Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
No events planned
This is an old revision of the document!
- Back to igraltist's experiences - - - -
-
- ; - ; RSBAC JAIL definition for kvm - ; 20080507 - ; - ; Tested by igraltist - ; - - "" - "0.0.0.0" - (allow-dev-read - allow-dev-write - allow-ipc-syslog - allow-ipc-parent - allow-inet-raw - allow-all-net-family) - (net-raw - setgid - setuid - dac-override - net-admin - dac-read-search - sys-resource - sys-module) - () - (rlimit) -
- - - - - - - -
===== start kvm-guest =====
- See on this example kvm-guest-config the content from file. - -
- kvm-admin start example - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) - [Errno 2] No such file or directory: '/vmserver/qemu.img' - Using already existing Tap device. - Setting up tun-tap-device, done .... - The follow command would be executing: - ['run-jail', 'kvm', '/usr/local/kvm/72/bin/qemu-system-x86_64', '-cdrom', '/usr/src/ISOS/debian-40r3-i386-netinst.iso', '-net', 'nic,vlan=0,macaddr=A9:B9:C9:D9:E9:F0,model=rtl8139', '-net', 'tap,vlan=0,ifname=iface_test,script=/etc/kvm/scripts/kvm-dmz-ifup', '-vnc', ':4', '-m', '265', '-boot', 'd', '-k', 'en-us', '-pidfile', '/var/run/kvm/example.pid', '-smp', '2', '-L', '/usr/local/kvm/72/share/qemu', '-usb', '-usbdevice', 'tablet', '-name', 'example', '-no-fd-bootchk', '-daemonize', '-std-vga', '-localtime'] -
-
- Now I start a guest.
-
- kvm-admin start vserver - uid=1003(kvm) gid=1003(kvm) Gruppen=1003(kvm),6(disk),85(usb) - SIOCSIFADDR: Die Operation ist nicht erlaubt - SIOCSIFFLAGS: Die Operation ist nicht erlaubt - SIOCSIFFLAGS: Die Operation ist nicht erlaubt - SIOCSIFFLAGS: Die Operation ist nicht erlaubt - can't add vserver to bridge eth1: Operation not permitted - (if it already there: device vserver is already a member of a bridge; can't enslave it to bridge eth1.) -
-
- If we must add the tap-device = vserver manually to the bridge.
- In the example is the bridge name dmz_bridge and the tun-tap device name is vserver.
-
- brctl addif dmz_bridge vserver
- ifconfig vserver up
-
- - This I see in the rsbac-log, but the guest is running. -
- <6>0000001281|rsbac_adf_request(): request BIND, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL - <6>0000001282|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL - <6>0000001283|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL - <6>0000001284|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3706, ppid 3705, prog_name ifconfig, prog_file /sbin/ifconfig, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid vserver, attr none, value none, result NOT_GRANTED by JAIL - <6>0000001285|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 3707, ppid 3705, prog_name brctl, prog_file /sbin/brctl, uid 0, audit uid 1003, remote ip 192.168.1.5, target_type NETDEV, tid eth1, attr none, value none, result NOT_GRANTED by JAIL -
- - - - - -
===== show-jail-info =====
- Do this: -
cat /proc/rsbac-info/jail
-
- or you can use this:
- http://svn.kasten-edv.de/svn/rsbac/trunk/bin/ps-jail.py
-
- I get this output. Its very similar to the above.
-
-
- ./ps-jail.py - Loading Jail info for Processes, done. - -------------------------------------------------------------------------------- - Processname Pid Jail-ID Flags Max-caps SCD-get SCD-mod Jail-IP - ntpd 7337 7 1539 50349250 0 6291491 0.0.0.0 - dmeventd 7281 6 1537 -1 0 2113536 0.0.0.0 - cupsd 7103 3 1546 -1 0 32 0.0.0.0 - dhcpd 7224 5 67083 271555 0 0 0.0.0.0 - pickup 3286 8 67073 -1 0 32 0.0.0.0 - qemu-system-x86 3704 28 71178 16855238 0 32 0.0.0.0 - master 7441 8 67073 -1 0 32 0.0.0.0 - smbd 7560 10 1538 17302752 0 32 0.0.0.0 - qemu-system-x86 29614 26 71178 16855238 0 32 0.0.0.0 - qmgr 7448 8 67073 -1 0 32 0.0.0.0 - nmbd 7561 11 1538 17302752 0 32 0.0.0.0 - syslog-ng 11370 13 40448 -1 0 0 0.0.0.0 - cron 11428 14 71168 -1 0 32 0.0.0.0 - pdnsd 12945 16 71176 17310912 262144 16416 0.0.0.0 - qemu-system-x86 25748 23 71178 16855238 0 32 0.0.0.0 - qemu-system-x86 26053 24 71178 16855238 0 32 0.0.0.0 - portmap 6242 2 1537 -1 0 0 0.0.0.0 - smbd 7556 10 1538 17302752 0 32 0.0.0.0 - -------------------------------------------------------------------------------- - It took 0.94s seconds. -
- Fixme: convert numbers in readable names. - - Top - -