         rw
    /dev            h
    /dev/tty*         rw
@@ -4620,14 +4602,10 @@
 
 role libvirt gl
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
 
-role dnsmasq gl
-user_transition_allow root nobody dnsmasq
-group_transition_allow root nobody dnsmasq
-
 role mysql u
 #role_allow_ip   0.0.0.0/32
 user_transition_allow root
 group_transition_allow root
 # Role: mysql
@@ -4769,12 +4747,12 @@
    +CAP_DAC_OVERRIDE
    bind 0.0.0.0/32:0 dgram ip
    connect 127.0.0.1/32:53 dgram udp
 
 role miro u
-user_transition_allow qemu dnsmasq
-group_transition_allow kvm libvirt qemu dnsmasq
+user_transition_allow qemu
+group_transition_allow kvm libvirt qemu
 role_allow_ip   0.0.0.0/32
 # Role: miro
 subject /
    /               h
    /Cmn            r
@@ -7805,11 +7783,11 @@
    /            h
    -CAP_ALL
    bind   disabled
    connect   disabled
 
-# Role: root
+# Role: miro
 subject /usr/bin/virt-viewer oOl
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
    /            h
    -CAP_ALL
@@ -8758,22 +8736,10 @@
    bind   disabled
    connect   disabled
    sock_allow_family unix inet
 
 # Role: miro
-subject /usr/sbin/dnsmasq ol
-user_transition_allow root nobody dnsmasq
-group_transition_allow root nobody dnsmasq
-   /            h
-   -CAP_ALL
-   +CAP_NET_ADMIN
-   +CAP_NET_BIND_SERVICE
-   +CAP_NET_RAW
-   bind   disabled
-   connect   disabled
-
-# Role: miro
 subject /usr/sbin/libvirtd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
    /            h
    -CAP_ALL


And this is the change from the last applied policy:

# diff -u  grsec_170306_g0n_01    grsec_170307_g0n_00
--- grsec_170306_g0n_01   2017-03-06 14:29:56.520265937 +0100
+++ grsec_170307_g0n_00   2017-03-07 00:10:26.970055088 +0100
@@ -630,8 +630,8 @@
 role_allow_ip   192.168.2.0/24
 role_allow_ip   192.168.3.0/24
 role_allow_ip   0.0.0.0/32
-user_transition_allow apache miro tcpdump qemu
-group_transition_allow apache miro tcpdump kvm libvirt qemu
+user_transition_allow apache miro tcpdump qemu dnsmasq
+group_transition_allow apache miro tcpdump kvm libvirt qemu dnsmasq
 # Role: root
 subject /
    /               h
@@ -1897,6 +1897,8 @@
 
 # Role: root
 subject /sbin/init o
+user_transition_allow root nobody dnsmasq
+group_transition_allow root nobody dnsmasq
    /            h
    /bin
    /bin/login         x
@@ -1912,10 +1914,14 @@
    /usr/bin
    /usr/bin/gpg-agent      rx
    /usr/sbin/conntrackd   r
+   /usr/sbin/dnsmasq      x
    /var            h
    /var/log/wtmp         w
    /var/lib/dhcpcd         w
    -CAP_ALL
+   +CAP_NET_BIND_SERVICE
+   +CAP_NET_ADMIN
+   +CAP_NET_RAW
    +CAP_MKNOD
    bind   disabled
    connect   disabled
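Review bot: granting +CAP_NET_BIND_SERVICE, +CAP_NET_ADMIN and +CAP_NET_RAW to the /sbin/init subject (on top of +CAP_MKNOD) widens init's own capability set for the benefit of a child it execs; the same patch adds a dedicated /usr/sbin/dnsmasq subject carrying exactly these three capabilities, and the Mar 6 log shows the denial raised against /usr/sbin/dnsmasq itself (uid/euid 65534/65534, parent /sbin/init[init:1]), not against init. Keep the capabilities on the dnsmasq subject and revert the init additions once the learning log shows init never used them; `/usr/sbin/dnsmasq x` is the only line init needs here.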
@@ -3749,6 +3755,18 @@
    sock_allow_family unix inet
 
 # Role: root
+subject /usr/sbin/dnsmasq ol
+user_transition_allow root nobody dnsmasq
+group_transition_allow root nobody dnsmasq
+   /            h
+   -CAP_ALL
+   +CAP_NET_ADMIN
+   +CAP_NET_BIND_SERVICE
+   +CAP_NET_RAW
+   bind   disabled
+   connect   disabled
+
+# Role: root
 subject /usr/sbin/gpm o
    /            h
    /dev/input/mice         rw
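Review bot: `bind disabled` together with +CAP_NET_BIND_SERVICE is contradictory for a DNS/DHCP server in enforcing mode: the Mar 6 failure was literally "failed to create listening socket for 169.254.64.126", and a subject that forbids bind() cannot listen on 53 or 67 whatever capabilities it holds. With l set the learning run should emit the needed `bind` lines and a `sock_allow_family` entry; check that they are present before dropping the flag. `user_transition_allow root nobody dnsmasq` does match dnsmasq dropping to uid 65534 as seen in the log.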
@@ -4604,6 +4622,10 @@
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
 
+role dnsmasq gl
+user_transition_allow root nobody dnsmasq
+group_transition_allow root nobody dnsmasq
+
 role mysql u
 #role_allow_ip   0.0.0.0/32
 user_transition_allow root
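Review bot: `role dnsmasq gl` is a group role (g), so it applies only to processes whose gid is the dnsmasq group; the Mar 6 denial shows /usr/sbin/dnsmasq running with uid/euid 65534/65534 gid/egid 65534/65534 and audited as (default:D:/), i.e. in the default role, where none of the subjects added in this patch exist. Either start dnsmasq with the dnsmasq user/group (and give that user a matching role), or put the dnsmasq subject and its capabilities under the role that a gid 65534 process actually lands in; otherwise the CAP_NET_BIND_SERVICE denial will recur unchanged after this policy is loaded.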
@@ -4749,8 +4771,8 @@
    connect 127.0.0.1/32:53 dgram udp
 
 role miro u
-user_transition_allow qemu
-group_transition_allow kvm libvirt qemu
+user_transition_allow qemu dnsmasq
+group_transition_allow kvm libvirt qemu dnsmasq
 role_allow_ip   0.0.0.0/32
 # Role: miro
 subject /
@@ -8738,6 +8760,18 @@
    sock_allow_family unix inet
 
 # Role: miro
+subject /usr/sbin/dnsmasq ol
+user_transition_allow root nobody dnsmasq
+group_transition_allow root nobody dnsmasq
+   /            h
+   -CAP_ALL
+   +CAP_NET_ADMIN
+   +CAP_NET_BIND_SERVICE
+   +CAP_NET_RAW
+   bind   disabled
+   connect   disabled
+
+# Role: miro
 subject /usr/sbin/libvirtd oOl
 user_transition_allow qemu
 group_transition_allow kvm libvirt qemu
#


As usual now:

# cp -iav grsec_170307_g0n_00 /etc/grsec/policy
cp: overwrite '/etc/grsec/policy'? y
'grsec_170307_g0n_00' -> '/etc/grsec/policy'
# gradm -D
Password:
# gradm -L /etc/grsec/learning.logs -E
Warning: write access is allowed to your subject for /home/miro/jpm/bin/jpm in role miro.  Please ensure that the subject is running with less privilege than the default subject.
#


I really should have abandoned the unsuccessful install of that javascript program installed in /home/miro, but it's only a nuisance, not real harm...


# gradm -a admin
Password:
# grep RBAC /proc/$$/status
RBAC:   admin:S:/
#


And, let's try if we get any connection in the host under grsecurity...

# virsh
Welcome to virsh, the virtualisation interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # shutdown gentoo22
error: failed to get domain 'gentoo22'
error: Domain not found: no domain with matching name 'gentoo22'

virsh # destroy gentoo22
error: failed to get domain 'gentoo22'
error: Domain not found: no domain with matching name 'gentoo22'

virsh # undefine gentoo22 --remove-all-storage --managed-save --snapshots-metadata
error: failed to get domain 'gentoo22'
error: Domain not found: no domain with matching name 'gentoo22'

virsh #


meaning we can run yesterday's script.

It got the GUI up and running, booted Gentoo, but didn't get the connection. Very similar to what was already seen. Today's changes didn't help in the least...

The syslog:

messages_170307_002046_g0n.2

Code:
Mar  7 00:18:27 g0n kernel: [56491.359436] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-1st (uncenz-1st ) by /usr/local/bin/uncenz-1st[bash:23368] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4966] uid/euid:1000/1000 gid/egid:1000/1000

...
Code:
Mar  7 00:18:41 g0n dhcpcd[3564]: eth1: carrier acquired
Mar  7 00:18:41 g0n kernel: [56505.837087] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23442] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:41 g0n dhcpcd[3564]: eth1: IAID 2e:fd:24:9c
Mar  7 00:18:41 g0n dhcpcd[3564]: eth1: IAID conflicts with one assigned to br0
Mar  7 00:18:41 g0n dhcpcd[3564]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar  7 00:18:41 g0n dhcpcd[3564]: br0: carrier acquired
Mar  7 00:18:41 g0n kernel: [56505.849293] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23444] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:41 g0n dhcpcd[3564]: br0: IAID 2e:fd:24:9c
Mar  7 00:18:41 g0n dhcpcd[3564]: br0: IAID conflicts with one assigned to eth1
Mar  7 00:18:41 g0n dhcpcd[3564]: eth1: deleting address fe80::30b7:84a9:5f50:6486
Mar  7 00:18:41 g0n dhcpcd[3564]: br0: adding address fe80::30b7:84a9:5f50:6486
Mar  7 00:18:42 g0n dhcpcd[3564]: eth1: soliciting a DHCP lease
Mar  7 00:18:42 g0n dhcpcd[3564]: eth1: soliciting an IPv6 router
Mar  7 00:18:42 g0n dhcpcd[3564]: br0: soliciting an IPv6 router
Mar  7 00:18:42 g0n dhcpcd[3564]: br0: rebinding lease of 192.168.1.4
Mar  7 00:18:43 g0n dhcpcd[3564]: br0: Router Advertisement from fe80::1
Mar  7 00:18:43 g0n dhcpcd[3564]: br0: adding default route via fe80::1
Mar  7 00:18:43 g0n kernel: [56507.336929] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23445] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.355762] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23447] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.357739] grsec: (root:U:/) exec of /bin/sed (sed -n s/^domain //p br0.ra ) by /bin/sed[dhcpcd-run-hook:23448] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23447] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.361519] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23449] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.363544] grsec: (root:U:/) exec of /bin/sed (sed -n s/^search //p br0.ra ) by /bin/sed[dhcpcd-run-hook:23450] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23449] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.371270] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23451] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.372096] grsec: (root:U:/) exec of /bin/sed (sed -n s/^nameserver //p br0.ra ) by /bin/sed[dhcpcd-run-hook:23452] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23451] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.377878] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.br0.ra ) by /usr/bin/cmp[dhcpcd-run-hook:23454] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.380608] grsec: (root:U:/) exec of /bin/cat (cat /run/dhcpcd/resolv.conf.br0.ra ) by /bin/cat[dhcpcd-run-hook:23455] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 00:18:43 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 00:18:43 g0n kernel: [56507.382629] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:23456] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.384594] grsec: (root:U:/bin/chmod) exec of /bin/chmod (chmod 644 /etc/resolv.conf ) by /bin/chmod[dhcpcd-run-hook:23457] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.388479] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ra ) by /bin/rm[dhcpcd-run-hook:23458] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23445] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n kernel: [56507.394629] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23460] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23459] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:43 g0n dhcpcd[3564]: br0: requesting DHCPv6 information

...
Code:
Mar  7 00:18:47 g0n dhcpcd[3564]: br0: soliciting a DHCP lease
Mar  7 00:18:48 g0n dhcpcd[3564]: br0: offered 192.168.1.4 from 192.168.1.1
Mar  7 00:18:48 g0n dhcpcd[3564]: br0: probing address 192.168.1.4/24
Mar  7 00:18:52 g0n dhcpcd[3564]: br0: using IPv4LL address 169.254.217.174
Mar  7 00:18:52 g0n dhcpcd[3564]: br0: adding route to 169.254.0.0/16
Mar  7 00:18:52 g0n dhcpcd[3564]: br0: adding default route

...
Code:
Mar  7 00:18:52 g0n kernel: [56516.318139] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23504] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23494] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:52 g0n kernel: [56516.320342] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23505] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23494] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:52 g0n kernel: [56516.326647] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23507] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23506] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:52 g0n dhcpcd[3564]: eth1: using IPv4LL address 169.254.217.174
Mar  7 00:18:52 g0n dhcpcd[3564]: eth1: adding route to 169.254.0.0/16
Mar  7 00:18:52 g0n dhcpcd[3564]: br0: deleting default route

...
Code:
Mar  7 00:18:53 g0n kernel: [56517.461341] grsec: (miro:U:/) exec of /usr/local/bin/GentooVM22.sh (GentooVM22.sh ) by /usr/local/bin/GentooVM22.sh[bash:23524] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:18:53 g0n dhcpcd[3564]: br0: leased 192.168.1.4 for infinity
Mar  7 00:18:53 g0n dhcpcd[3564]: br0: adding route to 192.168.1.0/24
Mar  7 00:18:53 g0n dhcpcd[3564]: br0: adding default route via 192.168.1.1
Mar  7 00:18:53 g0n kernel: [56517.514616] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23525] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.529989] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23527] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.530662] grsec: (root:U:/) exec of /bin/sed (sed -n s/^domain //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23528] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23527] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.532942] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23529] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.533536] grsec: (root:U:/) exec of /bin/sed (sed -n s/^search //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23530] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23529] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.535854] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23531] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.536496] grsec: (root:U:/) exec of /bin/sed (sed -n s/^nameserver //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23532] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23531] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.540631] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.br0.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:23534] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.542285] grsec: (root:U:/) exec of /bin/cat (cat /run/dhcpcd/resolv.conf.br0.dhcp ) by /bin/cat[dhcpcd-run-hook:23535] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 00:18:53 g0n dnsmasq[4320]: using nameserver 81.2.237.32#53
Mar  7 00:18:53 g0n dnsmasq[4320]: using nameserver 31.14.133.188#53
Mar  7 00:18:53 g0n dnsmasq[4320]: using nameserver 5.9.49.12#53
Mar  7 00:18:53 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 00:18:53 g0n kernel: [56517.544181] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.dhcp ) by /bin/rm[dhcpcd-run-hook:23536] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.545788] grsec: (root:U:/bin/chmod) exec of /bin/chmod (chmod 644 /etc/resolv.conf ) by /bin/chmod[dhcpcd-run-hook:23537] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.547322] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.br0.dhcp ) by /bin/rm[dhcpcd-run-hook:23538] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23525] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n kernel: [56517.551069] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23540] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23539] uid/euid:0/0 gid/egid:0/0
Mar  7 00:18:53 g0n dhcpcd[3564]: br0: deleting route to 169.254.0.0/16

...
Code:
Mar  7 00:18:54 g0n kernel: [56518.246925] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 00:18:55 g0n kernel: [56519.359077] grsec: (miro:U:/) exec of /usr/bin/qemu-img (qemu-img create -f qcow2 gentoo22.img 10G ) by /usr/bin/qemu-img[GentooVM22.sh:23555] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/GentooVM22.sh[GentooVM22.sh:23524] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:18:55 g0n kernel: [56519.493020] grsec: (miro:U:/usr/bin/virt-install) exec of /usr/bin/virt-install (virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gentoo22.img --memory 512 --network n) by /usr/bin/virt-install[GentooVM22.sh:23524] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:18:55 g0n kernel: [56519.522495] grsec: (miro:U:/) exec of /usr/share/virt-manager/virt-install (/usr/share/virt-manager/virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gentoo22.img ) by /usr/share/virt-manager/virt-install[virt-install:23524] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:18:55 g0n kernel: [56519.534298] grsec: (miro:U:/usr/bin/python2.7) exec of /usr/bin/python2.7 (python2.7 /usr/share/virt-manager/virt-install --connect qemu:///system --machine q35 --virt-type kvm --name gentoo22 --disk gen) by /usr/bin/python2.7[virt-install:23524] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4866] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:18:56 g0n kernel: [56520.700189] grsec: (miro:U:/sbin/ldconfig) exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[python2.7:23557] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:23524] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:19:00 g0n kernel: [56524.380074] grsec: (miro:U:/usr/bin/virt-viewer) exec of /usr/bin/virt-viewer (virt-viewer --version ) by /usr/bin/virt-viewer[python2.7:23565] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:23524] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:19:01 g0n kernel: [56525.040522] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-16-family-nl80211 ) by /bin/kmod[kworker/u8:1:23587] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:1:23206] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.043763] virbr0: port 2(vnet0) entered blocking state
Mar  7 00:19:01 g0n kernel: [56525.043773] virbr0: port 2(vnet0) entered disabled state
Mar  7 00:19:01 g0n kernel: [56525.044100] device vnet0 entered promiscuous mode
Mar  7 00:19:01 g0n kernel: [56525.048651] virbr0: port 2(vnet0) entered blocking state
Mar  7 00:19:01 g0n kernel: [56525.048655] virbr0: port 2(vnet0) entered listening state
Mar  7 00:19:01 g0n kernel: [56525.088265] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh vnet0 start ) by /lib64/udev/net.sh[udevd:23589] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:23588] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.101113] grsec: (root:U:/usr/sbin/libvirtd) chdir to / by /usr/sbin/libvirtd[libvirtd:23591] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:4155] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.112202] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23593] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.120012] grsec: (qemu:U:/) exec of /usr/bin/qemu-system-x86_64 (/usr/bin/qemu-system-x86_64 -name guest=gentoo22,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvi) by /usr/bin/qemu-system-x86_64[libvirtd:23592] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.125590] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23594] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: IAID 00:cf:cb:26
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: adding address fe80::10c9:b826:4d57:391f
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: carrier lost
Mar  7 00:19:01 g0n kernel: [56525.134254] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23595] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.142201] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23597] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.142915] grsec: (root:U:/) exec of /bin/sed (sed -n s/^domain //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23598] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23597] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.145915] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23599] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.146813] grsec: (root:U:/) exec of /bin/sed (sed -n s/^search //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23600] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23599] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.149460] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23601] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.150508] grsec: (root:U:/) exec of /bin/sed (sed -n s/^nameserver //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23602] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23601] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.158080] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:23604] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.160607] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23605] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.162893] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23606] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23595] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: deleting address fe80::10c9:b826:4d57:391f
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: carrier acquired
Mar  7 00:19:01 g0n kernel: [56525.171992] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23608] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: IAID 00:cf:cb:26
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: adding address fe80::10c9:b826:4d57:391f
Mar  7 00:19:01 g0n dhcpcd[3564]: vnet0: soliciting a DHCP lease
Mar  7 00:19:01 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  7 00:19:01 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  7 00:19:01 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  7 00:19:01 g0n kernel: [56525.758176] grsec: (miro:U:/usr/bin/virt-viewer) exec of /usr/bin/virt-viewer (virt-viewer --connect qemu:///system --wait gentoo22 ) by /usr/bin/virt-viewer[python2.7:23631] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:23524] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:19:01 g0n kernel: [56525.775638] grsec: (root:U:/usr/sbin/crond) chdir to /root by /usr/sbin/crond[crond:23632] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3884] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.775758] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/sh -c rm -f /var/spool/cron/lastrun/cron.hourly ) by /bin/bash[crond:23632] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3884] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:01 g0n kernel: [56525.782103] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /var/spool/cron/lastrun/cron.hourly ) by /bin/rm[sh:23632] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/crond[crond:3884] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:02 g0n dhcpcd[3564]: vnet0: soliciting an IPv6 router
Mar  7 00:19:02 g0n kernel: [56525.920311] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/bash[X:23633] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:19:02 g0n kernel: [56525.929952] grsec: (miro:U:/) exec of /usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap compiler (xkbcomp) reports: -emp >  -eml Errors from) by /usr/bin/xkbcomp[sh:23633] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:19:02 g0n kernel: [56525.932173] grsec: (miro:U:/) chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:23633] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:19:03 g0n kernel: [56527.103583] virbr0: port 2(vnet0) entered learning state
Mar  7 00:19:05 g0n kernel: [56529.043585] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 00:19:05 g0n kernel: [56529.151562] virbr0: port 2(vnet0) entered forwarding state
Mar  7 00:19:05 g0n kernel: [56529.151599] virbr0: topology change detected, propagating
Mar  7 00:19:05 g0n dhcpcd[3564]: virbr0: carrier acquired
Mar  7 00:19:05 g0n kernel: [56529.156341] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23636] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:05 g0n dhcpcd[3564]: virbr0: IAID 00:ea:ee:e9
Mar  7 00:19:05 g0n dhcpcd[3564]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar  7 00:19:05 g0n dhcpcd[3564]: virbr0: soliciting a DHCP lease
Mar  7 00:19:06 g0n dhcpcd[3564]: virbr0: soliciting an IPv6 router
Mar  7 00:19:06 g0n kernel: [56530.013227] kvm [23592]: vcpu0, guest rIP: 0xffffffff8103a831 unhandled rdmsr: 0xc0010048
Mar  7 00:19:06 g0n kernel: [56530.195123] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 00:19:06 g0n dhcpcd[3564]: vnet0: probing for an IPv4LL address
Mar  7 00:19:10 g0n dhcpcd[3564]: virbr0: probing for an IPv4LL address
Mar  7 00:19:10 g0n kernel: [56534.554491] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 00:19:12 g0n dhcpcd[3564]: vnet0: using IPv4LL address 169.254.136.186
Mar  7 00:19:12 g0n dhcpcd[3564]: vnet0: adding route to 169.254.0.0/16
Mar  7 00:19:12 g0n kernel: [56535.979127] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23637] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56535.994856] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23639] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56535.996961] grsec: (root:U:/) exec of /bin/sed (sed -n s/^domain //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23640] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23639] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.000312] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23641] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.001248] grsec: (root:U:/) exec of /bin/sed (sed -n s/^search //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23642] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23641] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.007089] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23643] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.008561] grsec: (root:U:/) exec of /bin/sed (sed -n s/^nameserver //p br0.dhcp br0.dhcp6 br0.ra ) by /bin/sed[dhcpcd-run-hook:23644] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23643] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.015267] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /usr/bin/cmp[dhcpcd-run-hook:23646] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.017002] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23647] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.018788] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23648] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23637] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:12 g0n kernel: [56536.022617] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23650] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23649] uid/euid:0/0 gid/egid:0/0


Here are the errors:

Code:
Mar  7 00:19:14 g0n dhcpcd[3564]: vnet0: no IPv6 Routers available
Mar  7 00:19:15 g0n dhcpcd[3564]: virbr0: using IPv4LL address 169.254.64.126
Mar  7 00:19:15 g0n dhcpcd[3564]: virbr0: adding route to 169.254.0.0/16
Mar  7 00:19:15 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:15 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:15 g0n kernel: [56539.819388] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:15 g0n kernel: [56539.819469] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

...
Code:
Mar  7 00:19:19 g0n kernel: [56543.042870] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=01:00:5e:00:00:01:24:9e:ab:ab:0b:b3:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=36381 PROTO=2
Mar  7 00:19:31 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:cf:cb:26
Mar  7 00:19:31 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.52 52:54:00:cf:cb:26
Mar  7 00:19:31 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 00:19:31 g0n kernel: [56554.930213] grsec: (default:D:/) use of CAP_NET_RAW denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:31 g0n kernel: [56554.930348] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:34 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:cf:cb:26
Mar  7 00:19:34 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.52 52:54:00:cf:cb:26
Mar  7 00:19:34 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 00:19:34 g0n kernel: [56558.558858] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:41 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:cf:cb:26
Mar  7 00:19:41 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.52 52:54:00:cf:cb:26
Mar  7 00:19:41 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 00:19:41 g0n kernel: [56565.835969] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:42 g0n kernel: [56566.536666] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:fd:24:9c:2c:95:7f:14:4e:c6:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 00:19:58 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:cf:cb:26
Mar  7 00:19:58 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.52 52:54:00:cf:cb:26
Mar  7 00:19:58 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 00:19:58 g0n kernel: [56582.345743] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n dhcpcd[3564]: vnet0: carrier lost
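
What the denial lines in the two blocks above actually say, as an added example (my code, not the poster's): a small Python script that parses grsec capability-denial lines, groups them by the role and subject the kernel applied, and checks the dnsmasq subject from the diff at the top of this post against them. The sample log lines are copied from the syslog quoted above; the stanza reader is a deliberately minimal parser of one gradm subject block, not gradm's own parser.

```python
# Added example (not from the thread): aggregate grsec RBAC capability denials and check them against a candidate gradm subject stanza.
import re
from collections import defaultdict

# Constructed sample: the grsec lines are copied from the syslog quoted above.
SAMPLE_LOG = """\
Mar  7 00:19:15 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:15 g0n kernel: [56539.819388] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:31 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 00:19:31 g0n kernel: [56554.930213] grsec: (default:D:/) use of CAP_NET_RAW denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:31 g0n kernel: [56554.930348] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:34 g0n kernel: [56558.558858] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# The dnsmasq subject the diff above adds to role miro (transition lines omitted).
CANDIDATE_STANZA = """\
# Role: miro
subject /usr/sbin/dnsmasq ol
   /            h
   -CAP_ALL
   +CAP_NET_ADMIN
   +CAP_NET_BIND_SERVICE
   +CAP_NET_RAW
   bind   disabled
   connect   disabled
"""

# grsec denial line: (role:type:subject) use of CAP_X denied for /path[comm:pid] uid/euid:a/b gid/egid:c/d, parent /path[comm:pid] ...
CAP_DENIAL = re.compile(
    r"grsec: \((?P<rolespec>[^)]*)\) use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<path>/\S*?)\[(?P<comm>[^\]]*?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>/\S*?)\[(?P<pcomm>[^\]]*?):(?P<ppid>\d+)\]"
)

def parse_denials(lines):
    """One record per capability-denial line; every other syslog line is skipped."""
    records = []
    for line in lines:
        m = CAP_DENIAL.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # "default:D:/" -> role "default", role type D (the default role), subject "/"
        rec["role"], rec["roletype"], rec["subject"] = rec.pop("rolespec").rsplit(":", 2)
        records.append(rec)
    return records

def summarize(records):
    """Group denials by the role/subject the RBAC system actually applied to the binary."""
    groups = defaultdict(lambda: {"caps": set(), "count": 0, "parents": set()})
    for r in records:
        g = groups[(r["role"], r["subject"], r["path"], int(r["euid"]))]
        g["caps"].add(r["cap"])
        g["count"] += 1
        g["parents"].add(r["parent"])
    return dict(groups)

def parse_subject_stanza(text):
    """Minimal reader for one gradm subject block: role, path, granted caps, bind/connect."""
    st = {"role": None, "path": None, "caps": set(), "bind": None, "connect": None}
    for raw in text.splitlines():
        words = raw.split()
        if raw.lstrip().startswith("# Role:"):
            st["role"] = words[2]
        elif words[:1] == ["subject"]:
            st["path"] = words[1]
        elif words[:1] == ["-CAP_ALL"]:
            st["caps"].clear()
        elif words and words[0].startswith("+CAP_"):
            st["caps"].add(words[0][1:])
        elif words and words[0].startswith("-CAP_"):
            st["caps"].discard(words[0][1:])
        elif words[:1] in (["bind"], ["connect"]):
            st[words[0]] = words[1]
    return st

def check_coverage(groups, stanza):
    """Explain why the observed denials would, or would not, be resolved by the stanza."""
    findings = []
    for (role, subject, path, euid), g in sorted(groups.items()):
        if path != stanza["path"]:
            continue
        if role != stanza["role"]:
            findings.append(f"{path} was denied under role '{role}' (subject {subject}, "
                            f"euid {euid}); a subject in role '{stanza['role']}' never applies")
        for cap in sorted(g["caps"] - stanza["caps"]):
            findings.append(f"{path} needs {cap}, which the stanza does not grant")
        if "CAP_NET_BIND_SERVICE" in g["caps"] and stanza["bind"] == "disabled":
            findings.append(f"{path} must bind its listening sockets; 'bind disabled' "
                            "blocks that even once CAP_NET_BIND_SERVICE is granted")
    return findings

if __name__ == "__main__":
    groups = summarize(parse_denials(SAMPLE_LOG.splitlines()))
    for key, g in groups.items():
        print(key, sorted(g["caps"]), g["count"], sorted(g["parents"]))
    for f in check_coverage(groups, parse_subject_stanza(CANDIDATE_STANZA)):
        print("finding:", f)
```

Run against the full messages file instead of SAMPLE_LOG, the grouping shows at a glance which role and euid each denied binary is actually running under, which is the first thing to compare with the `# Role:` a new subject is placed in.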

...
Code:
Mar  7 00:19:59 g0n kernel: [56583.732985] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23688] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23678] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.734479] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23689] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23678] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.750267] virbr0: port 2(vnet0) entered disabled state
Mar  7 00:19:59 g0n kernel: [56583.760121] device vnet0 left promiscuous mode
Mar  7 00:19:59 g0n kernel: [56583.760132] virbr0: port 2(vnet0) entered disabled state
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:19:59 g0n kernel: [56583.765086] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.765174] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.765311] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.765342] grsec: more alerts, logging disabled for 10 seconds
Mar  7 00:19:59 g0n kernel: [56583.767343] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh vnet0 stop ) by /lib64/udev/net.sh[udevd:23693] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:23691] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n dhcpcd[3564]: vnet0: deleting route to 169.254.0.0/16
Mar  7 00:19:59 g0n kernel: [56583.772955] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- netdev-vnet0 ) by /bin/kmod[kworker/u8:1:23694] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:1:23206] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.774833] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- vnet0 grsec_modharden_netdev ) by /bin/kmod[kworker/u8:1:23695] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:1:23206] uid/euid:0/0 gid/egid:0/0

...
Code: Select all
Mar  7 00:20:00 g0n kernel: [56584.376032] virbr0: port 2(vnet0) entered blocking state
Mar  7 00:20:00 g0n kernel: [56584.376037] virbr0: port 2(vnet0) entered disabled state
Mar  7 00:20:00 g0n kernel: [56584.376164] device vnet0 entered promiscuous mode
Mar  7 00:20:00 g0n kernel: [56584.379261] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) chdir to /run/dhcpcd/resolv.conf by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23825] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23823] uid/euid:0/0 gid/egid:0/0

...
Code: Select all
Mar  7 00:20:00 g0n kernel: [56584.399664] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23833] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23823] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:00 g0n kernel: [56584.401087] grsec: (root:U:/usr/sbin/libvirtd) chdir to / by /usr/sbin/libvirtd[libvirtd:23834] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:4152] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:00 g0n kernel: [56584.401260] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.dhcp ) by /bin/rm[dhcpcd-run-hook:23835] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23823] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:00 g0n kernel: [56584.406343] grsec: (qemu:U:/) exec of /usr/bin/qemu-system-x86_64 (/usr/bin/qemu-system-x86_64 -name guest=gentoo22,debug-threads=on -S -object secret,id=masterKey0,format=raw,file=/var/lib/libvi) by /usr/bin/qemu-system-x86_64[libvirtd:23836] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:00 g0n dhcpcd[3564]: vnet0: waiting for carrier
Mar  7 00:20:00 g0n dhcpcd[3564]: vnet0: new hardware address: fe:54:00:cf:cb:26
Mar  7 00:20:00 g0n dhcpcd[3564]: vnet0: carrier acquired
Mar  7 00:20:00 g0n kernel: [56584.409396] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23838] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:00 g0n dhcpcd[3564]: vnet0: IAID 00:cf:cb:26
Mar  7 00:20:00 g0n dhcpcd[3564]: vnet0: adding address fe80::10c9:b826:4d57:391f
Mar  7 00:20:00 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  7 00:20:00 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  7 00:20:00 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  7 00:20:00 g0n kernel: [56584.589925] grsec: (miro:U:/usr/bin/virt-viewer) exec of /usr/bin/virt-viewer (virt-viewer --connect qemu:///system --wait gentoo22 ) by /usr/bin/virt-viewer[python2.7:23844] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:23524] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:20:00 g0n kernel: [56584.682136] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/bash[X:23845] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:00 g0n kernel: [56584.693149] grsec: (miro:U:/) exec of /usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap compiler (xkbcomp) reports: -emp >  -eml Errors from) by /usr/bin/xkbcomp[sh:23845] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:00 g0n kernel: [56584.694903] grsec: (miro:U:/) chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:23845] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:01 g0n dhcpcd[3564]: vnet0: soliciting a DHCP lease
Mar  7 00:20:01 g0n dhcpcd[3564]: vnet0: soliciting an IPv6 router
Mar  7 00:20:01 g0n kernel: [56585.491524] sky2 0000:06:00.0 eth1: Link is down
Mar  7 00:20:01 g0n kernel: [56585.493685] br0: port 1(eth1) entered disabled state
Mar  7 00:20:01 g0n dhcpcd[3564]: eth1: carrier lost

...
Code: Select all
Mar  7 00:20:01 g0n dhcpcd[3564]: eth1: deleting route to 169.254.0.0/16

...
Code: Select all
Mar  7 00:20:02 g0n kernel: [56586.431840] virbr0: port 2(vnet0) entered learning state

...
Code: Select all
Mar  7 00:20:03 g0n kernel: [56587.056998] grsec: (miro:U:/) chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:23944] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:03 g0n kernel: [56587.075465] grsec: (miro:U:/bin/bash) exec of /bin/bash (sh -c "/usr/bin/xkbcomp" -w 1 "-R/usr/share/X11/xkb" -xkm "-" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " ) by /bin/bash[X:23945] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:03 g0n kernel: [56587.080247] grsec: (miro:U:/) exec of /usr/bin/xkbcomp (/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 The XKEYBOARD keymap compiler (xkbcomp) reports: -emp >  -eml Errors from) by /usr/bin/xkbcomp[sh:23945] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:03 g0n kernel: [56587.082029] grsec: (miro:U:/) chdir to /usr/share/X11/xkb by /usr/bin/xkbcomp[xkbcomp:23945] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/Xorg[X:4809] uid/euid:1000/0 gid/egid:1000/1000
Mar  7 00:20:04 g0n dhcpcd[3564]: virbr0: carrier acquired
Mar  7 00:20:04 g0n kernel: [56588.479824] virbr0: port 2(vnet0) entered forwarding state
Mar  7 00:20:04 g0n kernel: [56588.479836] virbr0: topology change detected, propagating
Mar  7 00:20:04 g0n kernel: [56588.484020] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23946] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:04 g0n dhcpcd[3564]: virbr0: IAID 00:ea:ee:e9
Mar  7 00:20:04 g0n dhcpcd[3564]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar  7 00:20:05 g0n dhcpcd[3564]: virbr0: soliciting a DHCP lease
Mar  7 00:20:05 g0n dhcpcd[3564]: virbr0: soliciting an IPv6 router
Mar  7 00:20:06 g0n dhcpcd[3564]: vnet0: probing for an IPv4LL address
Mar  7 00:20:08 g0n kernel: [56591.991951] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-kill (uncenz-kill ) by /usr/local/bin/uncenz-kill[bash:23947] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4966] uid/euid:1000/1000 gid/egid:1000/1000

...
Code: Select all
Mar  7 00:20:09 g0n kernel: [56593.549339] grsec: (miro:U:/) exec of /bin/grep (grep -E [d]umpcap ) by /bin/grep[egrep:23973] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:23971] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:20:10 g0n dhcpcd[3564]: virbr0: probing for an IPv4LL address
Mar  7 00:20:10 g0n kernel: [56594.065770] grsec: (miro:U:/usr/bin/sudo) exec of /usr/bin/sudo (sudo -s kill 23416 23418 ) by /usr/bin/sudo[uncenz-kill:23975] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:23947] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:20:10 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 23416 23418
Mar  7 00:20:10 g0n kernel: [56594.075066] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/bash -c kill 23416 23418 ) by /bin/bash[sudo:23975] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:23947] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 00:20:11 g0n dhcpcd[3564]: vnet0: using IPv4LL address 169.254.136.186
Mar  7 00:20:11 g0n dhcpcd[3564]: vnet0: adding route to 169.254.0.0/16
Mar  7 00:20:11 g0n dhcpcd[3564]: vnet0: adding default route
Mar  7 00:20:11 g0n kernel: [56595.377719] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23976] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:11 g0n kernel: [56595.395604] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /usr/bin/cmp[dhcpcd-run-hook:23978] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23976] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:11 g0n kernel: [56595.399445] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23979] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23976] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:11 g0n kernel: [56595.403288] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.vnet0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23980] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23976] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:11 g0n kernel: [56595.407082] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23982] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23981] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:14 g0n dhcpcd[3564]: vnet0: no IPv6 Routers available
Mar  7 00:20:15 g0n dhcpcd[3564]: virbr0: using IPv4LL address 169.254.64.126
Mar  7 00:20:15 g0n dhcpcd[3564]: virbr0: adding route to 169.254.0.0/16
Mar  7 00:20:15 g0n dhcpcd[3564]: vnet0: deleting default route
Mar  7 00:20:15 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:20:15 g0n dnsmasq[4320]: failed to create listening socket for 169.254.64.126: Permission denied
Mar  7 00:20:15 g0n kernel: [56599.141269] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.141467] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.142301] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:23984] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3564] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.156106] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /usr/bin/cmp[dhcpcd-run-hook:23986] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23984] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.157624] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23987] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23984] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.158988] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:23988] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23984] uid/euid:0/0 gid/egid:0/0
Mar  7 00:20:15 g0n kernel: [56599.164734] grsec: (root:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[dhcpcd-run-hook:23990] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:23989] uid/euid:0/0 gid/egid:0/0


What should I do here, which way to turn? This looks unsolvable to me...

The "CAP_NET_BIND_SERVICE denied" and other errors with the dnsmasq that doesn't want to work...

I'll be asking for help someplace... libvirt-users ML? qemu-users, no, probably not the qemu ML... this is libvirt and also network specific... Maybe the lartc (Linux Advanced Routers and Traffic Control) ML... yes...

But even to be able to ask, I have to sort the logs and be able to ask questions.

I need to compare and find the exact stage where RBAC-disabled gets the connection and RBAC-enabled cannot get a connection... Yes, that's what I need to do first.

And if any readers here on grsec forums have any suggestion/advice, I'll be thankful!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
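An added helper for the comparison described above (my example, not the poster's script and not part of gradm): it groups the grsec denial lines by the role and subject that actually handled each process, which is the first thing to check here, because dnsmasq runs as uid 65534 and lands in the default role (the `D` in `default:D:/`), and it lists the `+CAP_*` lines a dedicated subject would need. The sample log is a constructed excerpt of the lines quoted in this thread; the `+CAP_*` lines follow the gradm subject syntax and are a starting point to check against the real policy, not a policy by themselves.

```python
"""Summarise grsecurity RBAC denials from syslog lines so the policy author can
see which role/subject actually handled each process and what it was denied.
Added example for this thread; not part of gradm or of the poster's scripts."""
import re
from dataclasses import dataclass, field

# Every grsec RBAC message carries a "(role:type:subject)" context; the type
# letter is what matters here: D = default role, U = user role, S = special role.
_CTX = r"grsec: \((?P<ctx>[^)]*)\) "
# "... /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 ..." (comm may contain ':')
_PROC = r"(?P<path>\S+)\[[^\]]*\] uid/euid:(?P<uid>\d+)/"
CAP_RE = re.compile(_CTX + r"use of (?P<cap>CAP_[A-Z_]+) denied for " + _PROC)
OPEN_RE = re.compile(_CTX + r"denied open of (?P<file>\S+) for (?P<mode>\w+) by " + _PROC)
HIDDEN_RE = re.compile(_CTX + r"denied access to hidden file (?P<file>\S+) by " + _PROC)
# When this appears the kernel dropped alerts, so any summary is only a lower bound.
SUPPRESS_RE = re.compile(r"grsec: more alerts, logging disabled for \d+ seconds")

@dataclass
class Denial:
    role: str
    rtype: str
    subject: str
    binary: str
    caps: set = field(default_factory=set)
    files: dict = field(default_factory=dict)   # path -> "reading"/"writing"/"hidden"
    uids: set = field(default_factory=set)

def parse_ctx(ctx):
    """Split 'role:type:subject'; rsplit keeps odd roles such as ':::kernel:::' intact."""
    role, rtype, subject = ctx.rsplit(":", 2)
    return role, rtype, subject

def _entry(out, m):
    role, rtype, subject = parse_ctx(m.group("ctx"))
    key = (role, rtype, subject, m.group("path"))
    d = out.setdefault(key, Denial(role, rtype, subject, m.group("path")))
    d.uids.add(int(m.group("uid")))
    return d

def summarise(lines):
    """Return {(role, rtype, subject, binary): Denial} for every denial line."""
    out = {}
    for line in lines:
        m = CAP_RE.search(line)
        if m:
            _entry(out, m).caps.add(m.group("cap"))
            continue
        m = OPEN_RE.search(line)
        if m:
            _entry(out, m).files[m.group("file")] = m.group("mode")
            continue
        m = HIDDEN_RE.search(line)
        if m:
            _entry(out, m).files[m.group("file")] = "hidden"
    return out

def suppression_windows(lines):
    """Number of times the kernel stopped logging alerts (denials lost in between)."""
    return sum(1 for line in lines if SUPPRESS_RE.search(line))

def in_default_role(d):
    """True when no role matched the process's uid, so it fell into the default role
    and gets only what that role's '/' subject allows."""
    return d.rtype == "D"

def suggested_cap_lines(d):
    """Capability grants, in the '+CAP_X' form used inside gradm subject blocks, that a
    dedicated subject for d.binary would need to cover the denials seen."""
    return sorted("+" + c for c in d.caps)

def report(lines):
    """Human-readable summary; the NOTE line flags that the list is a lower bound."""
    out, text = summarise(lines), []
    for (role, rtype, subject, binary), d in sorted(out.items()):
        where = ("DEFAULT role: uid %s has no role" % sorted(d.uids) if in_default_role(d)
                 else "role %s, subject %s" % (role, subject))
        text.append("%s: %s" % (binary, where))
        text += ["    " + c for c in suggested_cap_lines(d)]
        text += ["    %s (%s)" % kv for kv in sorted(d.files.items())]
    if suppression_windows(lines):
        text.append("NOTE: alert logging was suppressed; list is incomplete")
    return text

# Constructed excerpt of the lines quoted in the thread (kept short on purpose).
SAMPLE_LOG = """\
Mar  7 00:19:41 g0n kernel: [56565.835969] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.765086] grsec: (default:D:/) use of CAP_NET_BIND_SERVICE denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 00:19:59 g0n kernel: [56583.765342] grsec: more alerts, logging disabled for 10 seconds
Mar  7 06:11:35 g0n kernel: [77679.295613] grsec: (miro:U:/) denied open of /sys/devices/system/cpu/online for reading by /usr/bin/pidof[pidof:28019] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:11:35 g0n kernel: [77679.436691] grsec: (root:U:/usr/bin/dumpcap) denied access to hidden file /proc/28053/net/psched by /usr/bin/dumpcap[dumpcap:28053] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:12:18 g0n kernel: [77722.690745] grsec: (default:D:/) use of CAP_NET_RAW denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Feed it the full /var/log/messages instead of the sample to get the complete picture; the NOTE line tells you when the 10-second logging suppression seen in the thread has hidden further denials.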

Re: Libvirt virtualization policies

Postby timbgo » Tue Mar 07, 2017 4:43 am

I have issued:

Code: Select all
mv -vi grsec_170307_g0n_00 grsec_170307_g0n_00_abandoned


and reverted the changes to yesterday morning's state of the policy:

Code: Select all
# diff grsec_170306_g0n_01 /etc/grsec/policy
#


The script that I ran this morning:

/usr/local/bin/DevuanVM22.sh
Code: Select all
#!/bin/sh
# Show the image command and wait for Enter before creating the disk image.
echo "qemu-img create -f qcow2 devuan22.img 10G"
read FAKE
qemu-img create -f qcow2 devuan22.img 10G
exec virt-install \
   --connect qemu:///system \
   --machine q35 \
   --virt-type kvm \
   --name devuan22 \
   --disk devuan22.img \
   --memory 512 \
   --network network=default \
   --graphics vnc \
   --cdrom unofficial_live_devuan_beta_amd64_snapshot-20161205_2229.iso \
   "$@"   # quoted so extra arguments containing spaces are passed through intact


(the one at the bottom, the CD, is Refracta, which is based on Devuan)

followed by:

Code: Select all
virsh # shutdown devuan22
Domain devuan22 is being shutdown

virsh # destroy devuan22
^[[ADomain devuan22 destroyed

virsh # undefine devuan22 --remove-all-storage --managed-save --snapshots-metadata
Domain devuan22 has been undefined
Volume 'sda'(/home/miro/devuan22.img) removed.

virsh #


so I can restart with the same script.

It is because of the interaction with something, some functionality in grsecurity, that I can't get the network connection for the guest.

I believe this study, for which this time I'll give the link straight into this post, should enable some analysis to figure out the missing touch to get Libvirt to work protected with the grsecurity RBAC policy:

Devuan in VM with virt-install with grsec RBAC enabled and then disabled (13)
https://www.croatiafidelis.hr/foss/cap/ ... uan-13.php

Before I begin linking, let me tell you that you might find the script:
https://github.com/miroR/uncenz/blob/master/dump_dLo.sh
more useful, if you prefer to download all at once.

Here is the first run, with grsecurity RBAC enabled; the connection to the internet in the guest wasn't accomplished:

messages_170307_0611_g0n
Code: Select all
Mar  7 06:10:31 g0n kernel: [77615.554058] grsec: (root:U:/sbin/gradm) successful change to special role admin (id 7) by /sbin/gradm[gradm:27984] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4709] uid/euid:0/0 gid/egid:0/0
Mar  7 06:11:35 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar  7 06:11:35 g0n kernel: [77679.295613] grsec: (miro:U:/) denied open of /sys/devices/system/cpu/online for reading by /usr/bin/pidof[pidof:28019] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:11:35 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:11:35 g0n kernel: [77679.338650] grsec: (miro:U:/) denied open of /sys/devices/system/cpu/online for reading by /usr/bin/pidof[pidof:28025] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:11:35 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c touch dump_170307_0611_g0n.pcap
Mar  7 06:11:35 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c dumpcap -i any -w dump_170307_0611_g0n.pcap
Mar  7 06:11:35 g0n kernel: [77679.436691] grsec: (root:U:/usr/bin/dumpcap) denied access to hidden file /proc/28053/net/psched by /usr/bin/dumpcap[dumpcap:28053] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:11:37 g0n kernel: [77681.034517] grsec: (miro:U:/) denied open of /sys/devices/system/cpu/online for reading by /usr/bin/ffmpeg[ffmpeg:28055] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28006] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:11:38 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:11:38 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:11:42 g0n kernel: [77685.975856] sky2 0000:06:00.0 eth1: Link is up at 100 Mbps, full duplex, flow control both
Mar  7 06:11:42 g0n kernel: [77685.975901] br0: port 1(eth1) entered blocking state
Mar  7 06:11:42 g0n kernel: [77685.975905] br0: port 1(eth1) entered forwarding state
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: carrier acquired
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: IAID 2e:ab:28:71
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: IAID conflicts with one assigned to br0
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: carrier acquired
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: IAID 2e:ab:28:71
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: IAID conflicts with one assigned to eth1
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: deleting address fe80::30b7:84a9:5f50:6486
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: adding address fe80::30b7:84a9:5f50:6486
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: soliciting an IPv6 router
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: soliciting an IPv6 router
Mar  7 06:11:42 g0n dhcpcd[3564]: eth1: soliciting a DHCP lease
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: rebinding lease of 192.168.1.4
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: NAK: from 192.168.1.1
Mar  7 06:11:42 g0n dhcpcd[3564]: br0: soliciting a DHCP lease
Mar  7 06:11:43 g0n dhcpcd[3564]: br0: Router Advertisement from fe80::1
Mar  7 06:11:43 g0n dhcpcd[3564]: br0: adding default route via fe80::1
Mar  7 06:11:43 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:11:43 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:11:43 g0n dhcpcd[3564]: br0: requesting DHCPv6 information
Mar  7 06:11:44 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:11:44 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:11:44 g0n dhcpcd[3564]: br0: offered 192.168.1.4 from 192.168.1.1
Mar  7 06:11:44 g0n dhcpcd[3564]: br0: probing address 192.168.1.4/24
Mar  7 06:11:47 g0n dhcpcd[3564]: eth1: probing for an IPv4LL address
Mar  7 06:11:49 g0n dhcpcd[3564]: br0: leased 192.168.1.4 for infinity
Mar  7 06:11:49 g0n dhcpcd[3564]: br0: adding route to 192.168.1.0/24
Mar  7 06:11:49 g0n dhcpcd[3564]: br0: adding default route via 192.168.1.1
Mar  7 06:11:49 g0n dhcpcd[3564]: virbr0: deleting default route
Mar  7 06:11:49 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:11:49 g0n dnsmasq[4320]: using nameserver 81.2.237.32#53
Mar  7 06:11:49 g0n dnsmasq[4320]: using nameserver 31.14.133.188#53
Mar  7 06:11:49 g0n dnsmasq[4320]: using nameserver 5.9.49.12#53
Mar  7 06:11:49 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:11:53 g0n dhcpcd[3564]: eth1: using IPv4LL address 169.254.217.174
Mar  7 06:11:53 g0n dhcpcd[3564]: eth1: adding route to 169.254.0.0/16
Mar  7 06:11:54 g0n kernel: [77698.035697] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:11:54 g0n kernel: [77698.035702] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:11:54 g0n kernel: [77698.035843] device vnet1 entered promiscuous mode
Mar  7 06:11:54 g0n kernel: [77698.039504] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:11:54 g0n kernel: [77698.039508] virbr0: port 3(vnet1) entered listening state
Mar  7 06:11:54 g0n dhcpcd[3564]: vnet1: waiting for carrier
Mar  7 06:11:54 g0n dhcpcd[3564]: vnet1: carrier acquired
Mar  7 06:11:54 g0n dhcpcd[3564]: vnet1: IAID 00:ba:4b:7e
Mar  7 06:11:54 g0n dhcpcd[3564]: vnet1: adding address fe80::d64a:e97e:f665:e3c3
Mar  7 06:11:54 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  7 06:11:54 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  7 06:11:54 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  7 06:11:54 g0n kernel: [77698.420160] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:11:54 g0n dhcpcd[3564]: vnet1: soliciting an IPv6 router
Mar  7 06:11:54 g0n kernel: [77698.543599] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 06:11:55 g0n dhcpcd[3564]: vnet1: soliciting a DHCP lease
Mar  7 06:11:56 g0n kernel: [77700.074354] virbr0: port 3(vnet1) entered learning state
Mar  7 06:11:56 g0n kernel: [77700.959474] kvm [28192]: vcpu0, guest rIP: 0xffffffff81052aa2 unhandled rdmsr: 0xc0010048
Mar  7 06:11:57 g0n kernel: [77701.275871] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 06:11:58 g0n kernel: [77702.122405] virbr0: port 3(vnet1) entered forwarding state
Mar  7 06:11:58 g0n kernel: [77702.122447] virbr0: topology change detected, propagating
Mar  7 06:12:00 g0n dhcpcd[3564]: vnet1: probing for an IPv4LL address
Mar  7 06:12:05 g0n dhcpcd[3564]: vnet1: using IPv4LL address 169.254.142.79
Mar  7 06:12:05 g0n dhcpcd[3564]: vnet1: adding route to 169.254.0.0/16
Mar  7 06:12:07 g0n dhcpcd[3564]: vnet1: no IPv6 Routers available
Mar  7 06:12:10 g0n kernel: [77714.964719] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:12:18 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:12:18 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:12:18 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:12:18 g0n kernel: [77722.690745] grsec: (default:D:/) use of CAP_NET_RAW denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:18 g0n kernel: [77722.690849] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:25 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:12:25 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:12:25 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:12:25 g0n kernel: [77729.735770] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:33 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:12:33 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:12:33 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:12:33 g0n kernel: [77737.759403] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:42 g0n kernel: [77746.401053] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:12:45 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:12:45 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:12:45 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:12:45 g0n kernel: [77749.790392] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:52 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:12:52 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:12:52 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:12:52 g0n kernel: [77756.621175] grsec: (default:D:/) use of CAP_NET_RAW denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:12:52 g0n kernel: [77756.621284] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:13:07 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:ba:4b:7e
Mar  7 06:13:07 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.141 52:54:00:ba:4b:7e
Mar  7 06:13:07 g0n dnsmasq-dhcp[4320]: ARP-cache injection failed: Operation not permitted
Mar  7 06:13:07 g0n kernel: [77771.539524] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar  7 06:13:28 g0n dhcpcd[3564]: vnet1: carrier lost
Mar  7 06:13:28 g0n kernel: [77792.337880] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:13:28 g0n kernel: [77792.338062] device vnet1 left promiscuous mode
Mar  7 06:13:28 g0n kernel: [77792.338065] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:13:28 g0n dhcpcd[3564]: vnet1: deleting address fe80::d64a:e97e:f665:e3c3
Mar  7 06:13:28 g0n dhcpcd[3564]: vnet1: deleting route to 169.254.0.0/16
Mar  7 06:13:28 g0n dhcpcd[3564]: vnet1: removing interface
Mar  7 06:13:28 g0n kernel: [77792.944960] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:13:28 g0n kernel: [77792.944966] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:13:28 g0n kernel: [77792.945138] device vnet1 entered promiscuous mode
Mar  7 06:13:28 g0n kernel: [77792.952023] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:13:28 g0n kernel: [77792.952029] virbr0: port 3(vnet1) entered listening state
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: waiting for carrier
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: new hardware address: fe:54:00:ba:4b:7e
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: carrier acquired
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: IAID 00:ba:4b:7e
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: adding address fe80::d64a:e97e:f665:e3c3
Mar  7 06:13:29 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  7 06:13:29 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  7 06:13:29 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  7 06:13:29 g0n kernel: [77793.078876] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=45087 PROTO=2
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: soliciting an IPv6 router
Mar  7 06:13:29 g0n dhcpcd[3564]: vnet1: soliciting a DHCP lease
Mar  7 06:13:30 g0n kernel: [77794.078671] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=45102 PROTO=2
Mar  7 06:13:31 g0n kernel: [77794.986885] virbr0: port 3(vnet1) entered learning state
Mar  7 06:13:31 g0n kernel: [77795.590533] sky2 0000:06:00.0 eth1: Link is down
Mar  7 06:13:31 g0n dhcpcd[3564]: eth1: carrier lost
Mar  7 06:13:31 g0n kernel: [77795.592954] br0: port 1(eth1) entered disabled state
Mar  7 06:13:31 g0n dhcpcd[3564]: eth1: deleting route to 169.254.0.0/16
Mar  7 06:13:32 g0n dhcpcd[3564]: br0: carrier lost
Mar  7 06:13:32 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:13:32 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:13:32 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:13:32 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:13:32 g0n dhcpcd[3564]: br0: deleting default route via fe80::1
Mar  7 06:13:32 g0n dnsmasq[4320]: no servers found in /etc/resolv.conf, will retry
Mar  7 06:13:32 g0n dhcpcd[3564]: br0: deleting address fe80::30b7:84a9:5f50:6486
Mar  7 06:13:32 g0n dhcpcd[3564]: br0: deleting default route via 192.168.1.1
Mar  7 06:13:32 g0n dhcpcd[3564]: br0: deleting route to 192.168.1.0/24
Mar  7 06:13:32 g0n dhcpcd[3564]: virbr0: adding default route
Mar  7 06:13:33 g0n kernel: [77797.034836] virbr0: port 3(vnet1) entered forwarding state
Mar  7 06:13:33 g0n kernel: [77797.034848] virbr0: topology change detected, propagating
Mar  7 06:13:34 g0n dhcpcd[3564]: vnet1: probing for an IPv4LL address
Mar  7 06:13:37 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:13:37 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:13:37 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 28053 28055
Mar  7 06:13:39 g0n dhcpcd[3564]: vnet1: using IPv4LL address 169.254.142.79
Mar  7 06:13:39 g0n dhcpcd[3564]: vnet1: adding route to 169.254.0.0/16
Mar  7 06:13:39 g0n dhcpcd[3564]: virbr0: deleting default route
Mar  7 06:13:43 g0n dhcpcd[3564]: vnet1: no IPv6 Routers available
Mar  7 06:13:54 g0n /usr/sbin/gpm[3912]: *** info [daemon/processrequest.c(42)]:
Mar  7 06:13:54 g0n /usr/sbin/gpm[3912]: Request on 6 (console 0)
Mar  7 06:14:14 g0n kernel: [77838.353133] grsec: (admin:S:/) shutdown auth failure for /sbin/gradm[gradm:28518] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4709] uid/euid:0/0 gid/egid:0/0
Mar  7 06:14:19 g0n kernel: [77843.594548] grsec: shutdown auth success for /sbin/gradm[gradm:28523] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4709] uid/euid:0/0 gid/egid:0/0
Mar  7 06:14:31 g0n dhcpcd[3564]: vnet1: carrier lost
Mar  7 06:14:31 g0n kernel: [77855.239318] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:14:31 g0n kernel: [77855.239535] device vnet1 left promiscuous mode
Mar  7 06:14:31 g0n kernel: [77855.239538] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:14:31 g0n dhcpcd[3564]: vnet1: deleting address fe80::d64a:e97e:f665:e3c3
Mar  7 06:14:31 g0n dhcpcd[3564]: virbr0: adding default route
Mar  7 06:14:31 g0n dhcpcd[3564]: vnet1: deleting route to 169.254.0.0/16
Mar  7 06:14:31 g0n dhcpcd[3564]: vnet1: removing interface

and of course (it should open in its own window):
https://www.croatiafidelis.hr/foss/cap/ ... 1_g0n.webm
and the trace that you need to download:
https://www.croatiafidelis.hr/foss/cap/ ... 1_g0n.pcap
(also some SSL conversations, but those were in the host:
https://www.croatiafidelis.hr/foss/cap/ ... OGFILE.txt
which I give only for completeness)

And in the second run, with grsecurity RBAC disabled, the connection to the internet in the guest was successfully accomplished:

messages_170307_0614_g0n
Code:
Mar  7 06:14:38 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar  7 06:14:38 g0n kernel: [77862.098510] grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 65536 for /usr/bin/sox[play:28577] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28570] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:14:38 g0n kernel: [77862.100401] grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 65536 for /usr/bin/sox[play:28577] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:28570] uid/euid:1000/1000 gid/egid:1000/1000
Mar  7 06:14:45 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:14:46 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c touch dump_170307_0614_g0n.pcap
Mar  7 06:14:46 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c dumpcap -i any -w dump_170307_0614_g0n.pcap
Mar  7 06:14:49 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:14:49 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:14:50 g0n dhcpcd[3564]: eth1: carrier acquired
Mar  7 06:14:50 g0n kernel: [77874.899853] sky2 0000:06:00.0 eth1: Link is up at 100 Mbps, full duplex, flow control both
Mar  7 06:14:50 g0n kernel: [77874.899886] br0: port 1(eth1) entered blocking state
Mar  7 06:14:50 g0n kernel: [77874.899890] br0: port 1(eth1) entered forwarding state
Mar  7 06:14:50 g0n dhcpcd[3564]: eth1: IAID 2e:ab:28:71
Mar  7 06:14:50 g0n dhcpcd[3564]: eth1: IAID conflicts with one assigned to br0
Mar  7 06:14:50 g0n dhcpcd[3564]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar  7 06:14:50 g0n dhcpcd[3564]: br0: carrier acquired
Mar  7 06:14:50 g0n dhcpcd[3564]: br0: IAID 2e:ab:28:71
Mar  7 06:14:50 g0n dhcpcd[3564]: br0: IAID conflicts with one assigned to eth1
Mar  7 06:14:50 g0n dhcpcd[3564]: eth1: deleting address fe80::30b7:84a9:5f50:6486
Mar  7 06:14:50 g0n dhcpcd[3564]: br0: adding address fe80::30b7:84a9:5f50:6486
Mar  7 06:14:51 g0n dhcpcd[3564]: eth1: soliciting a DHCP lease
Mar  7 06:14:51 g0n dhcpcd[3564]: br0: soliciting an IPv6 router
Mar  7 06:14:51 g0n dhcpcd[3564]: eth1: soliciting an IPv6 router
Mar  7 06:14:51 g0n dhcpcd[3564]: br0: rebinding lease of 192.168.1.4
Mar  7 06:14:52 g0n dhcpcd[3564]: br0: Router Advertisement from fe80::1
Mar  7 06:14:52 g0n dhcpcd[3564]: br0: adding default route via fe80::1
Mar  7 06:14:52 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:14:52 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:14:52 g0n dhcpcd[3564]: br0: requesting DHCPv6 information
Mar  7 06:14:52 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:14:52 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:14:56 g0n dhcpcd[3564]: eth1: probing for an IPv4LL address
Mar  7 06:14:56 g0n dhcpcd[3564]: br0: probing for an IPv4LL address
Mar  7 06:14:56 g0n dhcpcd[3564]: br0: DHCP lease expired
Mar  7 06:14:56 g0n dhcpcd[3564]: br0: soliciting a DHCP lease
Mar  7 06:14:57 g0n dhcpcd[3564]: br0: offered 192.168.1.4 from 192.168.1.1
Mar  7 06:14:57 g0n dhcpcd[3564]: br0: probing address 192.168.1.4/24
Mar  7 06:14:59 g0n kernel: [77883.724338] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:14:59 g0n kernel: [77883.724342] virbr0: port 3(vnet1) entered disabled state
Mar  7 06:14:59 g0n kernel: [77883.724458] device vnet1 entered promiscuous mode
Mar  7 06:14:59 g0n kernel: [77883.731464] virbr0: port 3(vnet1) entered blocking state
Mar  7 06:14:59 g0n kernel: [77883.731469] virbr0: port 3(vnet1) entered listening state
Mar  7 06:14:59 g0n dhcpcd[3564]: vnet1: waiting for carrier
Mar  7 06:14:59 g0n dhcpcd[3564]: vnet1: new hardware address: fe:54:00:68:a5:92
Mar  7 06:14:59 g0n dhcpcd[3564]: vnet1: carrier acquired
Mar  7 06:14:59 g0n dhcpcd[3564]: vnet1: IAID 00:68:a5:92
Mar  7 06:14:59 g0n dhcpcd[3564]: vnet1: adding address fe80::3117:ab62:e26:65ec
Mar  7 06:14:59 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar  7 06:14:59 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar  7 06:14:59 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar  7 06:15:00 g0n kernel: [77884.271772] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 06:15:00 g0n dhcpcd[3564]: vnet1: soliciting a DHCP lease
Mar  7 06:15:00 g0n dhcpcd[3564]: vnet1: soliciting an IPv6 router
Mar  7 06:15:01 g0n dhcpcd[3564]: br0: using IPv4LL address 169.254.217.174
Mar  7 06:15:01 g0n dhcpcd[3564]: br0: adding route to 169.254.0.0/16
Mar  7 06:15:01 g0n dhcpcd[3564]: virbr0: deleting default route
Mar  7 06:15:01 g0n dhcpcd[3564]: eth1: using IPv4LL address 169.254.217.174
Mar  7 06:15:01 g0n dhcpcd[3564]: eth1: adding route to 169.254.0.0/16
Mar  7 06:15:01 g0n dhcpcd[3564]: br0: adding default route
Mar  7 06:15:01 g0n kernel: [77885.740264] virbr0: port 3(vnet1) entered learning state
Mar  7 06:15:02 g0n dhcpcd[3564]: br0: leased 192.168.1.4 for infinity
Mar  7 06:15:02 g0n dhcpcd[3564]: br0: adding route to 192.168.1.0/24
Mar  7 06:15:02 g0n dhcpcd[3564]: br0: changing default route via 192.168.1.1
Mar  7 06:15:02 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:15:02 g0n dnsmasq[4320]: using nameserver 81.2.237.32#53
Mar  7 06:15:02 g0n dnsmasq[4320]: using nameserver 31.14.133.188#53
Mar  7 06:15:02 g0n dnsmasq[4320]: using nameserver 5.9.49.12#53
Mar  7 06:15:02 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:15:02 g0n dhcpcd[3564]: br0: deleting route to 169.254.0.0/16
Mar  7 06:15:02 g0n kernel: [77886.557356] kvm [28739]: vcpu0, guest rIP: 0xffffffff81052aa2 unhandled rdmsr: 0xc0010048
Mar  7 06:15:02 g0n kernel: [77886.851834] kvm: zapping shadow pages for mmio generation wraparound
Mar  7 06:15:03 g0n kernel: [77887.469857] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:15:03 g0n kernel: [77887.787331] virbr0: port 3(vnet1) entered forwarding state
Mar  7 06:15:03 g0n kernel: [77887.787377] virbr0: topology change detected, propagating
Mar  7 06:15:05 g0n dhcpcd[3564]: vnet1: probing for an IPv4LL address
Mar  7 06:15:10 g0n dhcpcd[3564]: vnet1: using IPv4LL address 169.254.70.220
Mar  7 06:15:10 g0n dhcpcd[3564]: vnet1: adding route to 169.254.0.0/16
Mar  7 06:15:13 g0n dhcpcd[3564]: vnet1: no IPv6 Routers available
Mar  7 06:15:19 g0n kernel: [77903.948246] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:15:23 g0n kernel: [77907.073660] mrfw_pingIN= OUT=virbr0 SRC=192.168.122.1 DST=192.168.122.79 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=39660 DF PROTO=ICMP TYPE=8 CODE=0 ID=63007 SEQ=0
Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:68:a5:92
Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.79 52:54:00:68:a5:92
Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPREQUEST(virbr0) 192.168.122.79 52:54:00:68:a5:92
Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPACK(virbr0) 192.168.122.79 52:54:00:68:a5:92 devuan
Mar  7 06:15:35 g0n kernel: [77919.014647] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=45139 PROTO=2
Mar  7 06:15:52 g0n kernel: [77936.332349] mrfw_dropIN=br0 OUT= PHYSIN=eth1 MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar  7 06:16:51 g0n kernel: [77995.863650] sky2 0000:06:00.0 eth1: Link is down
Mar  7 06:16:51 g0n dhcpcd[3564]: eth1: carrier lost
Mar  7 06:16:51 g0n kernel: [77995.865113] br0: port 1(eth1) entered disabled state
Mar  7 06:16:51 g0n dhcpcd[3564]: eth1: deleting route to 169.254.0.0/16
Mar  7 06:16:52 g0n dhcpcd[3564]: br0: carrier lost
Mar  7 06:16:52 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:16:52 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:16:53 g0n dnsmasq[4320]: reading /etc/resolv.conf
Mar  7 06:16:53 g0n dnsmasq[4320]: using nameserver fe80::1%br0#53
Mar  7 06:16:53 g0n dhcpcd[3564]: br0: deleting default route via fe80::1
Mar  7 06:16:53 g0n dnsmasq[4320]: no servers found in /etc/resolv.conf, will retry
Mar  7 06:16:53 g0n dhcpcd[3564]: br0: deleting address fe80::30b7:84a9:5f50:6486
Mar  7 06:16:53 g0n dhcpcd[3564]: br0: deleting default route via 192.168.1.1
Mar  7 06:16:53 g0n dhcpcd[3564]: br0: deleting route to 192.168.1.0/24
Mar  7 06:16:53 g0n dhcpcd[3564]: virbr0: adding default route
Mar  7 06:16:56 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:16:56 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar  7 06:16:56 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 28615 28617

Try to open the screencast in its own window:
https://www.croatiafidelis.hr/foss/cap/ ... 4_g0n.webm
and the trace that you need to download:
https://www.croatiafidelis.hr/foss/cap/ ... 4_g0n.pcap
(also some SSL conversations, but those were in the host:
https://www.croatiafidelis.hr/foss/cap/ ... OGFILE.txt
which I give only for completeness)

What is it that is missing to get Libvirt to work with the grsecurity RBAC policy enabled?
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Libvirt virtualization policies

Postby timbgo » Tue Mar 07, 2017 9:54 am

I have rearranged the syslog messages from the last study so that, by looking at them side by side, either in two windows of an editor or even in two windows (or tabs) of a browser, you can see where the runs depart from each other; maybe there's a clue there to what the missing touch is.
(
Notice that I only added spacing in 0611, and only rearranged lines in 0614 (a few critical delays there to be noticed!).
If you look at them in a browser, you need to disable line wrapping to get the two windows to correlate.
Lots of lines, in the first 3/4 or so of the longer text (the failing run, the earlier one, 0611), can be set, by arranging the window/tab, to be in the same place and to correlate fine with the later run, the RBAC-not-enabled run. And then the suspect that fails the run is easier to spot.
)

https://www.croatiafidelis.hr/foss/cap/ ... 0n_cmp.txt
and
https://www.croatiafidelis.hr/foss/cap/ ... 0n_cmp.txt

It's the dhcpcd that needs to get some learning by mother grsec, I'm betting on it! (Ah, maybe I shouldn't be; I have lost a few bets in this topic so far...)
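
As an added example (my own Python, not code from the post or from grsecurity), here is a small tool that does the side-by-side comparison described above mechanically: it masks the fields that differ between any two runs of the same procedure (the syslog timestamp and host, PIDs in brackets, kernel uptime stamps, randomly chosen IPv4LL addresses) and then reports which events occur in only one of the runs. The sample lines are copied from the two syslog listings quoted earlier in this thread; the choice of which fields to mask is my assumption.

```python
"""Compare two syslog runs of the same procedure and report where they diverge.

Added example; not code from the original post. The sample lines below are
copied from the two syslog listings quoted earlier in this thread (RBAC
enabled vs. RBAC disabled); which fields to mask is an assumption about what
legitimately varies between runs.
"""
import difflib
import re

# Fields that differ between two runs of the same procedure and must be masked.
_SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")  # "Mar  7 06:13:32 g0n "
_PID = re.compile(r"\[\d+\]")                                                # "dhcpcd[3564]" -> "dhcpcd"
_KERNEL_UPTIME = re.compile(r"\[\s*\d+\.\d+\] ")                             # "[77797.034836] "
_IPV4LL = re.compile(r"169\.254\.\d+\.\d+")                                  # randomly chosen link-local address


def normalize(line):
    """Reduce a syslog line to the part that should be identical across runs."""
    line = _SYSLOG_PREFIX.sub("", line)
    line = _PID.sub("", line)
    line = _KERNEL_UPTIME.sub("", line)
    line = _IPV4LL.sub("169.254.x.x", line)
    return line.strip()


def normalize_run(text):
    return [normalize(line) for line in text.splitlines() if line.strip()]


def divergence(run_a, run_b):
    """Return (only_in_a, only_in_b): normalized events, in order, that the other run lacks."""
    a, b = normalize_run(run_a), normalize_run(run_b)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    only_a, only_b = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            only_a.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            only_b.extend(b[j1:j2])
    return only_a, only_b


# Excerpts of the two runs quoted in the thread: with RBAC enabled the guest's
# vnet1 never saw a DHCP exchange; with RBAC disabled dnsmasq handed out a lease.
FAILING_RUN = "\n".join([
    "Mar  7 06:13:33 g0n kernel: [77797.034836] virbr0: port 3(vnet1) entered forwarding state",
    "Mar  7 06:13:33 g0n kernel: [77797.034848] virbr0: topology change detected, propagating",
    "Mar  7 06:13:34 g0n dhcpcd[3564]: vnet1: probing for an IPv4LL address",
    "Mar  7 06:13:39 g0n dhcpcd[3564]: vnet1: using IPv4LL address 169.254.142.79",
    "Mar  7 06:13:39 g0n dhcpcd[3564]: vnet1: adding route to 169.254.0.0/16",
    "Mar  7 06:13:43 g0n dhcpcd[3564]: vnet1: no IPv6 Routers available",
    "Mar  7 06:14:31 g0n dhcpcd[3564]: vnet1: carrier lost",
])
WORKING_RUN = "\n".join([
    "Mar  7 06:15:03 g0n kernel: [77887.787331] virbr0: port 3(vnet1) entered forwarding state",
    "Mar  7 06:15:03 g0n kernel: [77887.787377] virbr0: topology change detected, propagating",
    "Mar  7 06:15:05 g0n dhcpcd[3564]: vnet1: probing for an IPv4LL address",
    "Mar  7 06:15:10 g0n dhcpcd[3564]: vnet1: using IPv4LL address 169.254.70.220",
    "Mar  7 06:15:10 g0n dhcpcd[3564]: vnet1: adding route to 169.254.0.0/16",
    "Mar  7 06:15:13 g0n dhcpcd[3564]: vnet1: no IPv6 Routers available",
    "Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPDISCOVER(virbr0) 52:54:00:68:a5:92",
    "Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPOFFER(virbr0) 192.168.122.79 52:54:00:68:a5:92",
    "Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPREQUEST(virbr0) 192.168.122.79 52:54:00:68:a5:92",
    "Mar  7 06:15:26 g0n dnsmasq-dhcp[4320]: DHCPACK(virbr0) 192.168.122.79 52:54:00:68:a5:92 devuan",
])


def report(run_a, run_b, label_a="RBAC enabled", label_b="RBAC disabled"):
    """Human-readable summary of the events each run has that the other lacks."""
    only_a, only_b = divergence(run_a, run_b)
    out = [f"only in the {label_a} run:"] + [f"  {e}" for e in only_a]
    out += [f"only in the {label_b} run:"] + [f"  {e}" for e in only_b]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(FAILING_RUN, WORKING_RUN))
```

On the two excerpts the common prefix runs up to the "no IPv6 Routers available" line; after that the RBAC-enabled run only has the carrier loss, while the RBAC-disabled run has the DHCPDISCOVER/OFFER/REQUEST/ACK exchange from dnsmasq on virbr0, which is the point where the two runs part ways. Feed it the two full listings (read from files instead of the constants) to get the same answer without lining windows up by hand.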

Re: Libvirt virtualization policies

Postby timbgo » Tue Mar 07, 2017 3:48 pm

I did this.
diff -u grsec_170306_g0n_01 grsec_170307_g0n_01
Code:
--- grsec_170306_g0n_01   2017-03-06 14:29:56.520265937 +0100
+++ grsec_170307_g0n_01   2017-03-07 16:02:55.699068363 +0100
@@ -1962,40 +1962,8 @@
    connect   disabled
 
 # Role: root
-subject /lib64/dhcpcd/dhcpcd-run-hooks o
+subject /lib64/dhcpcd/dhcpcd-run-hooks ol
    /            
-   /bin            x
-   /boot            h
-   /dev            
-   /dev/grsec         h
-   /dev/kmem         h
-   /dev/log         h
-   /dev/mem         h
-   /dev/null         w
-   /dev/port         h
-   /dev/tty         rw
-   /etc            
-   /etc/grsec         h
-   /etc/gshadow         h
-   /etc/gshadow-         h
-   /etc/ld.so.cache      r
-   /etc/nsswitch.conf      r
-   /etc/passwd         r
-   /etc/resolv.conf      w
-   /etc/shadow         h
-   /etc/shadow-         h
-   /etc/ssh         h
-   /lib/modules         h
-   /lib64            rx
-   /lib64/modules         h
-   /proc            h
-   /proc/meminfo         r
-   /run            
-   /run/dhcpcd         wc
-   /sys            h
-   /usr            h
-   /usr/bin/cmp         x
-   /var/log         h
    -CAP_ALL
    bind   disabled
    connect   disabled
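Review bot: Removing every object line of the dhcpcd-run-hooks subject (`/bin x`, `/lib64 rx`, `/etc/resolv.conf w`, `/run/dhcpcd wc`, `/usr/bin/cmp x` and the rest) leaves only a bare `/` carrying no access mode plus the kept `-CAP_ALL`, so as soon as the new `l` flag is taken off again this subject can neither execute nor read anything it needs. The `l` flag only pays off if the policy is loaded with learning active (`gradm -E -L <learning log>`) and the collected entries are merged back afterwards (`gradm -L <learning log> -O <policy>`); either keep the removed lines as the baseline and let learning extend them, or plan to regenerate this subject entirely from the learning log before enforcing it.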
@@ -2059,33 +2027,10 @@
    sock_allow_family unix inet
 
 # Role: root
-subject /sbin/dhcpcd o
+subject /sbin/dhcpcd ol
    /            h
-   /etc            h
-   /etc/dhcpcd.conf      r
-   /lib64            h
-   /lib64/dhcpcd/dhcpcd-run-hooks   x
-   /proc            rw
-   /proc/bus         h
-   /proc/kallsyms         h
-   /proc/kcore         h
-   /proc/modules         h
-   /proc/slabinfo         h
-   /run            h
-   /run/dhcpcd*         wd
-   /sbin            h
-   /sbin/dhcpcd         rx
-   /var            h
-   /var/lib
-   /var/lib/dhcpcd*      rwcd
-   -CAP_ALL
-   +CAP_NET_BIND_SERVICE
-   +CAP_NET_ADMIN
-   +CAP_NET_RAW
-   +CAP_SYS_MODULE
-   bind 0.0.0.0/32:0 dgram ip
+   bind   disabled
    connect   disabled
-   sock_allow_family ipv6 netlink packet
 
 # Role: root
 subject /sbin/mount.nfs o
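Review bot: The capabilities and socket rules removed from `/sbin/dhcpcd` here (`+CAP_NET_BIND_SERVICE`, `+CAP_NET_ADMIN`, `+CAP_NET_RAW`, `bind 0.0.0.0/32:0 dgram ip`, `sock_allow_family ipv6 netlink packet`) are what a DHCP client needs for its raw/packet sockets, its netlink address and route updates and its UDP client-port bind, and `-CAP_ALL` goes with them, so the subject no longer states its capability set at all; the deletion is only harmless while the new `l` flag keeps the subject in learning mode, where accesses are logged rather than denied, and these lines will have to come back (via the merged learning log) before the subject enforces again. Learning mode also says something about the experiment itself: if the guest still gets no lease with both dhcpcd subjects in learning mode, the blocking denial is most likely in another subject, and the `grsec: denied` lines in the syslog of that run, not this subject, are where to look next.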


But no, it didn't help. More or less the same issue.

So:
Code:
# mv -iv grsec_170307_g0n_01 grsec_170307_g0n_01_abandoned


I think I need to update my system. It's over 10 days since the last update. Too long... I'll be back to solve this issue in about one day, after cloning the system clean from Air-Gapped and re-doing the successful part of the procedures that I've done so far.
(
Also because I had an issue that I might look into:
Code:
6a87d2247b160cd43c8c64255d4f6ac81c5c885f175678d3880b3be9b4583077  dump_170307_1623_g0n.pcap

)

Regards!
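
Since the policy edits in this thread are all about subject flags (`o`, `l`), object lists and capability lines, here is an added example, my own Python and not part of the post or of gradm, that parses a policy in this format and reports the things a reviewer would look for: subjects left in learning mode, subjects whose only object is a hidden `/` without the `l` flag, duplicated object or capability lines, and subjects with no capability lines at all. The sample policy is constructed from patterns in this thread; the subject named `helper-hypothetical` is invented purely to trigger the checks, and only the syntax visible in the thread is handled.

```python
"""Lint a grsecurity RBAC policy for the issues discussed in this thread.

Added example; not code from the post, nor part of gradm. Only the policy
syntax visible in the thread is handled: role / subject headers, indented
object lines (path plus optional mode), +CAP_/-CAP_ lines, bind / connect /
sock_allow_family lines and the role- or subject-level transition lists.
"""
from dataclasses import dataclass, field


@dataclass
class Subject:
    role: str
    path: str
    flags: str                                   # e.g. "o", "ol", "oOl"; "" when absent
    objects: list = field(default_factory=list)  # (path, mode); mode "" = no access bits
    caps: list = field(default_factory=list)     # "+CAP_X" / "-CAP_X" in file order
    sockets: list = field(default_factory=list)  # bind / connect / sock_allow_family lines


_ROLE_ONLY = ("role_transitions", "role_allow_ip")
_TRANSITIONS = ("user_transition_allow", "group_transition_allow")


def parse_policy(text):
    """Split a policy into Subject records; role-level settings are skipped."""
    subjects, role, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("..."):
            continue                    # comments, blanks, "...[ N fewer lines ]..." elisions
        tok = line.split()
        if tok[0] == "role":
            role, cur = tok[1], None
            continue
        if tok[0] == "subject":
            cur = Subject(role, tok[1], tok[2] if len(tok) > 2 else "")
            subjects.append(cur)
            continue
        if cur is None or tok[0] in _ROLE_ONLY or tok[0] in _TRANSITIONS:
            continue                    # role-level settings and transition lists; not checked here
        if tok[0][:1] in "+-" and tok[0][1:].startswith("CAP_"):
            cur.caps.append(tok[0])
        elif tok[0] in ("bind", "connect", "sock_allow_family"):
            cur.sockets.append(line)
        elif tok[0].startswith("$"):
            continue                    # policy variable such as $grsec_denied
        else:
            cur.objects.append((tok[0], tok[1] if len(tok) > 1 else ""))
    return subjects


def lint(subjects):
    """Return (subject, kind, detail) findings for the checks described in the lead-in."""
    findings = []
    for s in subjects:
        name = f"{s.role}:{s.path}"
        learning = "l" in s.flags
        if learning:
            findings.append((name, "learning", "l flag set: accesses are logged, not enforced"))
        if s.objects == [("/", "h")] and not learning:
            findings.append((name, "hidden-root-only", "only object is a hidden /; nothing is reachable"))
        seen = set()
        for path, _mode in s.objects:
            if path in seen:
                findings.append((name, "duplicate-object", path))
            seen.add(path)
        seen = set()
        for cap in s.caps:
            if cap in seen:
                findings.append((name, "duplicate-cap", cap))
            seen.add(cap)
        if not s.caps:
            findings.append((name, "no-cap-lines", "no +CAP_/-CAP_ line; capability set not stated"))
    return findings


def kinds_for(findings, name):
    """Sorted, de-duplicated finding kinds for one subject."""
    return sorted({kind for subj, kind, _ in findings if subj == name})


# Constructed sample: patterns taken from the policy excerpts in this thread,
# plus an invented "helper-hypothetical" subject that exercises the checks.
SAMPLE_POLICY = """\
role root uG
role_transitions admin shutdown
role_allow_ip   0.0.0.0/32
user_transition_allow apache miro tcpdump qemu
group_transition_allow apache miro tcpdump kvm libvirt qemu
# Role: root
subject /
   /               h
   /bin            rx
   /mnt            r
   /mnt            r
   -CAP_ALL
   +CAP_CHOWN
   bind   disabled
   connect   disabled

# Role: root
subject /sbin/dhcpcd ol
   /            h
   bind   disabled
   connect   disabled

# Role: root
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/libexec/helper-hypothetical o
   /               h
   -CAP_ALL
   -CAP_NET_RAW
   -CAP_NET_RAW
   bind   disabled
   connect   disabled
"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for subj, kind, detail in lint(parse_policy(text)):
        print(f"{subj}\t{kind}\t{detail}")
```

Pointed at a real file (`python3 lint.py /etc/grsec/policy`) it lists every subject still carrying the `l` flag, which is the list to clear before the policy is considered enforcing, and the duplicate lines it reports (the repeated `/mnt r`, `/dev/snd rw` and `-CAP_NET_RAW` entries in the policy dump later in this thread are of that kind) are harmless but make a long policy harder to review by eye.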

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 8:28 am

For the fourth time, almost all over again.
First, the programs installed.
The command and its output:
Code:
# for i in libvirt qemu spice spice-gtk xf86-video-qxl virt-manager virt-viewer ; do echo "[b]emerge -pv $i[/b]"  >> TMP ; echo "[code]"  >> TMP ; emerge -pv $i  >> TMP ; echo "[/code]"  >> TMP ; echo >> TMP ; done ;


emerge -pv libvirt
Code:

These are the packages that would be merged, in order:

Calculating dependencies  ... done!
[ebuild   R    ] app-emulation/libvirt-3.1.0:0/3.1.0::gentoo  USE="audit caps libvirtd macvtap nls qemu sasl vepa virt-network -apparmor -dbus -firewalld -fuse -glusterfs -iscsi -libssh -lvm -lxc -nfs -numa -openvz -parted -pcap -phyp -policykit -rbd (-selinux) -udev -uml -virtualbox -wireshark-plugins -xen -zeroconf -zfs" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv qemu
Code:

These are the packages that would be merged, in order:

Calculating dependencies  ..... done!
[ebuild   R    ] app-emulation/qemu-2.8.0-r6::gentoo  USE="aio alsa bzip2 caps curl fdt filecaps gnutls gtk gtk2 jpeg ncurses nls opengl pin-upstream-blobs png python sasl sdl seccomp spice threads usb usbredir vhost-net vnc xattr -accessibility -bluetooth -debug -glusterfs -infiniband -iscsi -lzo -nfs -numa -pulseaudio -rbd -sdl2 (-selinux) -smartcard -snappy -ssh -static -static-user -systemtap -tci {-test} -vde -virgl -virtfs -vte -xen -xfs" LINGUAS="-bg -de_DE -fr_FR -hu -it -tr -zh_CN" PYTHON_TARGETS="python2_7" QEMU_SOFTMMU_TARGETS="arm i386 x86_64 -aarch64 -alpha -cris -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -moxie -or32 -ppc -ppc64 -ppcemb -s390x -sh4 -sh4eb -sparc -sparc64 -tricore -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="arm i386 x86_64 -aarch64 -alpha -armeb -cris -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -mipsn32 -mipsn32el -or32 -ppc -ppc64 -ppc64abi32 -ppc64le -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -tilegx" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv spice
Code:

These are the packages that would be merged, in order:

Calculating dependencies  .... done!
[ebuild   R    ] app-emulation/spice-0.13.3::gentoo  USE="gstreamer sasl -libressl -lz4 -smartcard -static-libs" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv spice-gtk
Code:

These are the packages that would be merged, in order:

Calculating dependencies  .... done!
[ebuild   R    ] net-misc/spice-gtk-0.31-r1::miro  USE="gstreamer gtk2 sasl -dbus -introspection -libressl -lz4 -policykit -pulseaudio -python -smartcard -static-libs -usbredir -vala -webdav" PYTHON_SINGLE_TARGET="python3_4 -python2_7" PYTHON_TARGETS="python2_7 python3_4" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv xf86-video-qxl
Code:

These are the packages that would be merged, in order:

Calculating dependencies  ... done!
[ebuild   R    ] x11-drivers/xf86-video-qxl-0.1.5::gentoo  USE="xspice" PYTHON_TARGETS="python2_7" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv virt-manager
Code:

These are the packages that would be merged, in order:

Calculating dependencies  ... done!
[ebuild   R    ] app-emulation/virt-manager-1.4.0-r2::gentoo  USE="sasl -debug -gnome-keyring -gtk -policykit" LINGUAS="-as -bg -bn_IN -bs -ca -cmn -cs -da -de -en_GB -es -fi -fr -gu -hi -hr -hu -is -it -ja -kn -ko -ml -mr -ms -nb -nl -or -pa -pl -pt -pt_BR -ro -ru -sk -sr -sr@latin -sv -ta -te -tr -uk -vi -zh_CN -zh_TW" PYTHON_TARGETS="python2_7" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


emerge -pv virt-viewer
Code:

These are the packages that would be merged, in order:

Calculating dependencies  . ... done!
[ebuild   R    ] app-emulation/virt-viewer-3.1-r2::miro  USE="sasl spice vnc -debug" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


I'm aware I have issues with spice, and I'll deal with them later, I hope. But for qemu and virt-viewer the "vnc" flag is enabled, and that should do for most libvirt use (not for Whonix, but that is another battle to fight, the sans-dbus one).

And, in a separate post, for clarity, I'll post all the relevant parts of my current /etc/grsec/policy.

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 8:36 am

I give you a huge part of my /etc/grsec/policy now: anything suspected to be libvirt-related, and related to the errors from almost three days ago.

Code:
# ls -l grsec_170310_g0n_00*
-rw------- 1 root root 171317 2017-03-08 18:46 grsec_170310_g0n_00
-rw------- 1 root root  12916 2017-03-10 13:02 grsec_170310_g0n_00_virt
#


Huge chunks cut out are marked with the number of lines removed ("fewer"). Small numbers of lines, one to ten or so, are marked with just "...". I removed all of those because I assessed that they are of no importance to the issue we're dealing with here.

Below it is all in one piece, without comments. In the next post, I'll try to analyze it for a solution.

# cat grsec_170310_g0n_00_virt
Code:
...[ 323 fewer lines ]...

role admin sA
subject / rvka
   / rwcdmlxi

role default G
role_transitions admin shutdown
subject /
   /      r
   /opt      rx
   /home      rwxcd
   /mnt      rw
   /dev
   /dev/urandom   r
   /dev/random   r
   /dev/zero   rw
   /dev/input   rw
   /dev/psaux   rw
   /dev/null   rw
   /dev/tty?   rw
   /dev/console   rw
   /dev/tty   rw
   /dev/pts   rw
   /dev/ptmx   rw
   /dev/dsp   rw
   /dev/mixer   rw
   /dev/initctl   rw
   /dev/fd0   r
   /dev/cdrom   r
   /dev/sr0   r
   /bin      rx
   /sbin      rx
   /lib      rx
   /lib32      rx
   /libx32      rx
   /lib64      rx
   /usr      rx
# compilation of kernel code should be done within the admin role   
   /usr/src   h
   /etc      rx
   /proc      rwx
   /proc/sys   r
   /sys      h
   /root      r
   /run      r
   /tmp      rwcd
   /var      rwxcd
   /var/tmp   rwcd
   /var/log   r
# hide the kernel images and modules
   $grsec_denied

# if sshd needs to be restarted, it can be done through the admin role
# restarting sshd should be followed immediately by a gradm -u
   /usr/sbin/sshd
   
   -CAP_KILL
   -CAP_SYS_TTY_CONFIG
   -CAP_LINUX_IMMUTABLE
   -CAP_NET_RAW
   -CAP_MKNOD
   -CAP_SYS_ADMIN
   -CAP_SYS_RAWIO
   -CAP_SYS_MODULE
   -CAP_SYS_PTRACE
   -CAP_NET_ADMIN
   -CAP_NET_BIND_SERVICE
   -CAP_NET_RAW
   -CAP_SYS_CHROOT
   -CAP_SYS_BOOT
   -CAP_SETFCAP
   -CAP_SYSLOG

...[ 108 fewer lines ]...

subject /sbin/init
   /var/log/wtmp w

...[ 117 fewer lines ]...

role root uG
role_transitions admin shutdown
...
role_allow_ip   0.0.0.0/32
user_transition_allow apache miro tcpdump qemu
group_transition_allow apache miro tcpdump kvm libvirt qemu
# Role: root
subject /
   /               h
   ...
   /bin            rx
   /sbin            rx
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/tty         rw
   /dev/urandom         r
   /etc            rx
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /export            h
   /export/data         
   /export/home         
   /home            h
   /home/miro         rx
   /lib64            rx
   /lib64/firmware         h
   /lib64/firmware/radeon      
   /lib64/modules         h
   /mnt            r
   /mnt            r
   ...
   /opt            
   /opt/icedtea-bin-*/bin/java   x
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /root         rxcdl
   /run            rd
   /run/dhcpcd         r
   /sys            
   /sys/fs/cgroup         
   /tmp            rwcd
   /usr            
   /usr/bin         rx
   /usr/include         r
   /usr/lib64         rx
   /usr/libexec         rx
   /usr/local         r
   /usr/local/bin         rx
   /usr/sbin         rx
   /usr/share         r
   /usr/src         rx
   /usr/x86_64-pc-linux-gnu
   /usr/x86_64-pc-linux-gnu/binutils-bin   x
   /usr/x86_64-pc-linux-gnu/gcc-bin   x
   /var            
   /var/lib         r
   /var/log         r
   /var/run         rd
   /var/spool         
   /var/spool/postfix      r
   -CAP_ALL
   +CAP_CHOWN
   +CAP_DAC_OVERRIDE
   +CAP_DAC_READ_SEARCH
   +CAP_FOWNER
   +CAP_KILL
   bind   disabled
   connect   disabled

# Role: root
subject /bin/bash o
   /               
   ...
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/tty         rw
   /etc            r
   /etc/X11            r
   /etc/X11/chooser.sh         x
   /etc/bash         h
   /etc/bash/bash_logout      r
   /etc/bash/bashrc      r
   /etc/bash/bashrc.d      
   /etc/cron.hourly      
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/init.d            rwx
   /etc/java-config-2      h
   /etc/java-config-2/current-system-vm   rx
   /etc/mactab         w
   /etc/postfix         wc
   /etc/profile.d         
   /etc/profile.d/java-config-2.sh   r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /etc/terminfo         
   /etc/terminfo/l/linux      r
   /etc/terminfo/r/rxvt-unicode   r
   /export            rwxcd
   /home            
   /home/miro         rw
   /lib64            rx
   /lib64/modules         h
   /mnt            
   /opt            
   /opt/cin         x
   /opt/icedtea-bin-*   rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         
   /proc/sys/kernel      
   /proc/sys/kernel/grsecurity      w
#   /proc/sys/kernel/grsecurity/audit_chdir   w
#   /proc/sys/kernel/grsecurity/exec_logging   w
   /proc/sys/net/netfilter      w
#   /proc/sys/net/netfilter/nf_conntrack_timestamp   w
   /root            rwcdl
   /run            r
   /run/apache2.pid   d
   /run/cgisock*      d
   /sbin            x
   /sys            h
   /tmp            rwcdl
   /usr            
   /usr/bin         x
   /usr/bin/xkbcomp   rx
   /usr/lib64         rx
   /usr/local         r
   /usr/local/bin      rx
   /usr/sbin         x
   /usr/sbin/sendmail   rx
   /usr/sbin/tcpdump   x
   /usr/share         h
   /usr/share/info      r
   /usr/share/locale      r
   /usr/share/terminfo      r
   /usr/src         rwxc
   /usr/x86_64-pc-linux-gnu
   /usr/x86_64-pc-linux-gnu/binutils-bin   x
   /usr/x86_64-pc-linux-gnu/gcc-bin   x
   /var            
   /var/lib         
   /var/lib/clamav         
   /var/lib/portage      
   /var/spool            rwcd
   -CAP_ALL
   +CAP_CHOWN
   +CAP_DAC_OVERRIDE
   +CAP_DAC_READ_SEARCH
   +CAP_FOWNER
   +CAP_KILL
   +CAP_SYS_ADMIN
   bind   disabled
   connect   disabled
   sock_allow_family all

...[ 1075 fewer lines ]...

# Role: root
subject /sbin/init o
   /            h
   /bin
   /bin/login         x
   /dev            h
   /dev/console         rw
   /dev/initctl         rw
   /dev/log         rw
   /run            h
   /run/utmp         rw
   /sbin            h
   /sbin/agetty         x
   /usr
   /usr/bin
   /usr/bin/gpg-agent      rx
   /usr/sbin/conntrackd   r
   /var            h
   /var/log/wtmp         w
   /var/lib/dhcpcd         w
   -CAP_ALL
   +CAP_MKNOD
   bind   disabled
   connect   disabled

...[ 137 fewer lines ]...

# Role: root
subject /sbin/dhcpcd o
   /            h
   /etc            h
   /etc/dhcpcd.conf      r
   /lib64            h
   /lib64/dhcpcd/dhcpcd-run-hooks   x
   /proc            rw
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /run            h
   /run/dhcpcd*         wd
   /sbin            h
   /sbin/dhcpcd         rx
   /var            h
   /var/lib
   /var/lib/dhcpcd*      rwcd
   -CAP_ALL
   +CAP_NET_BIND_SERVICE
   +CAP_NET_ADMIN
   +CAP_NET_RAW
   +CAP_SYS_MODULE
   bind 0.0.0.0/32:0 dgram ip
   connect   disabled
   sock_allow_family ipv6 netlink packet

...[ 1144 fewer lines ]...

# Role: root
subject /usr/bin/virsh ol
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   bind   disabled
   connect   disabled

# Role: root
subject /usr/bin/virt-install oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/bin/virt-viewer oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 481 fewer lines ]...

# Role: root
subject /usr/libexec/libvirt-guests.sh oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/libexec/libvirt_iohelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/libexec/libvirt_leaseshelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 44 fewer lines ]...

# Role: root
subject /usr/libexec/qemu-bridge-helper ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 81 fewer lines ]...

# Role: root
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/sbin/virtlockd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/sbin/virtlogd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 808 fewer lines ]...

role kvm gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

role libvirt gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

...[ 98 fewer lines ]...

role qemu ul
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

role qemu gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

...[ 34 fewer lines ]...

role miro u
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
role_allow_ip   0.0.0.0/32
# Role: miro
subject /
   /               h
   ...
   /bin            rx
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/kvm         r
   /dev/log         h
   /dev/mapper         h
   /dev/mapper/Msy         
   /dev/mem         h
   /dev/net         r
   /dev/net/tun      rwx
   /dev/null         rw
   /dev/port         h
   /dev/ptmx         rw
   /dev/pts         rw
   /dev/snd         rw
   /dev/snd         rw
   /dev/sr*         rw
   /dev/tty         rw
   /dev/tty?         rw
   /dev/urandom         r
   /dev/v4l         h
   /dev/v4l/video0         rw
   /dev/video0         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /export            h
   /export/data         
   /export/home         
   /home            
   /home/miro         rwxcdl
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   ...
   /opt            
   /opt/icedtea-bin-*   rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /run            
   /run/utmp         r
   /sbin            h
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            
   /sys/fs/cgroup         
   /tmp            rwcd
   /usr            
   /usr/bin         rx
   /usr/lib64         rx
   /usr/libexec         rx
   /usr/local         
   /usr/local/bin         rx
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/sbin/tcpdump      x
   /usr/share         r
   /usr/share/locale      r
   /usr/share/doc         r
   /usr/src         h
   /usr/x86_64-pc-linux-gnu   x
   /var            
   /var/cache         h
   /var/cache/fontconfig      r
   /var/lib         h
   /var/lib/lurker         rwcdl
   /var/lib/nfs/rpc_pipefs      
   /var/log         h
   /var/www
   /var/www/localhost/htdocs      rwcdl
   /var/www/lurker*      rwcdl
   -CAP_ALL
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   disabled
   sock_allow_family unix inet

# Role: miro
subject /bin/bash o
   /               
   ...
   /export            rwxcd
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/kvm         r
   /dev/log         h
   /dev/mem         h
   /dev/net         r
   /dev/net/tun      rwx
   /dev/null         rw
   /dev/port         h
   /dev/sr0         r
   /dev/tty         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home
   /home/miro         rwxcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   ...
   /opt            
   /opt/cin         x
   /opt/icedtea-bin-*   rx
   /proc            h
   /proc/meminfo         r
   /sbin            h
   /sbin/conntrack      x      
   /sbin/ldconfig      x
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            h
   /tmp            rwcd
   /usr            
   /usr/bin         x
   /usr/bin/java      rx
   /usr/bin/mplayer   rx
   /usr/bin/mpv      rx
   /usr/bin/qemu-system-x86_64   rx
   /usr/bin/ssh      rx
   /usr/bin/xkbcomp   rx
   /usr/bin/urxvt         rx
   /usr/bin/tzap         rx
   /usr/lib64         rx
   /usr/libexec      rx
   /usr/local         
   /usr/local/bin         rwxc
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/sbin/tcpdump      x
   /usr/share         h
   /usr/share/virt-manager         x
   /usr/share/cvs/contrib/rcs2log
   /usr/share/doc         r
   /usr/share/info      r
   /usr/share/locale      r
   /usr/share/terminfo      r
   /usr/src         rwxc
   # needed by youtube-dl
   /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump   x
   /var            
   /var/lib
   /var/lib/lurker         rwcdl
   /var/log         h
   /var/tmp         rwcd
   /var/www            
   /var/www/lurker*         rwcd
   /var/www/localhost
   /var/www/localhost/htdocs         rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family all

...[ 2108 fewer lines  ]...

# Role: miro
subject /usr/bin/python2.7 ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 60 fewer lines ]...

# Role: miro
subject /usr/bin/qemu-system-x86_64 ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt-guests.sh oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt_iohelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt_leaseshelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/qemu-bridge-helper ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 573 fewer lines ]...

# Role: miro
subject /usr/bin/virsh ol
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-install oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-viewer oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 895 fewer lines ]...

# Role: miro
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/sbin/virtlockd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/sbin/virtlogd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 60 fewer lines ]...

Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 10:34 am

The lines that still are a source of some bewilderment to me are those that say how... (repasting one of the last entries from the post three days --not "about one day", but three days-- ago, or around there).
Code: Select all
Mar  7 06:13:07 g0n kernel: [77771.539524] grsec: (default:D:/) use of CAP_NET_ADMIN denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

...how, for the subject /usr/sbin/dnsmasq running under role default, the Linux capability (see "man capabilities") CAP_NET_ADMIN (and also CAP_NET_BIND_SERVICE and CAP_NET_RAW in neighboring lines) was denied. And how the said subject /usr/sbin/dnsmasq was running as user nobody (uid/euid 65534/65534), group nobody (gid/egid 65534/65534), under parent /sbin/init[init:1] (pls. take note, that's process number 1), which, in its turn, was running as user/group root (uid/euid:0/0 gid/egid:0/0)...

Wow, that was clear evidence something is likely not exactly perfect with my policy... Esp. because with all my tries, I have not been able to get the /usr/sbin/dnsmasq to run as anything other than the least privileged of all users and groups, the nobody/nobody (just grep /etc/group and /etc/passwd for "nobody")!

So here is my thinking, and if any really advanced grsecurity users/programmers have a piece of advice/suggestion to share on this issue, I'll be glad to read!

I'll expose my thinking along with the dissection of that 7.5% (I issued
Code: Select all
:!echo "1291600000/171317"|bc
in my vim, and interpolated the decimal point where due) of my entire current /etc/grsec/policy.

This is from the start of the file. Because the mind-boggling issue above has to do with /sbin/init (and /usr/sbin/dnsmasq, but for a long, too long, number of lines there won't be any mention of /usr/sbin, let alone /usr/sbin/dnsmasq. In fact, dnsmasq has previously worked for me without a dedicated policy entry... and there is currently --I have in the meantime tried to learn on it as a subject, but failed, and reverted-- no entry whatsoever holding /usr/sbin/dnsmasq in my entire policy)...
So because this issue has to do with /sbin/init (and /usr/sbin/dnsmasq), I took out, not just all that has to do with virtualization, but also with the /sbin/init subject, and cut out what likely has no influence on this issue.
Code: Select all
...[ 323 fewer lines ]...


The role that's short and quick to paste. Has all the power. The actual "root" user in the grsecurity-hardening world.
Code: Select all
role admin sA
subject / rvka
   / rwcdmlxi


This, the "default" below, is the role that those " denied " lines are reported under! (find "(default:D:/)" above, and in most of the " denied " lines in previous posts). Face to face with the role that for some reasons (probably my mismanagement of it) doesn't do some of its tasks as it should:
Code: Select all
role default G
role_transitions admin shutdown
subject /
   /      r
   /opt      rx
   /home      rwxcd
   /mnt      rw
   /dev
   /dev/urandom   r
   /dev/random   r
   /dev/zero   rw
   /dev/input   rw
   /dev/psaux   rw
   /dev/null   rw
   /dev/tty?   rw
   /dev/console   rw
   /dev/tty   rw
   /dev/pts   rw
   /dev/ptmx   rw
   /dev/dsp   rw
   /dev/mixer   rw
   /dev/initctl   rw
   /dev/fd0   r
   /dev/cdrom   r
   /dev/sr0   r
   /bin      rx

I'm interrupting this / subject of role default, to call readers' (and my own) attention to /sbin being readable and executable in role default (/sbin/init is under /sbin, obviously)...
Code: Select all
   /sbin      rx
   /lib      rx
   /lib32      rx
   /libx32      rx
   /lib64      rx
   /usr      rx
# compilation of kernel code should be done within the admin role   
   /usr/src   h
   /etc      rx
   /proc      rwx
   /proc/sys   r
   /sys      h
   /root      r
   /run      r
   /tmp      rwcd

And while I'm at role default, subject / , should adding "/usr/sbin/dnsmasq" here --notice I try to arrange all entries alphabetically, I believe that's simply recommended practice-- be of any help towards a solution to this issue?
Code: Select all
   /var      rwxcd
   /var/tmp   rwcd
   /var/log   r
# hide the kernel images and modules
   $grsec_denied

# if sshd needs to be restarted, it can be done through the admin role
# restarting sshd should be followed immediately by a gradm -u
   /usr/sbin/sshd
   
   -CAP_KILL
   -CAP_SYS_TTY_CONFIG
   -CAP_LINUX_IMMUTABLE

Look! Look! the abovementioned CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW are all disabled in role default! (And I feel that I might be, slowly and stubbornly, inching towards a solution.

Of course, this is the right thing to do. These lines below are part of the grsecurity policy that is delivered upon installation, and it is correct that connecting to the internet is not something to be allowed under the default role.

...IOW, even if I added /usr/sbin/dnsmasq above (wrong idea, I now understand), because of these capabilities being denied, that addition would not be of any help!...

And also, the solution can not be in the role default... But getting /usr/sbin/dnsmasq to run under some role fitting of it, not under role default...

Yes, /usr/sbin/dnsmasq wasn't supposed to be running under role default... More searching about for what is wrong in my policy...)
Code: Select all
   -CAP_NET_RAW
   -CAP_MKNOD
   -CAP_SYS_ADMIN
   -CAP_SYS_RAWIO
   -CAP_SYS_MODULE
   -CAP_SYS_PTRACE
   -CAP_NET_ADMIN
   -CAP_NET_BIND_SERVICE
   -CAP_NET_RAW
   -CAP_SYS_CHROOT
   -CAP_SYS_BOOT
   -CAP_SETFCAP
   -CAP_SYSLOG

...[ 108 fewer lines ]...

Still in role default. Don't know what wtmp is. And I hope it's not indispensable for me to know that at this time. If it shows to be necessary, I'll search for some explanation of it with duckduckgo.com...
Code: Select all
subject /sbin/init
   /var/log/wtmp w

...[ 117 fewer lines ]...

End of role default.

The role root. Almost like a normal user in the world of grsecurity, this is certainly not the admin of the grsecurity-hardened system, but just the second most powerful only.
Code: Select all
role root uG
role_transitions admin shutdown
...
role_allow_ip   0.0.0.0/32

See transition allowed for root to user qemu, and to groups kvm, libvirt and qemu. That part is OK, and it actually has been doing its job, as can be seen in the syslog excerpts that I posted.
Code: Select all
user_transition_allow apache miro tcpdump qemu
group_transition_allow apache miro tcpdump kvm libvirt qemu
# Role: root
subject /
   /               h
   ...
   /bin            rx

Calling attention to /sbin, which contains the /sbin/init. Read and execute perms allowed.
Code: Select all
   /sbin            rx
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/tty         rw
   /dev/urandom         r
   /etc            rx
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /export            h
   /export/data         
   /export/home         
   /home            h
   /home/miro         rx
   /lib64            rx
   /lib64/firmware         h
   /lib64/firmware/radeon      
   /lib64/modules         h
   /mnt            r
   /mnt            r
   ...
   /opt            
   /opt/icedtea-bin-*/bin/java   x
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         h
   /root         rxcdl
   /run            rd
   /run/dhcpcd         r
   /sys            
   /sys/fs/cgroup         
   /tmp            rwcd
   /usr            
   /usr/bin         rx
   /usr/include         r
   /usr/lib64         rx
   /usr/libexec         rx
   /usr/local         r
   /usr/local/bin         rx

The first mention of /usr/sbin, which contains the /usr/sbin/dnsmasq. Read and execute perms allowed.
Code: Select all
   /usr/sbin         rx
   /usr/share         r
   /usr/src         rx
   /usr/x86_64-pc-linux-gnu
   /usr/x86_64-pc-linux-gnu/binutils-bin   x
   /usr/x86_64-pc-linux-gnu/gcc-bin   x
   /var            
   /var/lib         r
   /var/log         r
   /var/run         rd
   /var/spool         
   /var/spool/postfix      r

Pls. note that CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW are not explicitly allowed, which means that, with the "-CAP_ALL" there, they are denied.
Code: Select all
   -CAP_ALL
   +CAP_CHOWN
   +CAP_DAC_OVERRIDE
   +CAP_DAC_READ_SEARCH
   +CAP_FOWNER
   +CAP_KILL
   bind   disabled
   connect   disabled

# Role: root
subject /bin/bash o
   /               
   ...
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/log         h
   /dev/mem         h
   /dev/null         rw
   /dev/port         h
   /dev/tty         rw
   /etc            r
   /etc/X11            r
   /etc/X11/chooser.sh         x
   /etc/bash         h
   /etc/bash/bash_logout      r
   /etc/bash/bashrc      r
   /etc/bash/bashrc.d      
   /etc/cron.hourly      
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/init.d            rwx
   /etc/java-config-2      h
   /etc/java-config-2/current-system-vm   rx
   /etc/mactab         w
   /etc/postfix         wc
   /etc/profile.d         
   /etc/profile.d/java-config-2.sh   r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /etc/terminfo         
   /etc/terminfo/l/linux      r
   /etc/terminfo/r/rxvt-unicode   r
   /export            rwxcd
   /home            
   /home/miro         rw
   /lib64            rx
   /lib64/modules         h
   /mnt            
   /opt            
   /opt/cin         x
   /opt/icedtea-bin-*   rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /proc/sys         
   /proc/sys/kernel      
   /proc/sys/kernel/grsecurity      w
#   /proc/sys/kernel/grsecurity/audit_chdir   w
#   /proc/sys/kernel/grsecurity/exec_logging   w
   /proc/sys/net/netfilter      w
#   /proc/sys/net/netfilter/nf_conntrack_timestamp   w
   /root            rwcdl
   /run            r
   /run/apache2.pid   d
   /run/cgisock*      d
   /sbin            x
   /sys            h
   /tmp            rwcdl
   /usr            
   /usr/bin         x
   /usr/bin/xkbcomp   rx
   /usr/lib64         rx
   /usr/local         r
   /usr/local/bin      rx

Another mention of /usr/sbin, which contains the /usr/sbin/dnsmasq. Read and execute perms allowed.
Code: Select all
   /usr/sbin         x

Maybe I should add " /usr/sbin/dnsmasq rx" here. But would it be necessary? There's no mention of subject /usr/sbin/dnsmasq running as ?/? denied (under) parent /bin/bash running itself as root/root in the " denied " lines... Don't know.
Code: Select all
   /usr/sbin/sendmail   rx
   /usr/sbin/tcpdump   x
   /usr/share         h
   /usr/share/info      r
   /usr/share/locale      r
   /usr/share/terminfo      r
   /usr/src         rwxc
   /usr/x86_64-pc-linux-gnu
   /usr/x86_64-pc-linux-gnu/binutils-bin   x
   /usr/x86_64-pc-linux-gnu/gcc-bin   x
   /var            
   /var/lib         
   /var/lib/clamav         
   /var/lib/portage      
   /var/spool            rwcd

CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW are not explicitly allowed here either, which means that, with the "-CAP_ALL" there, they are denied.
Code: Select all
   -CAP_ALL
   +CAP_CHOWN
   +CAP_DAC_OVERRIDE
   +CAP_DAC_READ_SEARCH
   +CAP_FOWNER
   +CAP_KILL
   +CAP_SYS_ADMIN
   bind   disabled
   connect   disabled
   sock_allow_family all

...[ 1075 fewer lines ]...


Now we come to /sbin/init.
Code: Select all
# Role: root
subject /sbin/init o
   /            h
   /bin
   /bin/login         x
   /dev            h
   /dev/console         rw
   /dev/initctl         rw
   /dev/log         rw
   /run            h
   /run/utmp         rw
   /sbin            h
   /sbin/agetty         x
   /usr
   /usr/bin
   /usr/bin/gpg-agent      rx
   /usr/sbin/conntrackd   r

/usr/sbin/dnsmasq not there.
Code: Select all
   /var            h
   /var/log/wtmp         w
   /var/lib/dhcpcd         w

CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW are disallowed here. Should I allow them?
Code: Select all
   -CAP_ALL
   +CAP_MKNOD
   bind   disabled
   connect   disabled

...[ 137 fewer lines ]...

# Role: root
subject /sbin/dhcpcd o
   /            h
   /etc            h
   /etc/dhcpcd.conf      r
   /lib64            h
   /lib64/dhcpcd/dhcpcd-run-hooks   x
   /proc            rw
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /run            h
   /run/dhcpcd*         wd
   /sbin            h
   /sbin/dhcpcd         rx
   /var            h
   /var/lib
   /var/lib/dhcpcd*      rwcd

Look, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW are allowed here. Generally my dhcpcd works fine.
Code: Select all
   -CAP_ALL
   +CAP_NET_BIND_SERVICE
   +CAP_NET_ADMIN
   +CAP_NET_RAW
   +CAP_SYS_MODULE
   bind 0.0.0.0/32:0 dgram ip
   connect   disabled
   sock_allow_family ipv6 netlink packet

...[ 1144 fewer lines ]...


Now we have lots of libvirt and related subjects set to learning.
Code: Select all
# Role: root
subject /usr/bin/virsh ol
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   bind   disabled
   connect   disabled

# Role: root
subject /usr/bin/virt-install oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/bin/virt-viewer oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 481 fewer lines ]...

# Role: root
subject /usr/libexec/libvirt-guests.sh oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/libexec/libvirt_iohelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/libexec/libvirt_leaseshelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 44 fewer lines ]...

# Role: root
subject /usr/libexec/qemu-bridge-helper ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 81 fewer lines ]...

# Role: root
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/sbin/virtlockd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: root
subject /usr/sbin/virtlogd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 808 fewer lines ]...

role kvm gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

role libvirt gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

...[ 98 fewer lines ]...

role qemu ul
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

role qemu gl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu

...[ 34 fewer lines ]...


Since under role miro I start virt-install (which then calls virt-viewer), these are another stretch of important policies.

The transitions are allowed correctly.
Code: Select all
role miro u
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
role_allow_ip   0.0.0.0/32
# Role: miro
subject /
   /               h
   ...
   /bin            rx
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/kvm         r
   /dev/log         h
   /dev/mapper         h
   /dev/mapper/Msy         
   /dev/mem         h
   /dev/net         r
   /dev/net/tun      rwx
   /dev/null         rw
   /dev/port         h
   /dev/ptmx         rw
   /dev/pts         rw
   /dev/snd         rw
   /dev/snd         rw
   /dev/sr*         rw
   /dev/tty         rw
   /dev/tty?         rw
   /dev/urandom         r
   /dev/v4l         h
   /dev/v4l/video0         rw
   /dev/video0         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /export            h
   /export/data         
   /export/home         
   /home            
   /home/miro         rwxcdl
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   ...
   /opt            
   /opt/icedtea-bin-*   rx
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
   /proc/slabinfo         h
   /run            
   /run/utmp         r

Have a look, /sbin (holding the /sbin/init) is hidden. Pls. see the note 13 lines below in regard.
Code: Select all
   /sbin            h
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            
   /sys/fs/cgroup         
   /tmp            rwcd
   /usr            
   /usr/bin         rx
   /usr/lib64         rx
   /usr/libexec         rx
   /usr/local         
   /usr/local/bin         rx

Here my lack of knowledge comes to the fore. I see below that /usr/sbin (which holds the currently very important /usr/sbin/dnsmasq) is also hidden...

Hmmh... I was wondering: I start the virt-install script on the command line as user miro. So, once the transition to some of the groups "kvm qemu libvirt" and, the libvirtd subject then also transitions it to user and group qemu... once some such transition happened, the entry below that hides /usr/sbin, as well as the entry above that hides /sbin, will be annulled, if I allow it in the necessary other places, or?
Code: Select all
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/sbin/tcpdump      x
   /usr/share         r
   /usr/share/locale      r
   /usr/share/doc         r
   /usr/src         h
   /usr/x86_64-pc-linux-gnu   x
   /var            
   /var/cache         h
   /var/cache/fontconfig      r
   /var/lib         h
   /var/lib/lurker         rwcdl
   /var/lib/nfs/rpc_pipefs      
   /var/log         h
   /var/www
   /var/www/localhost/htdocs      rwcdl
   /var/www/lurker*      rwcdl
   -CAP_ALL
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   disabled
   sock_allow_family unix inet

# Role: miro
subject /bin/bash o
   /               
   ...
   /export            rwxcd
   /bin            x
   /boot            h
   /dev            
   /dev/grsec         h
   /dev/kmem         h
   /dev/kvm         r
   /dev/log         h
   /dev/mem         h
   /dev/net         r
   /dev/net/tun      rwx
   /dev/null         rw
   /dev/port         h
   /dev/sr0         r
   /dev/tty         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home
   /home/miro         rwxcdl
   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /mnt            r
   ...
   /opt            
   /opt/cin         x
   /opt/icedtea-bin-*   rx
   /proc            h
   /proc/meminfo         r

Pls. see the note some 560 <something> lines above in regard.
Code: Select all
   /sbin            h
   /sbin/conntrack      x      
   /sbin/ldconfig      x
   /sbin/macchanger      
   /sbin/openrc         
   /sbin/xtables-multi      
   /sys            h
   /tmp            rwcd
   /usr            
   /usr/bin         x
   /usr/bin/java      rx
   /usr/bin/mplayer   rx
   /usr/bin/mpv      rx
   /usr/bin/qemu-system-x86_64   rx
   /usr/bin/ssh      rx
   /usr/bin/xkbcomp   rx
   /usr/bin/urxvt         rx
   /usr/bin/tzap         rx
   /usr/lib64         rx
   /usr/libexec      rx
   /usr/local         
   /usr/local/bin         rwxc

Pls. see the note some 580 <something> lines above in regard.
Code: Select all
   /usr/sbin         h
   /usr/sbin/sendmail      rx
   /usr/sbin/tcpdump      x
   /usr/share         h
   /usr/share/virt-manager         x
   /usr/share/cvs/contrib/rcs2log
   /usr/share/doc         r
   /usr/share/info      r
   /usr/share/locale      r
   /usr/share/terminfo      r
   /usr/src         rwxc
   # needed by youtube-dl
   /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump   x
   /var            
   /var/lib
   /var/lib/lurker         rwcdl
   /var/log         h
   /var/tmp         rwcd
   /var/www            
   /var/www/lurker*         rwcd
   /var/www/localhost
   /var/www/localhost/htdocs         rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family all

...[ 2108 fewer lines  ]...


And the rest is all only learning. Probably not any reasons for this last snag in there.
Code: Select all
# Role: miro
subject /usr/bin/python2.7 ol
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 60 fewer lines ]...

# Role: miro
subject /usr/bin/qemu-system-x86_64 ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt-guests.sh oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt_iohelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/libvirt_leaseshelper oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/libexec/qemu-bridge-helper ol
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 573 fewer lines ]...

# Role: miro
subject /usr/bin/virsh ol
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /               h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-install oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/bin/virt-viewer oOl
user_transition_allow root qemu
group_transition_allow root kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 895 fewer lines ]...

# Role: miro
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/sbin/virtlockd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

# Role: miro
subject /usr/sbin/virtlogd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled

...[ 60 fewer lines ]...


So what do I do? I'm still uncertain, will have to think more about it.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia
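The walk through the policy above (which subject a process falls under, and whether that subject's -CAP_ALL / +CAP_* / -CAP_* lines leave a capability granted) can be checked mechanically against the "(role:type:subject) use of CAP_* denied" line quoted at the top of the post. The following is an added example, not code from the post or from gradm: it parses such a denial line, reads a constructed policy excerpt modelled on the post (including a $grsec_denied define), and reports which subject governed the process and whether that subject grants the capability. Assumptions: the type letter in the log follows the role's u/g/s mode flags (D otherwise), a subject covers an executable whose path equals it or lies beneath it, and bind/connect/transition lines are irrelevant to the capability question and are skipped.

```python
import re

# A grsecurity RBAC capability denial as syslog shows it: "(role:type:subject)" gives the role,
# its type (D default, U user, G group, S special) and the subject the process was running under.
LOG_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) use of (?P<cap>CAP_[A-Z_]+) "
    r"denied for (?P<path>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+) "
    r"gid/egid:(?P<gid>\d+)/(?P<egid>\d+), parent (?P<ppath>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]"
)

def parse_denial(line):
    """Fields of a 'use of CAP_* denied' line, or None for any other line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def parse_policy(text):
    """Minimal gradm policy reader: role -> subject -> capability lines and objects.
    bind, connect, sock_allow_family and *_transition_allow lines are skipped."""
    roles, defines = {}, {}
    role = subj = define = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if define is not None:                        # inside "define name { ... }"
            if line == "}":
                define = None
            else:
                defines[define].append(line)
            continue
        tok = line.split()
        if tok[0] == "define":
            define, defines[tok[1]] = tok[1], []
        elif tok[0] == "role":
            flags = tok[2] if len(tok) > 2 else ""
            # assumption: the type letter in the log follows the role mode flags u/g/s, else D
            rtype = "U" if "u" in flags else "G" if "g" in flags else "S" if "s" in flags else "D"
            role = roles.setdefault(tok[1], {"type": rtype, "subjects": {}})
        elif tok[0] == "subject":
            subj = role["subjects"].setdefault(tok[1], {"caps": [], "objects": []})
        elif line.startswith(("+CAP_", "-CAP_")):
            subj["caps"].append(line)
        elif line.startswith("$"):                    # expand $grsec_denied and the like
            subj["objects"].extend(defines[line[1:]])
        elif line.startswith("/"):
            subj["objects"].append(line)
    return roles

def governing_subject(roles, role, exe):
    """Longest subject path of `role` covering `exe`; "/" catches everything without a subject of its own."""
    hits = [p for p in roles[role]["subjects"]
            if p == "/" or exe == p or exe.startswith(p.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def cap_allowed(roles, role, subject, cap):
    """Replay capability lines in order: without -CAP_ALL every capability starts out granted."""
    allowed = True
    for op in roles[role]["subjects"][subject]["caps"]:
        if op[1:] in (cap, "CAP_ALL"):
            allowed = op[0] == "+"
    return allowed

def explain_denial(roles, line):
    """Tie a denial back to the policy: role type, governing subject, and whether it grants the cap."""
    d = parse_denial(line)
    if d is None or d["role"] not in roles:
        return None
    gov = governing_subject(roles, d["role"], d["path"])
    return {"role_type_matches": roles[d["role"]]["type"] == d["rtype"],
            "governing_subject": gov,
            "has_own_subject": gov == d["path"],
            "cap_granted": cap_allowed(roles, d["role"], d["subject"], d["cap"])
            if d["subject"] in roles[d["role"]]["subjects"] else None}

# Constructed sample policy modelled on the excerpts in the post, not the poster's full file.
SAMPLE_POLICY = """\
define grsec_denied {
   /boot      h
}
role default G
subject /
   /      r
   $grsec_denied
   -CAP_NET_ADMIN
   -CAP_NET_RAW
role root uG
subject /
   /      h
   -CAP_ALL
subject /sbin/dhcpcd o
   -CAP_ALL
   +CAP_NET_ADMIN
   +CAP_NET_RAW
"""

# The denial line quoted in the post.
SAMPLE_LOG = ("Mar  7 06:13:07 g0n kernel: [77771.539524] grsec: (default:D:/) use of CAP_NET_ADMIN "
              "denied for /usr/sbin/dnsmasq[dnsmasq:4320] uid/euid:65534/65534 gid/egid:65534/65534, "
              "parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0")
```

Running explain_denial(parse_policy(SAMPLE_POLICY), SAMPLE_LOG) shows the situation described in the post: dnsmasq has no subject of its own, so the role's "/" subject governs it, and that subject explicitly removes CAP_NET_ADMIN.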

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 3:51 pm

ADDENDA: Just if by reading the huge chunks of my current /etc/grsec/policy, you're missing what $grsec_denied holds, here is that part:

head -267 grsec_170310_g0n_00 | tail -19
Code: Select all
define grsec_denied {
   /boot      h
   /dev/grsec   h
   /dev/kmem   h
   /dev/mem   h
   /dev/port   h
   /etc/grsec   h
   /proc/kcore   h
   /proc/slabinfo   h
   /proc/modules   h
   /proc/kallsyms   h
   # hide and suppress logs about accessing this path
   /lib/modules   hs
   /lib32/modules   hs
   /lib64/modules   hs
   /etc/ssh   h
# usage:
# $grsec_denied
}

(posting this, since it's faster than checking if that is still delivered as default for new installs)
---

Considering the ample excerpts from my /etc/grsec/policy that I just posted, it is not hard to conclude that my default role maybe is not all set up correctly.

And comparing it to what can be found in this two-year-old policy of mine:
A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153#p15003

you can see the default policy was back then just:
Code: Select all
role default
subject /
   /         h
   -CAP_ALL
   connect   disabled
   bind   disabled


What happened in the meantime?... I'm not sure I want to rummage through my archives to remember exactly when and how, but I remember having issues with some programs, and I'm not sure if some of the entries in the subject / of the default role which you can see are given some exec and read perms have those perms because of that... I hope not...

I'm not sure if any of the entries may have been a mistake...

I remember, for at least one of the past two years, I was disabling grsec before shutting the system down. Because I wasn't able to enter role shutdown (and I still can't) when logged in as role admin. Only later I discovered I need(ed) to log out of admin role, log into role shutdown, and then I was able to shut the system down.

But I don't remember details now, and if I made any wrong changes, and where...

I remember, at some different time during these two years, how I had some issues with the cron program... And also with the apache2 server (which I only use locally)... I think some of the changes in role default, more precisely in subject / of role default, were because of those issues, that have disappeared in the meantime...

I again don't remember the details, but am unsure if I did anything wrong.

All those changes that I (maybe a little too vaguely) explained above, all those I did manually, IIRC...

But that does look too clever for me, those entries, most of those could be entries that now ship with the default grsecurity new installations...

Let me see. I will simply reinstall gradm, because usually on reinstalls of programs, you get the default configuration files for that program available as dot files...

equery l gradm
Code: Select all
sys-apps/gradm-3.1.201608131257


And I reinstalled it, with "emerge -1 gradm", but no confs were installed...

Ah, I remember what I need to do! I'll look up the source!

tar xf /usr/portage/distfiles/gradm-3.1-201608131257.tar.gz

And this is excerpt from gradm/policy of that source:
Code: Select all
...
role default G
role_transitions admin shutdown
subject /
   /      r
   /opt      rx
   /home      rwxcd
   /mnt      rw
   /dev
   /dev/urandom   r
   /dev/random   r
   /dev/zero   rw
   /dev/input   rw
   /dev/psaux   rw
   /dev/null   rw
   /dev/tty?   rw
   /dev/console   rw
   /dev/tty   rw
   /dev/pts   rw
   /dev/ptmx   rw
   /dev/dsp   rw
   /dev/mixer   rw
   /dev/initctl   rw
   /run/systemd/initctl/fifo rw
   /dev/fd0   r
   /dev/cdrom   r
   /dev/sr0   r
   /bin      rx
   /sbin      rx
   /lib      rx
   /lib32      rx
   /libx32      rx
   /lib64      rx
   /usr      rx
# compilation of kernel code should be done within the admin role   
   /usr/src   h
   /etc      rx
   /proc      rwx
   /proc/sys   r
   /sys      h
   /root      r
   /run      r
   /tmp      rwcd
   /var      rwxcd
   /var/tmp   rwcd
   /var/log   r
# hide the kernel images and modules
   $grsec_denied
...

Phew! Probably nothing wrong, well nothing much wrong at least, with my policy, well, at least in the section of role default...

And regarding the manual changes that I mentioned above, I don't remember many details at all at this time. I can say that almost everything works fine, as far as I can understand of course...

So, I think I should continue thinking about what to change to get the remaining snags to vanish and libvirt virtualization to work fine under grsecurity.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 6:02 pm

The next policy that I will try is grsec_170310_g0n_01, and here's the diff against the policy, a huge part of which, relevant to this topic, I have posted:

diff -u45 grsec_170310_g0n_00 grsec_170310_g0n_01
Code:
--- grsec_170310_g0n_00   2017-03-08 18:46:35.138312762 +0100
+++ grsec_170310_g0n_01   2017-03-10 22:57:18.693231844 +0100
@@ -588,92 +588,92 @@
 subject /bin/rm o
    /            h
    /bin            h
    /bin/rm            x
    /etc            h
    /etc/ld.so.cache      r
    /lib64            h
    /lib64/ld-2.*.so      x
    /lib64/libc-2.*.so      rx
    /usr            h
    /usr/lib64/locale/locale-archive   r
    /usr/portage         wd
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 # Role: portage
 subject /usr/bin/wget o
    /            h
    /dev            h
    /dev/urandom         r
    /etc            h
    /etc/ld.so.cache      r
    /etc/localtime         r
    /etc/wgetrc         r
    /lib64            rx
    /lib64/modules         h
    /usr            h
    /usr/bin         h
    /usr/bin/wget         x
    /usr/lib64         rx
    /usr/portage         wc
    /var            h
    /var/log/portage_logs      
    /var/log/portage_logs/wget-fetch.log   a
    -CAP_ALL
    bind   disabled
    connect   192.168.2.0/24:80 stream tcp
    connect   192.168.3.0/24:80 stream tcp
 
 role root uG
 role_transitions admin shutdown
 role_allow_ip   192.168.2.0/24
 role_allow_ip   192.168.3.0/24
 role_allow_ip   0.0.0.0/32
-user_transition_allow apache miro tcpdump qemu
-group_transition_allow apache miro tcpdump kvm libvirt qemu
+user_transition_allow apache miro dnsmasq tcpdump qemu
+group_transition_allow apache miro dnsmasq tcpdump kvm libvirt qemu
 # Role: root
 subject /
    /               h
    /Cmn            r
    /Cmn/Kaff         rwxcd
    /Cmn/MyVideos      rwxcd
    /Cmn/dLo         rwxcd
    /Cmn/gX*            rwxcd
    /Cmn/m*            rwxcd
    /bin            rx
    /sbin            rx
    /dev            
    /dev/grsec         h
    /dev/kmem         h
    /dev/log         h
    /dev/mem         h
    /dev/null         rw
    /dev/port         h
    /dev/tty         rw
    /dev/urandom         r
    /etc            rx
    /etc/grsec         h
    /etc/gshadow         h
    /etc/gshadow-         h
    /etc/shadow         h
    /etc/shadow-         h
    /etc/ssh         h
    /export            h
    /export/data         
    /export/home         
    /home            h
    /home/miro         rx
    /lib64            rx
    /lib64/firmware         h
    /lib64/firmware/radeon      
    /lib64/modules         h
    /mnt            r
    /mnt            r
    /mnt/g*            rwxcd
    /mnt/H*            rwxcd
    /opt            
    /opt/icedtea-bin-*/bin/java   x
    /proc            r
    /proc/bus         h
    /proc/kallsyms         h
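Review bot: the new `user_transition_allow apache miro dnsmasq tcpdump qemu` / `group_transition_allow apache miro dnsmasq tcpdump kvm libvirt qemu` lines on `role root uG` only reach subjects that carry no transition list of their own; a subject with its own `user_transition_allow` line (as `/usr/sbin/mysqld` and `/usr/sbin/tcpdump` have further down in this diff) keeps that narrower list, so whichever root-role subject actually spawns the helper as the dnsmasq user needs `dnsmasq` on its own line too, if it has one. Also, the unchanged context lists `/mnt            r` twice in `subject /`; drop one copy.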
@@ -4698,97 +4698,105 @@
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 # Role: clamav
 subject /usr/bin/freshclam o
    /            h
    /etc            h
    /etc/clamd.conf         r
    /etc/gai.conf      r
    /etc/hosts         r
    /etc/localtime         r
    /etc/resolv.conf      r
    /run            h
    /run/clamav/clamd.sock      rw
    /var            h
    /var/lib/clamav         rwcd
    /var/log/clamav         rwc
    -CAP_ALL
    bind   0.0.0.0/32:0 dgram ip
    connect   0.0.0.0/0:53 dgram udp
    connect   127.0.0.1/32:53 dgram udp
    connect   193.92.150.194/32:80 stream dgram tcp udp
    connect   195.222.33.229/32:80 stream dgram tcp udp
    connect   192.168.1.1/32:53 dgram udp
    sock_allow_family netlink
 
 # Role: clamav
 subject /usr/sbin/clamd o
    /            h
    /proc            r
    /proc/bus         h
    /proc/kallsyms         h
    /proc/kcore         h
    /proc/modules         h
    /proc/slabinfo         h
    /proc/sys         h
    /var/lib/clamav         r
    /var/log/clamav         
    /var/log/clamav/clamd.log   a
    /run/clamav         rwcdl
    -CAP_ALL
    bind   disabled
    connect   disabled
 
+role dnsmasq ul
+user_transition_allow root
+group_transition_allow root
+
+role dnsmasq gl
+user_transition_allow root
+group_transition_allow root
+
 role kvm gl
 user_transition_allow root qemu
 group_transition_allow root kvm libvirt qemu
 
 role libvirt gl
-user_transition_allow root qemu
-group_transition_allow root kvm libvirt qemu
+user_transition_allow root dnsmasq qemu
+group_transition_allow root dnsmasq kvm libvirt qemu
 
 role mysql u
 #role_allow_ip   0.0.0.0/32
 user_transition_allow root
 group_transition_allow root
 # Role: mysql
 subject /
    /            h
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 # Role: mysql
 subject /usr/sbin/mysqld o
 user_transition_allow root mysql nobody
 group_transition_allow root mysql nobody
    /            h
    /sys/devices/system/cpu/online   r
    /tmp            rwcd
    /usr/sbin/mysqld      rx
    /var/lib/mysql         rwcd
 #   /var/lib/mysql/performance_schema
 #   /var/lib/mysql/performance_schema/db.opt   r
    -CAP_ALL
    bind 127.0.0.1/32:3306 stream tcp
    connect   disabled
 
 role postfix u
 role_allow_ip   0.0.0.0/32
 user_transition_allow root
 group_transition_allow root
 # Role: postfix
 subject /
    /            h
    /dev/urandom         r
    /etc/localtime         
    /var/spool/postfix      rwcd
    -CAP_ALL
    +CAP_SETGID
    +CAP_SETUID
    bind   0.0.0.0/32:0 ip dgram stream tcp udp
    connect   127.0.0.1/32 ip dgram stream tcp udp
    connect   195.29.150.0/24 ip dgram stream tcp udp
    connect   178.218.165.68/32 ip dgram stream tcp udp
    sock_allow_family netlink
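Review bot: `role dnsmasq ul` and `role dnsmasq gl` both grant `user_transition_allow root` / `group_transition_allow root`, while the direction the libvirt case needs, root to dnsmasq, is already covered by the additions to `role root` and `role libvirt` in this diff; unless learning shows the helper switching back to root, the root entries widen what a process running as the dnsmasq user may do and can be dropped. Both new roles also carry the `l` learning flag like `role kvm gl` and `role libvirt gl`, so remember to remove it once the learned subjects are in place.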
@@ -4807,288 +4815,290 @@
    /etc/gshadow-         h
    /etc/shadow         h
    /etc/shadow-         h
    /etc/ssh         h
    /home
    /home/miro
    /home/miro/Maildir            rwcdl
    /lib64            rx
    /lib64/modules         h
    /proc            h
    /proc/sys/kernel/ngroups_max   r
    /root
    /root/Maildir            rwcdl
    /sys            h
    /sys/devices/system/cpu/online   r
    /usr            h
    /usr/lib64         rx
    /usr/libexec         x
    /var            h
    /var/lib/postfix      rwcd
    /var/spool/postfix      rwcdl
    /var/tmp         
    -CAP_ALL
    +CAP_DAC_READ_SEARCH
    +CAP_KILL
    +CAP_SETGID
    +CAP_SETUID
    bind   0.0.0.0/32:0 ip dgram stream tcp udp
    connect   127.0.0.1/32 ip dgram stream tcp udp
    connect   192.168.1.1/32:53 dgram udp
    connect   195.29.150.0/24 ip dgram stream tcp udp
    connect   178.218.165.68/32 ip dgram stream tcp udp
    sock_allow_family all
 
 # Role: postfix
 subject /usr/sbin/postsuper o
 user_transition_allow root
 group_transition_allow root
    /            h
    /var/spool/postfix      wd
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 role qemu ul
-user_transition_allow root qemu
-group_transition_allow root kvm libvirt qemu
+user_transition_allow root dnsmasq qemu
+group_transition_allow root dnsmasq kvm libvirt qemu
 
 role qemu gl
-user_transition_allow root qemu
-group_transition_allow root kvm libvirt qemu
+user_transition_allow root dnsmasq qemu
+group_transition_allow root dnsmasq kvm libvirt qemu
 
 role tcpdump u
 subject / o
    /            h
    -CAP_ALL
    bind   disabled
    connect   disabled
 
 # Role: tcpdump
 subject /usr/sbin/tcpdump o
 user_transition_allow miro root nobody tcpdump
 group_transition_allow miro root nobody tcpdump
    /            h
    /Cmn            rwc
    /etc            h
    /etc/host.conf         r
    /etc/hosts         r
    /etc/ld.so.cache      r
    /etc/resolv.conf      r
    /lib64            h
    /lib64/libnss_dns-2.23.so   rx
    /lib64/libresolv-2.23.so   rx
    /lib64/libresolv.so.2      rx
    /proc            r
    /proc/bus         h
    /proc/kallsyms         h
    /proc/kcore         h
    /proc/modules         h
    /proc/slabinfo         h
    /proc/sys         h
    /usr            h
    /usr/sbin/tcpdump      rx
    -CAP_ALL
    +CAP_DAC_OVERRIDE
    bind 0.0.0.0/32:0 dgram ip
    connect 127.0.0.1/32:53 dgram udp
 
 role miro u
-user_transition_allow qemu
-group_transition_allow kvm libvirt qemu
+user_transition_allow dnsmasq qemu
+group_transition_allow dnsmasq kvm libvirt qemu
 role_allow_ip   0.0.0.0/32
 # Role: miro
 subject /
    /               h
    /Cmn            r
    /Cmn/Kaff         rwxcd
    /Cmn/MyVideos      rwxcd
    /Cmn/dLo         rwxcd
    /Cmn/gX*         rwxcd
    /Cmn/m*            rwxcd
    /Cmn/src*         rwxcd
    /bin            rx
    /boot            h
    /dev            
    /dev/grsec         h
    /dev/kmem         h
    /dev/kvm         r
    /dev/log         h
    /dev/mapper         h
    /dev/mapper/Msy         
    /dev/mem         h
    /dev/net         r
    /dev/net/tun      rwx
    /dev/null         rw
    /dev/port         h
    /dev/ptmx         rw
    /dev/pts         rw
    /dev/snd         rw
    /dev/snd         rw
    /dev/sr*         rw
    /dev/tty         rw
    /dev/tty?         rw
    /dev/urandom         r
    /dev/v4l         h
    /dev/v4l/video0         rw
    /dev/video0         rw
    /etc            r
    /etc/grsec         h
    /etc/gshadow         h
    /etc/gshadow-         h
    /etc/shadow         h
    /etc/shadow-         h
    /etc/ssh         h
    /export            h
    /export/data         
    /export/home         
    /home            
    /home/miro         rwxcdl
    /lib64            rx
    /lib64/modules         h
    /mnt            r
    /mnt/g*            rwxcd
    /mnt/H*            rwxcd
    /mnt/sd[a-l]*         rwxcd
    /opt            
    /opt/icedtea-bin-*   rx
    /proc            r
    /proc/bus         h
    /proc/kallsyms         h
    /proc/kcore         h
    /proc/modules         h
    /proc/slabinfo         h
    /run            
    /run/utmp         r
    /sbin            h
+   /sbin/dnsmasq      x      
    /sbin/macchanger      
    /sbin/openrc         
    /sbin/xtables-multi      
    /sys            
    /sys/fs/cgroup         
    /tmp            rwcd
    /usr            
    /usr/bin         rx
    /usr/lib64         rx
    /usr/libexec         rx
    /usr/local         
    /usr/local/bin         rx
    /usr/sbin         h
    /usr/sbin/sendmail      rx
    /usr/sbin/tcpdump      x
    /usr/share         r
    /usr/share/locale      r
    /usr/share/doc         r
    /usr/src         h
    /usr/x86_64-pc-linux-gnu   x
    /var            
    /var/cache         h
    /var/cache/fontconfig      r
    /var/lib         h
    /var/lib/lurker         rwcdl
    /var/lib/nfs/rpc_pipefs      
    /var/log         h
    /var/www
    /var/www/localhost/htdocs      rwcdl
    /var/www/lurker*      rwcdl
    -CAP_ALL
    bind   0.0.0.0/32:0 ip dgram stream tcp udp
    connect   disabled
    sock_allow_family unix inet
 
 # Role: miro
 subject /bin/bash o
    /               
    /Cmn            r
    /Cmn/ls-ABRgo*         rwcdl
    /Cmn/HISTORY*      rwxcd
    /Cmn/Kaff         rwxcd
    /Cmn/MyVideos         rwxcd
    /Cmn/dLo         rwxcd
    /Cmn/gX*            rwxcdl
    /Cmn/m*            rwxcdl
    /Cmn/src*         rwxcdl
    /export            rwxcd
    /bin            x
    /boot            h
    /dev            
    /dev/grsec         h
    /dev/kmem         h
    /dev/kvm         r
    /dev/log         h
    /dev/mem         h
    /dev/net         r
    /dev/net/tun      rwx
    /dev/null         rw
    /dev/port         h
    /dev/sr0         r
    /dev/tty         rw
    /etc            r
    /etc/grsec         h
    /etc/gshadow         h
    /etc/gshadow-         h
    /etc/shadow         h
    /etc/shadow-         h
    /etc/ssh         h
    /home
    /home/miro         rwxcdl
    /lib/modules         h
    /lib64            rx
    /lib64/modules         h
    /mnt            r
    /mnt/g*          rwxcd
    /mnt/H*            rwxcd
    /mnt/sr0         r
    /mnt/sd?1         rwxcdl
    /mnt/sr*         r
    /opt            
    /opt/cin         x
    /opt/icedtea-bin-*   rx
    /proc            h
    /proc/meminfo         r
    /sbin            h
    /sbin/conntrack      x      
+   /sbin/dnsmasq      x      
    /sbin/ldconfig      x
    /sbin/macchanger      
    /sbin/openrc         
    /sbin/xtables-multi      
    /sys            h
    /tmp            rwcd
    /usr            
    /usr/bin         x
    /usr/bin/java      rx
    /usr/bin/mplayer   rx
    /usr/bin/mpv      rx
    /usr/bin/qemu-system-x86_64   rx
    /usr/bin/ssh      rx
    /usr/bin/xkbcomp   rx
    /usr/bin/urxvt         rx
    /usr/bin/tzap         rx
    /usr/lib64         rx
    /usr/libexec      rx
    /usr/local         
    /usr/local/bin         rwxc
    /usr/sbin         h
    /usr/sbin/sendmail      rx
    /usr/sbin/tcpdump      x
    /usr/share         h
    /usr/share/virt-manager         x
    /usr/share/cvs/contrib/rcs2log
    /usr/share/doc         r
    /usr/share/info      r
    /usr/share/locale      r
    /usr/share/terminfo      r
    /usr/src         rwxc
    # needed by youtube-dl
    /usr/x86_64-pc-linux-gnu/binutils-bin/2.25.1/objdump   x
    /var            
    /var/lib
    /var/lib/lurker         rwcdl
    /var/log         h
    /var/tmp         rwcd
    /var/www            
    /var/www/lurker*         rwcd
    /var/www/localhost
    /var/www/localhost/htdocs         rwcd
    -CAP_ALL
    bind   disabled
    connect   disabled
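Review bot: the `/sbin/dnsmasq      x` lines added to both `subject /` and `subject /bin/bash` of `role miro u` carry trailing whitespace, and `role miro u` now also gets `user_transition_allow dnsmasq qemu` / `group_transition_allow dnsmasq kvm libvirt qemu`; if the helper is meant to be started by the root-side daemons (the transitions added to the root and libvirt roles in this same diff), an unprivileged user role needs neither execute on `/sbin/dnsmasq` nor a transition to that uid. Keep these entries only if the learning logs show miro's shell exec'ing `/sbin/dnsmasq` itself.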


Before I report how it went, I need to, and for the fourth time, get the rest of the system into the environment/conditions as they were when I left off from the last try.
timbgo
 

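To check a policy like the one in the diff above for exactly the question it raises (which subjects may actually setuid to a given user once a role-level list is changed), here is an added example, written for this edit and not the poster's or gradm's own code. It parses the gradm policy text format, treats a subject's own `user_transition_allow` line as overriding its role's (an assumption about gradm's precedence rules), and resolves object modes by longest matching prefix (glob objects such as `/Cmn/gX*` are matched literally). The policy text inside the block is constructed for the example; only the role and subject names mirror the thread. The checker is general: it works for `group_transition_allow` and for any user name, not just the dnsmasq case above.

```python
"""Added example (not gradm's own code): parse a gradm RBAC policy text and audit
uid/gid transitions.  SAMPLE_POLICY is constructed, modelled on the thread."""

TRANSITION_KEYS = ("user_transition_allow", "group_transition_allow")


def role_key(name, flags):
    """'role qemu ul' and 'role qemu gl' are different roles: key by name and kind."""
    kind = "u" if "u" in flags else "g" if "g" in flags else "s" if "s" in flags else "default"
    return f"{name}/{kind}"


def parse_policy(text):
    """Return {role_key: role}; roles and subjects hold their *_transition_allow lists
    (None when they have no line of their own), subjects also objects and caps."""
    roles, role, subject = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and indentation carry no meaning
        if not line:
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "role":
            role = {"name": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                    "subjects": {}, **dict.fromkeys(TRANSITION_KEYS)}
            roles[role_key(role["name"], role["flags"])] = role
            subject = None
        elif kw == "subject":
            subject = {"path": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "objects": {}, "caps": [], **dict.fromkeys(TRANSITION_KEYS)}
            role["subjects"][subject["path"]] = subject
        elif kw in TRANSITION_KEYS:
            # before the first subject the list is the role's, afterwards that subject's
            (subject if subject is not None else role)[kw] = parts[1:]
        elif kw in ("role_transitions", "role_allow_ip", "bind", "connect", "sock_allow_family"):
            continue  # not needed for this check
        elif subject is None:
            raise ValueError("object line outside any subject: " + line)
        elif kw[0] in "+-":
            subject["caps"].append(kw)
        elif kw[0] in "/$":
            subject["objects"][kw] = parts[1] if len(parts) > 1 else ""  # "" = listed, no bits
        else:
            raise ValueError("unrecognised policy line: " + line)
    return roles


def effective_transitions(role, subject, kind="user"):
    """Assumption about gradm precedence: a subject's own *_transition_allow line
    replaces the role-level list instead of extending it."""
    own = subject[f"{kind}_transition_allow"]
    if own is not None:
        return own, "subject"
    return role[f"{kind}_transition_allow"] or [], "role"


def subjects_not_allowed(roles, name, kind="user"):
    """Subjects whose role allows transition to `name` but whose own list does not."""
    out = []
    for key, role in roles.items():
        if name in (role[f"{kind}_transition_allow"] or []):
            for path, subj in role["subjects"].items():
                if name not in effective_transitions(role, subj, kind)[0]:
                    out.append((key, path))
    return out


def object_mode(subject, path):
    """Mode gradm applies to `path`: its longest object that is `path` or a parent of it."""
    hits = [o for o in subject["objects"] if path == o or path.startswith(o.rstrip("/") + "/")]
    return subject["objects"][max(hits, key=len)] if hits else ""


# Constructed sample policy (not the poster's real file).
SAMPLE_POLICY = """
role root uG
user_transition_allow apache dnsmasq qemu
group_transition_allow apache dnsmasq kvm libvirt qemu
# Role: root
subject /
   /               h
   /sbin           rx
   -CAP_ALL
subject /usr/sbin/libvirtd oOl
user_transition_allow qemu
group_transition_allow kvm libvirt qemu
   /               h
   /sbin           h
   /sbin/dnsmasq   x
   connect   disabled

role dnsmasq ul
user_transition_allow root
group_transition_allow root

role miro u
user_transition_allow dnsmasq qemu
group_transition_allow dnsmasq kvm libvirt qemu
subject /
   /               h
   /sbin/dnsmasq   x
"""

if __name__ == "__main__":
    for key, path in subjects_not_allowed(parse_policy(SAMPLE_POLICY), "dnsmasq"):
        print(f"{key}: subject {path} keeps its own list; it cannot setuid to dnsmasq")
```

Run against a real policy with `parse_policy(open("/etc/grsec/policy").read())` from a role that may read it; the report lists every subject that silently keeps a narrower list than its role, which is where a newly added role-level user tends to get lost.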
Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 6:33 pm

I followed the procedure that I explained (see viewtopic.php?f=5&t=4675&start=15#p17008 of this topic)
Code:
$ GentooVM22.sh
qemu-img create -f qcow2 gentoo22.img 10G

Formatting 'gentoo22.img', fmt=qcow2 size=10737418240 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

Starting install...
ERROR    internal error: process exited while connecting to monitor: kvm_init_vcpu failed: Cannot allocate memory
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start gentoo22
otherwise, please restart your installation.
$


And in the syslog there are no related " denied " messages... There aren't even any strings "failed" or "permission" to be found.

What I had done is, probably misunderstanding how the issue:
=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests
https://bugs.gentoo.org/show_bug.cgi?id=597554
was resolved, I set again:
Code:
# grep SYSFS_RESTRICT /boot/config-4.9.1*
/boot/config-4.9.11-hardened-170221_23:# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
/boot/config-4.9.13-hardened-170308_07:# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
/boot/config-4.9.13-hardened-r1-170308_11:CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
#

So what I have to do now, is: recompile the kernel disabling that option, IIUC.
timbgo
 

Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 11:01 pm

Indeed:
Code:
# diff -u .config*
--- .config   2017-03-10 23:36:25.700456070 +0100
+++ .config.old   2017-03-08 11:42:50.622184070 +0100
@@ -53,7 +53,7 @@
 CONFIG_INIT_ENV_ARG_LIMIT=32
 CONFIG_CROSS_COMPILE=""
 # CONFIG_COMPILE_TEST is not set
-CONFIG_LOCALVERSION="-170310_23"
+CONFIG_LOCALVERSION="-170308_11"
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_HAVE_KERNEL_GZIP=y
 CONFIG_HAVE_KERNEL_BZIP2=y
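Review bot: `diff -u .config*` expands to `diff -u .config .config.old`, so the `-` side of this diff is the freshly generated `.config` and the `+` side the old one; `CONFIG_LOCALVERSION="-170310_23"` on the `-` line is the kernel being built, not the one being removed. Run `diff -u .config.old .config` to get the usual old-to-new reading.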
@@ -4242,7 +4242,7 @@
 CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_SYMLINKOWN=y
 CONFIG_GRKERNSEC_FIFO=y
-# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
+CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
 # CONFIG_GRKERNSEC_ROFS is not set
 CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
 CONFIG_GRKERNSEC_CHROOT=y
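Review bot: with `.config` on the `-` side and `.config.old` on the `+` side (the order `diff -u .config*` produces), this hunk shows the new `-170310_23` build with `CONFIG_GRKERNSEC_SYSFS_RESTRICT` not set and the previous `-170308_11` build with it `=y`, which is the change the post set out to make; an old-to-new diff would show the same two lines with the signs swapped.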
#

And then:
Code:
$ GentooVM22.sh
qemu-img create -f qcow2 gentoo22.img 10G

Formatting 'gentoo22.img', fmt=qcow2 size=10737418240 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
qemu-img: gentoo22.img: Could not create file: Permission denied
WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

Starting install...
Creating domain...                                                             |    0 B  00:00:01     
Domain creation completed.
Restarting guest.
$ ls -l gentoo22.img
-rw-r--r-- 1 qemu qemu 196768 2017-03-10 23:15 gentoo22.img
$

(so it's only because I forgot to delete it)

But my joyous snag is still there... But first...

But first. Just BTW, I slept over, and this is the amount of messages that I can only start to get rid of once I learn how to time my script that disables and re-enables the exec_logging and the audit_chdir:
Code:
# ls -ltr | tail | grep messages_170311
-rw-r--r-- 1 root    root     30175596 2017-03-11 03:43 messages_170311_0342_g0n
-rw-r--r-- 1 root    root       187519 2017-03-11 03:44 messages_170311_0342_g0n.1
g0n ~ # ls -ltrh | tail | grep messages_170311
-rw-r--r-- 1 root    root     29M 2017-03-11 03:43 messages_170311_0342_g0n
-rw-r--r-- 1 root    root    184K 2017-03-11 03:44 messages_170311_0342_g0n.1
#

All of it includes the syslog of the try with the kernel with SYSCTL_RESTRICT enabled. And the .1 is with just this try a quarter of an hour ago. The rest is rkhunter, locatedb, mandb and such, writing like mad...

I finally think I learned how to control the use of exec_logging and audit_chdir (not completely, if I control it primitively with sleep when I need to disable the logging; pls. see my script at:
< this same topic >
viewtopic.php?f=5&t=4675&start=15#p17004
), but how to grep it to get non-excessive output, while still later being able to tell what executed at which exact line of the derived short syslog.

Here it is in all of its short and mean, unforgiving ugliness, and I'll try to analyze it (and interpolate with the long and mean, unforgiving ugliness where needed) in the next post:
# cat messages_170311_0342_g0n.1 | grep -Ev '[0-9][0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9]] grsec:'
Code:
Mar 11 03:28:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar 11 03:28:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:28:40 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c touch dump_170311_0328_g0n.pcap
Mar 11 03:28:40 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c dumpcap -i any -w dump_170311_0328_g0n.pcap
Mar 11 03:28:43 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:28:43 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: carrier acquired
Mar 11 03:28:44 g0n kernel: [  345.261808] sky2 0000:06:00.0 eth1: Link is up at 100 Mbps, full duplex, flow control both
Mar 11 03:28:44 g0n kernel: [  345.261871] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: IAID 2e:ab:28:71
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: soliciting an IPv6 router
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: rebinding lease of 192.168.1.4
Mar 11 03:28:44 g0n kernel: [  345.570183] mrfw_dropIN=eth1 OUT= MAC=00:0e:2e:ab:28:71:2c:95:7f:8b:44:87:08:00 SRC=192.168.1.1 DST=192.168.1.4 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: leased 192.168.1.4 for infinity
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: adding route to 192.168.1.0/24
Mar 11 03:28:44 g0n dhcpcd[2923]: eth1: adding default route via 192.168.1.1
Mar 11 03:28:44 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:28:44 g0n dnsmasq[4003]: using nameserver 81.2.237.32#53
Mar 11 03:28:44 g0n dnsmasq[4003]: using nameserver 31.14.133.188#53
Mar 11 03:28:44 g0n dnsmasq[4003]: using nameserver 5.9.49.12#53
Mar 11 03:28:45 g0n dhcpcd[2923]: eth1: Router Advertisement from fe80::1
Mar 11 03:28:45 g0n dhcpcd[2923]: eth1: adding default route via fe80::1
Mar 11 03:28:45 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:28:45 g0n dnsmasq[4003]: using nameserver 81.2.237.32#53
Mar 11 03:28:45 g0n dnsmasq[4003]: using nameserver 31.14.133.188#53
Mar 11 03:28:45 g0n dnsmasq[4003]: using nameserver 5.9.49.12#53
Mar 11 03:28:45 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:28:45 g0n dhcpcd[2923]: eth1: requesting DHCPv6 information
Mar 11 03:28:46 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:28:46 g0n dnsmasq[4003]: using nameserver 81.2.237.32#53
Mar 11 03:28:46 g0n dnsmasq[4003]: using nameserver 31.14.133.188#53
Mar 11 03:28:46 g0n dnsmasq[4003]: using nameserver 5.9.49.12#53
Mar 11 03:28:46 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:29:05 g0n kernel: [  365.847681] virbr0: port 2(vnet0) entered blocking state
Mar 11 03:29:05 g0n kernel: [  365.847684] virbr0: port 2(vnet0) entered disabled state
Mar 11 03:29:05 g0n kernel: [  365.847806] device vnet0 entered promiscuous mode
Mar 11 03:29:05 g0n kernel: [  365.853140] virbr0: port 2(vnet0) entered blocking state
Mar 11 03:29:05 g0n kernel: [  365.853144] virbr0: port 2(vnet0) entered listening state
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: waiting for carrier
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: new hardware address: fe:54:00:98:2f:06
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: carrier acquired
Mar 11 03:29:05 g0n kernel: [  365.871017] cgroup: libvirtd (3908) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
Mar 11 03:29:05 g0n kernel: [  365.871021] cgroup: "memory" requires setting use_hierarchy to 1 on the root
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: IAID 00:98:2f:06
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: adding address fe80::9326:ba01:4521:ee7f
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: soliciting an IPv6 router
Mar 11 03:29:05 g0n dhcpcd[2923]: vnet0: soliciting a DHCP lease
Mar 11 03:29:05 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar 11 03:29:05 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar 11 03:29:05 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 11 03:29:07 g0n kernel: [  367.913615] virbr0: port 2(vnet0) entered learning state
Mar 11 03:29:08 g0n kernel: [  369.100959] kvm: zapping shadow pages for mmio generation wraparound
Mar 11 03:29:09 g0n dhcpcd[2923]: virbr0: carrier acquired
Mar 11 03:29:09 g0n kernel: [  369.960661] virbr0: port 2(vnet0) entered forwarding state
Mar 11 03:29:09 g0n kernel: [  369.960666] virbr0: topology change detected, propagating
Mar 11 03:29:09 g0n dhcpcd[2923]: virbr0: IAID 00:ea:ee:e9
Mar 11 03:29:09 g0n dhcpcd[2923]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar 11 03:29:09 g0n dhcpcd[2923]: virbr0: adding address fe80::7e36:b0a1:9718:3d3a
Mar 11 03:29:09 g0n dhcpcd[2923]: if_addaddress6: Permission denied
Mar 11 03:29:09 g0n kernel: [  370.011930] kvm [4863]: vcpu0, guest rIP: 0xffffffff8103a831 unhandled rdmsr: 0xc0010048
Mar 11 03:29:09 g0n kernel: [  370.194165] kvm: zapping shadow pages for mmio generation wraparound
Mar 11 03:29:10 g0n dhcpcd[2923]: virbr0: soliciting a DHCP lease
Mar 11 03:29:10 g0n dhcpcd[2923]: virbr0: soliciting an IPv6 router
Mar 11 03:29:10 g0n dhcpcd[2923]: vnet0: probing for an IPv4LL address
Mar 11 03:29:15 g0n dhcpcd[2923]: virbr0: probing for an IPv4LL address
Mar 11 03:29:15 g0n dhcpcd[2923]: vnet0: using IPv4LL address 169.254.227.232
Mar 11 03:29:15 g0n dhcpcd[2923]: vnet0: adding route to 169.254.0.0/16
Mar 11 03:29:18 g0n dhcpcd[2923]: vnet0: no IPv6 Routers available
Mar 11 03:29:20 g0n dhcpcd[2923]: virbr0: using IPv4LL address 169.254.64.126
Mar 11 03:29:20 g0n dhcpcd[2923]: virbr0: adding route to 169.254.0.0/16
Mar 11 03:29:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:29:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:29:26 g0n kernel: [  387.229741] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=47409 PROTO=2
Mar 11 03:29:38 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:98:2f:06
Mar 11 03:29:38 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.85 52:54:00:98:2f:06
Mar 11 03:29:38 g0n dnsmasq-dhcp[4003]: ARP-cache injection failed: Operation not permitted
Mar 11 03:29:43 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:98:2f:06
Mar 11 03:29:43 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.85 52:54:00:98:2f:06
Mar 11 03:29:43 g0n dnsmasq-dhcp[4003]: ARP-cache injection failed: Operation not permitted
Mar 11 03:29:50 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:98:2f:06
Mar 11 03:29:50 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.85 52:54:00:98:2f:06
Mar 11 03:29:50 g0n dnsmasq-dhcp[4003]: ARP-cache injection failed: Operation not permitted
Mar 11 03:30:06 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:98:2f:06
Mar 11 03:30:06 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.85 52:54:00:98:2f:06
Mar 11 03:30:06 g0n dnsmasq-dhcp[4003]: ARP-cache injection failed: Operation not permitted
Mar 11 03:30:20 g0n dhcpcd[2923]: vnet0: carrier lost
Mar 11 03:30:20 g0n kernel: [  441.701640] virbr0: port 2(vnet0) entered disabled state
Mar 11 03:30:20 g0n kernel: [  441.701899] device vnet0 left promiscuous mode
Mar 11 03:30:20 g0n kernel: [  441.701903] virbr0: port 2(vnet0) entered disabled state
Mar 11 03:30:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:30:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:30:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:30:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:30:20 g0n dhcpcd[2923]: vnet0: deleting address fe80::9326:ba01:4521:ee7f
Mar 11 03:30:20 g0n dhcpcd[2923]: vnet0: deleting route to 169.254.0.0/16
Mar 11 03:30:20 g0n dhcpcd[2923]: vnet0: removing interface
Mar 11 03:30:21 g0n dhcpcd[2923]: virbr0: carrier lost
Mar 11 03:30:21 g0n dhcpcd[2923]: virbr0: deleting route to 169.254.0.0/16
Mar 11 03:30:21 g0n kernel: [  442.306449] virbr0: port 2(vnet0) entered blocking state
Mar 11 03:30:21 g0n kernel: [  442.306454] virbr0: port 2(vnet0) entered disabled state
Mar 11 03:30:21 g0n kernel: [  442.306618] device vnet0 entered promiscuous mode
Mar 11 03:30:21 g0n kernel: [  442.310160] virbr0: port 2(vnet0) entered blocking state
Mar 11 03:30:21 g0n kernel: [  442.310165] virbr0: port 2(vnet0) entered listening state
Mar 11 03:30:21 g0n dhcpcd[2923]: vnet0: waiting for carrier
Mar 11 03:30:21 g0n dhcpcd[2923]: vnet0: carrier acquired
Mar 11 03:30:21 g0n dhcpcd[2923]: vnet0: IAID 00:98:2f:06
Mar 11 03:30:21 g0n dhcpcd[2923]: vnet0: adding address fe80::9326:ba01:4521:ee7f
Mar 11 03:30:21 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar 11 03:30:21 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar 11 03:30:21 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 11 03:30:21 g0n kernel: [  442.755039] sky2 0000:06:00.0 eth1: Link is down
Mar 11 03:30:21 g0n dhcpcd[2923]: eth1: carrier lost
Mar 11 03:30:21 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:30:21 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:30:22 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:30:22 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:30:22 g0n dhcpcd[2923]: eth1: deleting default route via fe80::1
Mar 11 03:30:22 g0n dnsmasq[4003]: no servers found in /etc/resolv.conf, will retry
Mar 11 03:30:22 g0n dhcpcd[2923]: eth1: deleting address fe80::30b7:84a9:5f50:6486
Mar 11 03:30:22 g0n dhcpcd[2923]: eth1: deleting default route via 192.168.1.1
Mar 11 03:30:22 g0n dhcpcd[2923]: eth1: deleting route to 192.168.1.0/24
Mar 11 03:30:22 g0n dhcpcd[2923]: vnet0: soliciting a DHCP lease
Mar 11 03:30:22 g0n dhcpcd[2923]: vnet0: soliciting an IPv6 router
Mar 11 03:30:23 g0n kernel: [  443.881944] sky2 0000:06:00.0 eth1: hung mac 0:74 fifo 74 (48:122)
Mar 11 03:30:23 g0n kernel: [  443.881958] sky2 0000:06:00.0 eth1: receiver hang detected
Mar 11 03:30:23 g0n kernel: [  444.329973] virbr0: port 2(vnet0) entered learning state
Mar 11 03:30:25 g0n kernel: [  446.377988] virbr0: port 2(vnet0) entered forwarding state
Mar 11 03:30:25 g0n kernel: [  446.378026] virbr0: topology change detected, propagating
Mar 11 03:30:25 g0n dhcpcd[2923]: virbr0: carrier acquired
Mar 11 03:30:25 g0n dhcpcd[2923]: virbr0: IAID 00:ea:ee:e9
Mar 11 03:30:25 g0n dhcpcd[2923]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar 11 03:30:25 g0n dhcpcd[2923]: virbr0: soliciting a DHCP lease
Mar 11 03:30:26 g0n dhcpcd[2923]: virbr0: soliciting an IPv6 router
Mar 11 03:30:27 g0n dhcpcd[2923]: vnet0: probing for an IPv4LL address
Mar 11 03:30:30 g0n dhcpcd[2923]: virbr0: probing for an IPv4LL address
Mar 11 03:30:32 g0n dhcpcd[2923]: vnet0: using IPv4LL address 169.254.227.232
Mar 11 03:30:32 g0n dhcpcd[2923]: vnet0: adding route to 169.254.0.0/16
Mar 11 03:30:32 g0n dhcpcd[2923]: vnet0: adding default route
Mar 11 03:30:32 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:30:32 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:30:33 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 4733 4735
Mar 11 03:30:35 g0n dhcpcd[2923]: vnet0: no IPv6 Routers available
Mar 11 03:30:35 g0n dhcpcd[2923]: virbr0: using IPv4LL address 169.254.64.126
Mar 11 03:30:35 g0n dhcpcd[2923]: virbr0: adding route to 169.254.0.0/16
Mar 11 03:30:35 g0n dhcpcd[2923]: vnet0: deleting default route
Mar 11 03:30:35 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:30:35 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
timbgo
 

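As an added example (not the poster's script) of triaging a syslog excerpt like the one in the post above: the `grep -Ev '... grsec:'` filter drops every grsec kernel line, RBAC denials included, whereas the code below drops only the exec/chdir audit lines, keeps `denied` messages parsed into role, subject and executable, and counts the ordinary `Permission denied` / `Operation not permitted` failures per program so that a repeated dnsmasq or dhcpcd error shows up once with a count. The log lines inside the block are constructed for the example; the two grsec line shapes are approximations of the kernel's message format, not captured output.

```python
"""Added example (not the poster's script): triage a syslog excerpt into grsec
audit noise, grsec RBAC denials and plain DAC failures.  SAMPLE_LOG is
constructed; the grsec line shapes approximate the kernel's messages."""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# kernel line written by grsecurity: "[  365.871017] grsec: ..."
GRSEC_RE = re.compile(r"^\[\s*\d+\.\d+\] grsec: (?P<body>.*)$")
# RBAC denial body: "(role:U:/subject) denied <what> by /exe[comm:pid] uid/euid:..."
DENIED_RE = re.compile(
    r"^(?:From \S+: )?\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"denied (?P<what>.*?) by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<dpid>\d+)\]"
)
FAIL_WORDS = ("Permission denied", "Operation not permitted")


def classify(line):
    """Return (kind, fields): kind is 'audit', 'rbac_denied', 'failure', 'other',
    or None (with fields None) for a line that is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None, None
    rec = m.groupdict()
    if rec["prog"] == "kernel":
        g = GRSEC_RE.match(rec["msg"])
        if g:
            d = DENIED_RE.match(g.group("body"))
            if d:
                rec.update(d.groupdict())
                return "rbac_denied", rec
            return "audit", rec  # exec_logging, audit_chdir and the like
    if any(w in rec["msg"] for w in FAIL_WORDS):
        return "failure", rec
    return "other", rec


def triage(lines):
    """Denials kept in full as (subject, exe, what); DAC failures counted per
    (program, message); audit lines only counted."""
    denials, failures, dropped = [], Counter(), 0
    for line in lines:
        kind, rec = classify(line)
        if kind == "rbac_denied":
            denials.append((rec["subject"], rec["exe"], rec["what"]))
        elif kind == "failure":
            failures[(rec["prog"], rec["msg"])] += 1
        elif kind == "audit":
            dropped += 1
    return denials, failures, dropped


# Constructed sample lines; the grsec ones are approximations, not captured output.
SAMPLE_LOG = """\
Mar 11 03:28:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar 11 03:29:05 g0n kernel: [  365.871017] grsec: exec of /bin/ps (ps aux ) by /bin/bash[bash:4810] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sudo[sudo:4809] uid/euid:0/0 gid/egid:0/0
Mar 11 03:29:05 g0n kernel: [  365.872001] grsec: (root:U:/usr/sbin/libvirtd) denied access to hidden file /sbin/dnsmasq by /usr/sbin/libvirtd[libvirtd:3908] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 11 03:29:09 g0n dhcpcd[2923]: virbr0: if_addaddress6: Permission denied
Mar 11 03:29:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:29:20 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:29:38 g0n dnsmasq-dhcp[4003]: ARP-cache injection failed: Operation not permitted
Mar 11 03:29:38 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.85 52:54:00:98:2f:06
"""

if __name__ == "__main__":
    denials, failures, dropped = triage(SAMPLE_LOG.splitlines())
    print(f"{dropped} grsec audit line(s) dropped")
    for subject, exe, what in denials:
        print(f"RBAC: subject {subject} ({exe}) denied {what}")
    for (prog, msg), n in failures.most_common():
        print(f"{n:3d}x {prog}: {msg}")
```

Feed it a whole rotated file with `triage(open("messages_170311_0342_g0n.1").readlines())`; an empty `denials` list together with non-zero DAC failure counts is the signature of a problem that RBAC is not causing, which is what distinguishes a missing policy object from a capability or DAC limit on the helper itself.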
Re: Libvirt virtualization policies

Postby timbgo » Fri Mar 10, 2017 11:52 pm

I just added:
Code: Select all
if [ -e "gentoo22.img" ]; then
    rm gentoo22.img
fi

right at the top, after the shebang of the script.

(Just the virsh shutdown, destroy and undefine lines are as they were some three or four days ago.)

But before the analysis, there's a recheck of whether it all works with grsec RBAC disabled, to be able to compare later.

Code: Select all
$ GentooVM22.sh
qemu-img create -f qcow2 gentoo22.img 10G

Formatting 'gentoo22.img', fmt=qcow2 size=10737418240 encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16
WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.

Starting install...
Creating domain...                                                             |    0 B  00:00:00
Domain creation completed.
Restarting guest.
$


and, the short and envious, distant bliss left to yearn for:
cat messages_170311_0424_g0n.1 | grep -Ev '[0-9][0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9]] grsec:'
Code: Select all
Mar 11 03:57:34 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar 11 03:57:34 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:57:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c touch dump_170311_0357_g0n.pcap
Mar 11 03:57:40 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c dumpcap -i any -w dump_170311_0357_g0n.pcap
Mar 11 03:57:42 g0n kernel: [ 2083.244748] sky2 0000:06:00.0 eth1: Link is up at 100 Mbps, full duplex, flow control both
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: carrier acquired
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: IAID 2e:ab:28:71
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: soliciting an IPv6 router
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: rebinding lease of 192.168.1.4
Mar 11 03:57:42 g0n dhcpcd[2923]: eth1: probing address 192.168.1.4/24
Mar 11 03:57:43 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:57:43 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 03:57:43 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:57:43 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:57:43 g0n dhcpcd[2923]: eth1: Router Advertisement from fe80::1
Mar 11 03:57:43 g0n dhcpcd[2923]: eth1: adding default route via fe80::1
Mar 11 03:57:43 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:57:43 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:57:43 g0n dhcpcd[2923]: eth1: requesting DHCPv6 information
Mar 11 03:57:44 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:57:44 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:57:48 g0n dhcpcd[2923]: eth1: leased 192.168.1.4 for infinity
Mar 11 03:57:48 g0n dhcpcd[2923]: eth1: adding route to 192.168.1.0/24
Mar 11 03:57:48 g0n dhcpcd[2923]: eth1: adding default route via 192.168.1.1
Mar 11 03:57:48 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:57:48 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 03:57:48 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 03:57:48 g0n dnsmasq[4003]: using nameserver 81.2.237.32#53
Mar 11 03:57:48 g0n dnsmasq[4003]: using nameserver 31.14.133.188#53
Mar 11 03:57:48 g0n dnsmasq[4003]: using nameserver 5.9.49.12#53
Mar 11 03:57:48 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 03:58:36 g0n kernel: [ 2137.091770] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=47930 PROTO=2
Mar 11 04:00:41 g0n kernel: [ 2262.017951] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=47963 PROTO=2
Mar 11 04:02:46 g0n kernel: [ 2386.923419] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=48000 PROTO=2
Mar 11 04:04:50 g0n kernel: [ 2511.838943] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:24:9e:ab:c9:3d:77:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=48035 PROTO=2
Mar 11 04:06:16 g0n kernel: [ 2596.931432] sky2 0000:06:00.0 eth1: Link is down
Mar 11 04:06:16 g0n dhcpcd[2923]: eth1: carrier lost
Mar 11 04:06:16 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 04:06:16 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 04:06:16 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 04:06:16 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 04:06:16 g0n dhcpcd[2923]: eth1: deleting default route via fe80::1
Mar 11 04:06:16 g0n dnsmasq[4003]: no servers found in /etc/resolv.conf, will retry
Mar 11 04:06:16 g0n dhcpcd[2923]: eth1: deleting address fe80::30b7:84a9:5f50:6486
Mar 11 04:06:16 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 04:06:16 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 04:06:16 g0n dhcpcd[2923]: virbr0: adding default route
Mar 11 04:06:16 g0n dhcpcd[2923]: eth1: deleting default route via 192.168.1.1
Mar 11 04:06:16 g0n dhcpcd[2923]: eth1: deleting route to 192.168.1.0/24
Mar 11 04:06:16 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 04:06:16 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied
Mar 11 04:06:26 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 04:06:26 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 04:06:27 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill 5441 5443
Mar 11 04:17:08 g0n dhcpcd[2923]: vnet0: carrier lost
Mar 11 04:17:08 g0n kernel: [ 3248.961063] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:17:08 g0n kernel: [ 3248.961333] device vnet0 left promiscuous mode
Mar 11 04:17:08 g0n kernel: [ 3248.961336] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:17:08 g0n dhcpcd[2923]: vnet0: deleting address fe80::9326:ba01:4521:ee7f
Mar 11 04:17:08 g0n dhcpcd[2923]: vnet0: deleting route to 169.254.0.0/16
Mar 11 04:17:08 g0n dhcpcd[2923]: vnet0: removing interface
Mar 11 04:17:08 g0n dhcpcd[2923]: virbr0: carrier lost
Mar 11 04:17:08 g0n dhcpcd[2923]: virbr0: deleting default route
Mar 11 04:17:08 g0n dhcpcd[2923]: virbr0: deleting route to 169.254.0.0/16
Mar 11 04:19:38 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c gradm -S
Mar 11 04:19:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 04:19:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c touch dump_170311_0419_g0n.pcap
Mar 11 04:19:39 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c dumpcap -i any -w dump_170311_0419_g0n.pcap
Mar 11 04:19:42 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 04:19:42 g0n sudo:     miro : TTY=pts/14 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Mar 11 04:19:44 g0n kernel: [ 3405.350548] sky2 0000:06:00.0 eth1: Link is up at 100 Mbps, full duplex, flow control both
Mar 11 04:19:44 g0n dhcpcd[2923]: eth1: carrier acquired
Mar 11 04:19:44 g0n dhcpcd[2923]: eth1: IAID 2e:ab:28:71
Mar 11 04:19:44 g0n dhcpcd[2923]: eth1: adding address fe80::30b7:84a9:5f50:6486
Mar 11 04:19:45 g0n dhcpcd[2923]: eth1: rebinding lease of 192.168.1.4
Mar 11 04:19:45 g0n dhcpcd[2923]: eth1: probing address 192.168.1.4/24
Mar 11 04:19:45 g0n dhcpcd[2923]: eth1: soliciting an IPv6 router
Mar 11 04:19:46 g0n dhcpcd[2923]: eth1: Router Advertisement from fe80::1
Mar 11 04:19:46 g0n dhcpcd[2923]: eth1: adding default route via fe80::1
Mar 11 04:19:46 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 04:19:46 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 04:19:46 g0n dhcpcd[2923]: eth1: requesting DHCPv6 information
Mar 11 04:19:46 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 04:19:46 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 04:19:49 g0n dhcpcd[2923]: eth1: leased 192.168.1.4 for infinity
Mar 11 04:19:49 g0n dhcpcd[2923]: eth1: adding route to 192.168.1.0/24
Mar 11 04:19:49 g0n dhcpcd[2923]: eth1: adding default route via 192.168.1.1
Mar 11 04:19:49 g0n dnsmasq[4003]: reading /etc/resolv.conf
Mar 11 04:19:49 g0n dnsmasq[4003]: using nameserver 81.2.237.32#53
Mar 11 04:19:49 g0n dnsmasq[4003]: using nameserver 31.14.133.188#53
Mar 11 04:19:49 g0n dnsmasq[4003]: using nameserver 5.9.49.12#53
Mar 11 04:19:49 g0n dnsmasq[4003]: using nameserver fe80::1%eth1#53
Mar 11 04:19:58 g0n kernel: [ 3419.102885] virbr0: port 2(vnet0) entered blocking state
Mar 11 04:19:58 g0n kernel: [ 3419.102887] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:19:58 g0n kernel: [ 3419.102982] device vnet0 entered promiscuous mode
Mar 11 04:19:58 g0n kernel: [ 3419.113915] virbr0: port 2(vnet0) entered blocking state
Mar 11 04:19:58 g0n kernel: [ 3419.113919] virbr0: port 2(vnet0) entered listening state
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: waiting for carrier
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: carrier acquired
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: IAID 00:6c:f4:37
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: adding address fe80::f81a:88e4:ce5e:48d9
Mar 11 04:19:58 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar 11 04:19:58 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar 11 04:19:58 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: soliciting an IPv6 router
Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: soliciting a DHCP lease
Mar 11 04:20:00 g0n kernel: [ 3421.148806] virbr0: port 2(vnet0) entered learning state
Mar 11 04:20:00 g0n kernel: [ 3421.175268] kvm: zapping shadow pages for mmio generation wraparound
Mar 11 04:20:01 g0n kernel: [ 3422.064059] kvm [6062]: vcpu0, guest rIP: 0xffffffff8103a831 unhandled rdmsr: 0xc0010048
Mar 11 04:20:01 g0n kernel: [ 3422.240860] kvm: zapping shadow pages for mmio generation wraparound
Mar 11 04:20:02 g0n kernel: [ 3423.196842] virbr0: port 2(vnet0) entered forwarding state
Mar 11 04:20:02 g0n kernel: [ 3423.196864] virbr0: topology change detected, propagating
Mar 11 04:20:02 g0n dhcpcd[2923]: virbr0: carrier acquired
Mar 11 04:20:02 g0n dhcpcd[2923]: virbr0: IAID 00:ea:ee:e9
Mar 11 04:20:02 g0n dhcpcd[2923]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar 11 04:20:02 g0n dhcpcd[2923]: virbr0: soliciting a DHCP lease
Mar 11 04:20:03 g0n dhcpcd[2923]: virbr0: soliciting an IPv6 router
Mar 11 04:20:03 g0n dhcpcd[2923]: vnet0: probing for an IPv4LL address
Mar 11 04:20:07 g0n dhcpcd[2923]: virbr0: probing for an IPv4LL address
Mar 11 04:20:09 g0n dhcpcd[2923]: vnet0: using IPv4LL address 169.254.45.50
Mar 11 04:20:09 g0n dhcpcd[2923]: vnet0: adding route to 169.254.0.0/16
Mar 11 04:20:12 g0n dhcpcd[2923]: vnet0: no IPv6 Routers available
Mar 11 04:20:12 g0n dhcpcd[2923]: virbr0: using IPv4LL address 169.254.64.126
Mar 11 04:20:12 g0n dhcpcd[2923]: virbr0: adding route to 169.254.0.0/16
Mar 11 04:20:24 g0n kernel: [ 3445.482410] mrfw_pingIN= OUT=virbr0 SRC=192.168.122.1 DST=192.168.122.29 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=18375 DF PROTO=ICMP TYPE=8 CODE=0 ID=62380 SEQ=0
Mar 11 04:20:27 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:6c:f4:37
Mar 11 04:20:27 g0n dnsmasq-dhcp[4003]: DHCPOFFER(virbr0) 192.168.122.29 52:54:00:6c:f4:37
Mar 11 04:20:27 g0n dnsmasq-dhcp[4003]: DHCPREQUEST(virbr0) 192.168.122.29 52:54:00:6c:f4:37
Mar 11 04:20:27 g0n dnsmasq-dhcp[4003]: DHCPACK(virbr0) 192.168.122.29 52:54:00:6c:f4:37 livecd
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: carrier lost
Mar 11 04:20:57 g0n kernel: [ 3478.160307] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:20:57 g0n kernel: [ 3478.160541] device vnet0 left promiscuous mode
Mar 11 04:20:57 g0n kernel: [ 3478.160545] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: deleting address fe80::f81a:88e4:ce5e:48d9
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: deleting route to 169.254.0.0/16
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: removing interface
Mar 11 04:20:57 g0n dhcpcd[2923]: virbr0: carrier lost
Mar 11 04:20:57 g0n dhcpcd[2923]: virbr0: deleting route to 169.254.0.0/16
Mar 11 04:20:57 g0n kernel: [ 3478.546042] virbr0: port 2(vnet0) entered blocking state
Mar 11 04:20:57 g0n kernel: [ 3478.546054] virbr0: port 2(vnet0) entered disabled state
Mar 11 04:20:57 g0n kernel: [ 3478.546384] device vnet0 entered promiscuous mode
Mar 11 04:20:57 g0n kernel: [ 3478.550722] virbr0: port 2(vnet0) entered blocking state
Mar 11 04:20:57 g0n kernel: [ 3478.550733] virbr0: port 2(vnet0) entered listening state
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: waiting for carrier
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: carrier acquired
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: IAID 00:6c:f4:37
Mar 11 04:20:57 g0n dhcpcd[2923]: vnet0: adding address fe80::f81a:88e4:ce5e:48d9
Mar 11 04:20:57 g0n qemu-system-x86_64: SQL engine 'mysql' not supported
Mar 11 04:20:57 g0n qemu-system-x86_64: auxpropfunc error no mechanism available
Mar 11 04:20:57 g0n qemu-system-x86_64: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 11 04:20:58 g0n dhcpcd[2923]: vnet0: soliciting an IPv6 router
Mar 11 04:20:58 g0n dhcpcd[2923]: vnet0: soliciting a DHCP lease
Mar 11 04:20:59 g0n kernel: [ 3480.605822] virbr0: port 2(vnet0) entered learning state
Mar 11 04:20:59 g0n kernel: [ 3480.811904] sky2 0000:06:00.0 eth1: Link is down
Mar 11 04:20:59 g0n dhcpcd[2923]: eth1: carrier lost

IOW, the old (only a few days old) conclusion still stands: it's to do with grsec (to do, not to blame on) that I can't get connected when libvirt does its job under grsec RBAC.

Re: Libvirt virtualization policies

Postby timbgo » Tue Mar 14, 2017 10:07 am

I'm not idling. I'm not giving up. I'm not letting any program disallow me the use of grsec RBAC ("disallow" in the broad meaning of the word, not literally of course).
But I'm a non-programmer who needs to do some --primitive-- programming to get a clearer insight into what might be the cause of this issue that's left.
Here is just a little more of my analysis (on the most recent try, on 03/11/2017):
http://www.croatiafidelis.hr/foss/cap/c ... irt-grsec/
But there's more I need to do... It'll be useful to me in the future though, to ease analysis of traces and syslog by putting choice excerpts of one and the other in the same place in a text file, by timestamp, for comparison.
Bear with me.
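The timestamp-aligned comparison the post above describes (syslog excerpts placed next to packet-trace excerpts, ordered by time) can be done with a short script. The following is an added example, not timbgo's script and not part of the thread; it assumes syslog lines in the classic "Mon DD HH:MM:SS host ..." form shown in the dumps above (the year is supplied, since that format lacks it), trace lines in the "YYYY-MM-DD HH:MM:SS.ffffff ..." form a tshark text export with absolute dates produces, and the same grsec-line filter as the grep -Ev command in the earlier post. The sample lines embedded in it are constructed, modelled on the dumps above, not captured from the thread's pcap.

```python
"""Merge syslog excerpts and packet-trace excerpts into one timeline (added example)."""
import re
from datetime import datetime

# Classic syslog line: "Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: carrier acquired"
SYSLOG_RE = re.compile(r'^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$')
# Trace line with absolute timestamp, as from a tshark text export (assumed layout)
TRACE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (.*)$')
# Same expression as the thread's  grep -Ev '[0-9][0-9][0-9].[0-9]{6}] grsec:'  filter
GRSEC_RE = re.compile(r'\d{3}.\d{6}\] grsec:')
# dnsmasq bind failure seen repeatedly in the dumps above
BIND_FAIL_RE = re.compile(r'dnsmasq\[\d+\]: failed to create listening socket for (\S+): (.*)$')

# Constructed sample input, modelled on the thread's messages file (not captured data).
SAMPLE_SYSLOG = [
    "Mar 11 04:19:58 g0n dhcpcd[2923]: vnet0: carrier acquired",
    "Mar 11 04:19:58 g0n kernel: [ 3419.123456] grsec: (constructed placeholder line, dropped by the filter)",
    "Mar 11 04:20:12 g0n dhcpcd[2923]: virbr0: using IPv4LL address 169.254.64.126",
    "Mar 11 04:20:12 g0n dnsmasq[4003]: failed to create listening socket for 169.254.64.126: Permission denied",
    "Mar 11 04:20:27 g0n dnsmasq-dhcp[4003]: DHCPDISCOVER(virbr0) 52:54:00:6c:f4:37",
]
# Constructed trace excerpt in the assumed tshark-export layout (not from the thread's pcap).
SAMPLE_TRACE = [
    "2017-03-11 04:20:00.500000 vnet0 DHCP Discover (constructed)",
    "2017-03-11 04:20:27.100000 virbr0 DHCP Offer 192.168.122.29 (constructed)",
]


def parse_syslog(lines, year, drop=GRSEC_RE):
    """Return (datetime, source, message) tuples; lines matching `drop` are skipped."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or drop.search(line):
            continue
        ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                               "%Y %b %d %H:%M:%S")
        events.append((ts, "syslog", m.group(5)))
    return events


def parse_trace(lines):
    """Return (datetime, source, message) tuples for trace lines with absolute timestamps."""
    events = []
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        stamp = m.group(1)
        fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in stamp else "%Y-%m-%d %H:%M:%S"
        events.append((datetime.strptime(stamp, fmt), "trace", m.group(2)))
    return events


def merge_timeline(syslog_lines, trace_lines, year):
    """Interleave both sources by timestamp; the stable sort keeps per-source order
    for events that share the same second (syslog has no sub-second resolution)."""
    events = parse_syslog(syslog_lines, year) + parse_trace(trace_lines)
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime('%H:%M:%S.%f')[:-3]} {src.ljust(6)} {msg}"
            for ts, src, msg in events]


def bind_failures(syslog_lines, year):
    """Count dnsmasq 'failed to create listening socket' events per address,
    so the symptom from the dumps can be spotted without reading every line."""
    counts = {}
    for _, _, msg in parse_syslog(syslog_lines, year):
        m = BIND_FAIL_RE.search(msg)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    for entry in merge_timeline(SAMPLE_SYSLOG, SAMPLE_TRACE, 2017):
        print(entry)
    print("dnsmasq bind failures:", bind_failures(SAMPLE_SYSLOG, 2017))
```

To use it on real files, read the syslog excerpt and a tshark text export (`tshark -r dump.pcap -t ad` prints absolute date-and-time stamps) into the two lists in place of the constructed samples; both clocks come from the same host, so the interleaving is meaningful as long as the syslog year is given correctly.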
