Page 4 of 4

Re: Libvirt virtualization policies

PostPosted: Sun Apr 02, 2017 7:02 am
by timbgo
I reread the entire topic, preparing for another attempt to solve the issue.
In reareading, I corrected the (misleading) errors that I noticed. You can see where I corrected, in four places [2], because they are all marked with a string beginning with "EDIT 2017-04-02 12"
as well as in the bottom automatically with the timestamp beginning with "Sun Apr 02, 2017 6".

The scripts that I mentioned in the latest posts, and which I will use to get a textual in-one-place comparison of the lines from the network trace and the syslog lines is only half done... I had only a few days for that in the time since I last wrote here...

But I'm still unsure what to try next. Probably either doing a few similar tests first, or, since the cause could perfectly lie with Libvirt, maybe try reinstalling Libvirt in slightly different way... ?

Why could it lie with Libvirt? Because it already happened:

=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests

That bug has cause headaches for lots of people, and it turned out it was resolved after disabling "CONFIG_GRKERNSEC_SYSFS_RESTRICT"... It could be some such story preventing my Libvirt under grsec to get the networking done... And could there be things to install differently regarding the network functionality in Libvirt, maybe... ?

But in the meantime, I'm perfectly able to run Virtual Machines under Qemu, and so, this even isn't a pressing issue to me... An itching issue it is... I'd like to solve it very much, don't misunderstand me!

I'll gladly consider any ideas anyone has in this respect!

Miroslav Rovis
Zagreb, Croatia
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
[2] five places, the last, search strings: "EDIT 2017-04-02 16" "Sun Apr 02, 2017 10"

Re: Libvirt virtualization policies

PostPosted: Wed Apr 05, 2017 12:09 pm
by timbgo
I have made more, new, versions of my /etc/grsec/policy, and probably got Qemu and Tcpdump sorted, but not Libvirt programs in them.
See for yourself:
Qemu RBAC policies (& libvirt & tcpdump...)