Last updated: 2022-01-10
Contents
- XML Setting
- Template
- Debian 10 libvirt apparmor
- Denied by AppArmor
XML Setting
[1]
<seclabel type='dynamic' model='apparmor' relabel='yes'/>
[2]
<seclabel type='none'/>
[3]
<seclabel type='static' model='selinux' relabel='no'> <label>...</label> </seclabel>
type
- 'dynamic' # libvirt automatically generates a unique security label
- 'static' # the administrator chooses the labels
- 'none' # confinement is disabled
model
- SELinux: SELinux context.
- AppArmor: an AppArmor profile.
- DAC: owner and group separated by colon.
relabel
- This must always be yes if dynamic label assignment is used.
- With static label assignment it will default to no.
label
If static labelling is used, this must specify the full security label to assign to the virtual domain.
Usage
<domain type='kvm'> ... <seclabel type='dynamic' model='apparmor' relabel='yes'/> </domain>
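The constraints listed above (dynamic requires relabel='yes', static requires a full label, none disables confinement) are easy to get wrong by hand. The following is an added example for this page, not code from libvirt, that parses a domain definition and reports seclabel elements that violate those rules; the <domain> fragments are constructed for the example and the function name check_seclabels is the author's own choice.

```python
import xml.etree.ElementTree as ET

# Constructed <domain> fragments for the example; not real guest definitions.
DOMAIN_DYNAMIC = """<domain type='kvm'>
  <name>rocky8</name>
  <seclabel type='dynamic' model='apparmor' relabel='yes'/>
</domain>"""

DOMAIN_BAD_DYNAMIC = """<domain type='kvm'>
  <name>rocky8</name>
  <seclabel type='dynamic' model='apparmor' relabel='no'/>
</domain>"""

DOMAIN_STATIC_OK = """<domain type='kvm'>
  <name>rocky8</name>
  <seclabel type='static' model='selinux' relabel='no'>
    <label>system_u:system_r:svirt_t:s0:c100,c200</label>
  </seclabel>
</domain>"""

DOMAIN_STATIC_NO_LABEL = """<domain type='kvm'>
  <name>rocky8</name>
  <seclabel type='static' model='selinux' relabel='no'/>
</domain>"""

DOMAIN_NONE = """<domain type='kvm'>
  <name>rocky8</name>
  <seclabel type='none'/>
</domain>"""


def check_seclabels(domain_xml):
    """Return a list of findings for the <seclabel> elements of a domain.

    Rules applied, taken from the attribute description above:
      dynamic -> relabel must be 'yes' (it is yes when the attribute is omitted)
      static  -> a non-empty <label> child is required (relabel defaults to no)
      none    -> confinement is disabled; reported as a finding so it is visible
    """
    root = ET.fromstring(domain_xml)
    name = root.findtext('name', default='?')
    findings = []
    labels = root.findall('seclabel')
    if not labels:
        findings.append(f"{name}: no <seclabel> element present")
    for sl in labels:
        t = sl.get('type')
        model = sl.get('model', '')
        relabel = sl.get('relabel')
        if t == 'dynamic':
            # relabel omitted means yes; anything else is a misconfiguration
            if relabel not in (None, 'yes'):
                findings.append(
                    f"{name}: dynamic/{model} relabel must be 'yes', got '{relabel}'")
        elif t == 'static':
            label = sl.findtext('label', default='').strip()
            if not label:
                findings.append(f"{name}: static/{model} requires a <label>")
        elif t == 'none':
            findings.append(f"{name}: type='none', guest runs unconfined")
        else:
            findings.append(f"{name}: unknown seclabel type '{t}'")
    return findings


if __name__ == '__main__':
    for doc in (DOMAIN_DYNAMIC, DOMAIN_BAD_DYNAMIC, DOMAIN_STATIC_OK,
                DOMAIN_STATIC_NO_LABEL, DOMAIN_NONE):
        print(check_seclabels(doc) or ['ok'])
```

In practice the input would be the output of `virsh dumpxml <domain>`; the check is deliberately strict about type='none' so that an unconfined guest shows up in a review even though libvirt accepts it.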
Template
# Which package provides the template
dpkg -S /etc/apparmor.d/libvirt/TEMPLATE.qemu
libvirt-bin: /etc/apparmor.d/libvirt/TEMPLATE.qemu
# Which profile a given guest is running under
ps aux | grep seafile
libvirt+ 14304 ...
apparmor_status | grep 14304
libvirt-0e3b5fe3-dfb6-43ed-ab06-a81d0b363dd2 (14304)
virsh domuuid seafile
0e3b5fe3-dfb6-43ed-ab06-a81d0b363dd2
Debian 10 libvirt apparmor
The AppArmor rules for a guest consist of multiple elements:
- static part
- dynamic part # Default
A static part that all guests share (libvirt-daemon package):
/etc/apparmor.d/abstractions/libvirt-qemu
A dynamic part created at guest start time, modified on hotplug/unplug, and deleted on instance power-off:
/etc/apparmor.d/libvirt/libvirt-UUID.files
"/mnt/raid/rockylinux/data2.raw" rwk,
"/mnt/raid/rockylinux/data1.raw" rwk,
P.S.
After running "qemu-monitor-command rocky8 --hmp device_del scsi0-0-0-2", the line '"/mnt/raid/rockylinux/data2.raw" rwk,' is gone from that file.
/usr/lib/libvirt/virt-aa-helper
a helper program which the libvirtd daemon uses instead of manipulating AppArmor directly
Denied by AppArmor
Run:
MyDisk=/mnt/raid/rockylinux/data2.raw
virsh qemu-monitor-command rocky8 --hmp drive_add 0 file=${MyDisk},format=raw,if=none,id=drive-scsi0-0-0-2
Could not open '/mnt/raid/rockylinux/data2.raw': Permission denied
[Step 1] File Permission
chown libvirt-qemu:kvm data2.raw
chmod 660 data2.raw
[Step 2] AppArmor
grep "apparmor" /var/log/syslog | grep libvirt-
aa-status | grep libvirt-
/etc/apparmor.d/libvirt/libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b
#include <tunables/global>
profile libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  #include <libvirt/libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b.files>
  "/mnt/raid/rockylinux/data[1-9].raw" rwk,
}
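The diagnosis in Step 2 is: read the DENIED lines out of syslog, then compare the denied path and requested mask against the rules in the guest's libvirt-UUID profile and its .files include. The following added example (written for this page, not code from libvirt or virt-aa-helper) automates that comparison for both this section and the dynamic-part description above. The profile text is a constructed sample modelled on the profile shown here, with the .files content inlined, and the syslog lines are constructed in the kernel AppArmor audit format; the glob translation covers *, **, ?, [...] and {a,b} and skips owner/deny/audit-prefixed rules, which is a simplification of AppArmor's real matching.

```python
import re

# Constructed sample: the dynamic libvirt-<UUID> profile in the "before" state,
# listing only the disks libvirt knew at guest start. Hand-written for this
# example, not a file generated by virt-aa-helper.
PROFILE_BEFORE = '''
#include <tunables/global>
profile libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b flags=(attach_disconnected) {
  #include <abstractions/libvirt-qemu>
  "/mnt/raid/rockylinux/data1.raw" rwk,
  "/var/lib/libvirt/images/**" rk,
}
'''

# The same profile after the manual rule from this page has been added.
PROFILE_AFTER = PROFILE_BEFORE.replace(
    '}', '  "/mnt/raid/rockylinux/data[1-9].raw" rwk,\n}')

# Constructed syslog lines in the kernel AppArmor audit format; not real logs.
SAMPLE_SYSLOG = '''
Jan 10 10:00:01 host kernel: audit: type=1400 audit(1641808801.123:45): apparmor="DENIED" operation="open" profile="libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b" name="/mnt/raid/rockylinux/data2.raw" pid=14304 comm="qemu-system-x86" requested_mask="rw" denied_mask="rw" fsuid=64055 ouid=64055
Jan 10 10:00:02 host kernel: audit: type=1400 audit(1641808802.456:46): apparmor="DENIED" operation="open" profile="libvirt-57383799-7e79-4b1d-918d-4b39ebacb72b" name="/srv/iso/rocky.iso" pid=14304 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=64055
Jan 10 10:00:03 host sshd[999]: Accepted publickey for admin from 10.0.0.5
'''

# A plain file rule: optional indent, quoted or bare absolute path, mask, comma.
# Rules with a prefix (owner, deny, audit) and other directives do not match,
# so they are ignored: a deliberate simplification of the AppArmor grammar.
RULE_RE = re.compile(r'^\s*(?:"(/[^"]*)"|(/\S*))\s+([a-zA-Z]+),\s*$')

DENY_RE = re.compile(
    r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?requested_mask="(?P<mask>[^"]+)"')


def aa_glob_to_regex(pattern):
    """Translate an AppArmor path glob into a regex body (no anchors)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith('**', i):
            out.append('.*')            # ** crosses directory boundaries
            i += 2
        elif c == '*':
            out.append('[^/]*')         # * stops at a slash
            i += 1
        elif c == '?':
            out.append('[^/]')
            i += 1
        elif c == '[' and ']' in pattern[i:]:
            j = pattern.index(']', i)
            out.append(pattern[i:j + 1])  # character class passes through
            i = j + 1
        elif c == '{' and '}' in pattern[i:]:
            j = pattern.index('}', i)
            alts = [aa_glob_to_regex(a) for a in pattern[i + 1:j].split(',')]
            out.append('(?:' + '|'.join(alts) + ')')
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return ''.join(out)


def glob_matches(glob, path):
    return re.fullmatch(aa_glob_to_regex(glob), path) is not None


def parse_rules(profile_text):
    """Return (glob, mask_set) for every plain file rule in the profile."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1) or m.group(2), set(m.group(3))))
    return rules


def missing_perms(rules, path, requested):
    """Permission letters in requested that no matching rule grants ([] = allowed)."""
    granted = set()
    for glob, mask in rules:
        if glob_matches(glob, path):
            granted |= mask
    return sorted(set(requested) - granted)


def parse_denials(syslog_text, profile_prefix='libvirt-'):
    """Extract (profile, path, requested_mask) from DENIED lines of guest profiles."""
    found = []
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group('profile').startswith(profile_prefix):
            found.append((m.group('profile'), m.group('name'), m.group('mask')))
    return found


def explain_denials(syslog_text, profile_text):
    """For each denial, list which of the requested permissions the profile lacks."""
    rules = parse_rules(profile_text)
    return [(name, mask, missing_perms(rules, name, mask))
            for _profile, name, mask in parse_denials(syslog_text)]


if __name__ == '__main__':
    for label, prof in (('before', PROFILE_BEFORE), ('after', PROFILE_AFTER)):
        for name, mask, missing in explain_denials(SAMPLE_SYSLOG, prof):
            verdict = 'allowed' if not missing else 'missing ' + ''.join(missing)
            print(f'{label}: {name} requested {mask}: {verdict}')
```

Running it shows data2.raw denied r and w against the "before" profile and allowed once the data[1-9].raw rule is present, while the ISO stays denied in both, which is the distinction between "the .files include was not updated" and "this path was never meant to be reachable". To use it on a real host, replace the sample strings with the contents of the libvirt-UUID profile plus its .files include and the output of `grep apparmor /var/log/syslog`.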