I recently built a system with 32 GB of RAM, an Intel Core i7 3770K CPU at 3.5 GHz and 2 TB of disk space. I tried to load KVM but it failed. I went into the BIOS, disabled "Trusted Execution", enabled CPU virtualization and rebooted the machine. Now I have the finest and greatest available at my fingertips...
----------------- detail below ------------------
[root@my32GB Packages]# virt-manager
Error polling connection 'qemu:///system': internal error Cannot find suitable emulator for x86_64
Traceback (most recent call last):
File "/usr/share/virt-manager/virtManager/engine.py", line 440, in _tick
conn.tick()
File "/usr/share/virt-manager/virtManager/connection.py", line 1422, in tick
newNets, self.nets) = self._update_nets()
File "/usr/share/virt-manager/virtManager/connection.py", line 1285, in _update_nets
lookup_func, build_class)
File "/usr/share/virt-manager/virtManager/connection.py", line 1217, in _poll_helper
if not check_support():
File "/usr/share/virt-manager/virtManager/connection.py", line 509, in is_network_capable
virtinst.support.SUPPORT_CONN_NETWORK)
File "/usr/lib/python2.6/site-packages/virtinst/support.py", line 574, in check_conn_support
return _check_support(conn, feature, conn)
File "/usr/lib/python2.6/site-packages/virtinst/support.py", line 443, in _check_support
actual_drv_ver = _hv_ver(conn, uri)
File "/usr/lib/python2.6/site-packages/virtinst/support.py", line 376, in _hv_ver
ret = cmd(*args)
File "/usr/lib64/python2.6/site-packages/libvirt.py", line 3192, in getVersion
if ret == -1: raise libvirtError ('virConnectGetVersion() failed', conn=self)
libvirtError: internal error Cannot find suitable emulator for x86_64
[root@my32GB Packages]# grep -i kvm /var/log/messages | more
Jan 16 05:49:10 my32GB kernel: kvm: disabled by bios
Jan 16 21:53:28 my32GB kernel: kvm: disabled by bios
Jan 17 18:03:49 my32GB kernel: kvm: disabled by bios
Jan 17 20:17:32 my32GB kernel: kvm: disabled by bios
=====================================
RHEL 6 virtualization
KVM - Kernel-based Virtual Machine (hypervisor)
QEMU - Processor emulator
RHEL 6 only supports virtualization via KVM/QEMU, and
only on 64-bit systems supporting virtualization extensions:
Intel: Intel VT ( flag: vmx - virtual machine extensions ) (VT-x)
AMD: AMD-V ( flag: svm - secure virtual machine )
$ grep flags /proc/cpuinfo
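The flag check above and the "kvm: disabled by bios" log line at the top of this post are the whole diagnosis. The script below is an added example (not part of the original notes) that automates it: it reads a cpuinfo file, a kernel log file and the /dev/kvm path, all of which default to the live locations but can be pointed at saved copies, and the constructed sample at the end reproduces the BIOS-disabled case. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original notes): check whether this host can
# run KVM guests. It covers the three things the post ran into: the CPU must
# advertise vmx (Intel VT-x) or svm (AMD-V), the kernel must not have logged
# "kvm: disabled by bios", and /dev/kvm must exist.
# Every check takes its input as a path so it can be run against saved copies
# (or the constructed sample below) as well as the live system.

# Print the virtualization flag in a cpuinfo file ("vmx" or "svm"), or nothing
# if the CPU advertises neither.
virt_flag() {
    cpuinfo="${1:-/proc/cpuinfo}"
    if grep -q -w vmx "$cpuinfo" 2>/dev/null; then
        echo vmx
    elif grep -q -w svm "$cpuinfo" 2>/dev/null; then
        echo svm
    fi
}

# Return 0 if the kernel log says the firmware disabled VT, 1 otherwise.
kvm_disabled_by_bios() {
    log="${1:-/var/log/messages}"
    grep -q -i 'kvm: disabled by bios' "$log" 2>/dev/null
}

# Overall verdict: prints one of ok, no-vt, bios-disabled, no-dev-kvm.
# Args: cpuinfo path, kernel log path, kvm device path (all optional).
kvm_status() {
    cpuinfo="${1:-/proc/cpuinfo}"
    log="${2:-/var/log/messages}"
    devkvm="${3:-/dev/kvm}"
    if [ -z "$(virt_flag "$cpuinfo")" ]; then
        echo no-vt
    elif kvm_disabled_by_bios "$log"; then
        echo bios-disabled
    elif [ ! -c "$devkvm" ]; then
        echo no-dev-kvm
    else
        echo ok
    fi
}

# Constructed sample (not captured from the post's host): a vmx-capable CPU
# whose firmware still has VT switched off, i.e. the situation at the top
# of this post.
SAMPLE=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ept\n' > "$SAMPLE/cpuinfo"
printf 'Jan 16 05:49:10 host kernel: kvm: disabled by bios\n' > "$SAMPLE/messages"
echo "sample host: $(kvm_status "$SAMPLE/cpuinfo" "$SAMPLE/messages" /dev/null)"   # bios-disabled
rm -rf "$SAMPLE"

# Live check when run on a real host (skipped if the log is not readable).
if [ -r /proc/cpuinfo ] && [ -r /var/log/messages ]; then
    echo "this host: $(kvm_status)"
fi
```

On a host that reports no-vt there is nothing to fix in software; bios-disabled is the firmware setting this post changed; no-dev-kvm usually means the kvm_intel or kvm_amd module is not loaded.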
PACKAGES
There are four package groups available to install the
necessary and ancillary software to support virtualization.
Virtualization
Virtualization Client
Virtualization Platform
Virtualization Tools
LIBVIRT
libvirt is the management framework used in RHEL 6
virtualization.
The libvirtd daemon will always be running in the
background to handle virtualization needs and management
requests such as starting, stopping, installing, etc.
Interface to libvirt is provided by:
virsh - command line client
virt-manager - GUI client
LAB
1. Create a VM on your machine using the RHEL 6 i386
sources available on server1.
2. Make sure the guest starts on host reboot.
INSTALL RED HAT ENTERPRISE LINUX AUTOMATICALLY USING KICKSTART
Use kernel boot options:
linux ks=http://host/ks.cfg
linux ks=ftp://host/ks.cfg
linux ks=nfs:host:/ks.cfg
linux ks=cdrom:/dev/dir/ks.cfg
linux ks=hd:/dev/dir/ks.cfg
linux ks=file:/dev/dir/ks.cfg
1. Install, deploy and maintain the OS
Set up virt-manager and install the OS
1. Check if libvirtd is running.
# /etc/init.d/libvirtd status
# /etc/init.d/libvirtd start
# /etc/init.d/libvirtd status
libvirtd (pid 3429) is running...
# chkconfig libvirtd on
# chkconfig libvirtd --list
libvirtd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
2. Run virt-manager
GUI: Applications -> System Tools -> Virtual Machine Manager
CLI: virt-manager &
3. You will see the Virtual Machine Manager window with a computer icon on the left.
a. Click on the icon.
b. In the New VM window, enter the virtual machine details: the name and how you would like to install (local media, network, PXE, or import an existing disk image).
c. Make your selection; I would pick the local media option.
4. Click Forward and specify your CD-ROM or ISO image location.
Also specify the OS type and version (I have an ISO).
5. Click Forward and specify the memory and CPU information (2GB, 2 CPU).
6. Click Forward and specify the disk space.
a. Check "Enable storage for this virtual machine".
b. Specify the disk image size (I would pick 20GB).
c. Check "Allocate entire disk".
7. Click Forward and click on Advanced options.
a. Select your network type (NAT/bridge); I select a bridged network.
b. Check "Set a fixed MAC address".
c. Select Virt Type: kvm (there is qemu too) and Architecture: x86_64.
8. Now click Finish. Installation begins.
-------------------------------------------------
Virtual Machine Text Console
With libguestfs-tools installed and the VM in question shut down, from the host:
# virt-edit {VMname} /boot/grub/menu.lst
Append the following to the kernel line of the boot entry:
console=tty0 console=ttyS0
After saving, the following commands should allow a console-based view
of the boot process and a console login:
# virsh start {VMname} ; virsh console {VMname}   (press ^] to disconnect from the console)
Start and stop virtual machines.
# virsh start <vm name>
# virsh shutdown <vm name> : Graceful shutdown
# virsh destroy <vm name> : Power off virtual machine.
# virsh autostart <vm name> : Start vm at boot.
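As an added example that is not part of the original notes, the kernel-line edit above can be made repeatable and idempotent. The first function applies the change to a menu.lst file (keeping a .orig copy, mirroring virt-edit -b .orig) and is exercised on a constructed sample; the last function hands the same substitution to virt-edit -e on a guest, refusing unless the guest is shut off. The function names, the CONSOLE_ARGS variable and the sample menu.lst are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): make the "add console=tty0
# console=ttyS0 to the kernel line" step repeatable. The edit is a plain text
# transformation, so it is written as a function over a menu.lst file that can
# be exercised on a constructed sample; the last function hands the same
# substitution to virt-edit -e on a shut-off guest.

CONSOLE_ARGS='console=tty0 console=ttyS0'

# Append the console arguments to every "kernel" line in FILE that does not
# already carry them (idempotent). Keeps a FILE.orig copy, like virt-edit -b.
add_serial_console() {
    file="$1"
    cp -p "$file" "$file.orig"
    # Address only lines starting with optional whitespace + "kernel", and
    # inside those skip the ones that already mention console=ttyS0.
    sed -e "/^[[:space:]]*kernel[[:space:]]/{/console=ttyS0/!s/\$/ $CONSOLE_ARGS/;}" \
        "$file.orig" > "$file"
}

# Count kernel lines in FILE that have the serial console configured.
serial_kernel_lines() {
    grep -c -E '^[[:space:]]*kernel[[:space:]].*console=ttyS0' "$1"
}

# The same change on a guest's /boot/grub/menu.lst through libguestfs.
# virt-edit writes to the guest disk, so it is refused unless libvirt reports
# the guest as shut off. (Not run by the sample below.)
guest_add_serial_console() {
    vm="$1"
    if [ "$(virsh domstate "$vm")" != "shut off" ]; then
        echo "$vm is not shut off; refusing to edit its disk" >&2
        return 1
    fi
    virt-edit -b .orig -d "$vm" \
        -e 's/^(\s*kernel\s.*)$/$1 '"$CONSOLE_ARGS"'/ unless /console=ttyS0/' \
        /boot/grub/menu.lst
}

# Constructed sample menu.lst (not copied from a real guest).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux (2.6.32-220.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-220.el6.x86_64 ro root=/dev/mapper/VolGroup-lv_root rhgb quiet
        initrd /initramfs-2.6.32-220.el6.x86_64.img
EOF
add_serial_console "$SAMPLE"
add_serial_console "$SAMPLE"   # second run must not duplicate the arguments
grep '^[[:space:]]*kernel' "$SAMPLE"
rm -f "$SAMPLE" "$SAMPLE.orig"
```

The serial console matters beyond convenience: with it configured you can reach a guest through virsh console on the host without a VNC listener, which is one network service fewer to expose.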
------------------------------------------------------
Virtual Machines using KVM
To install with prompts:
# virt-install --prompt
List virtual machines:
# virsh list
Stop a virtual machine:
# virsh destroy <vm name>
Configure VM autostart:
# virsh autostart <vm name>
Unconfigure VM autostart:
# virsh autostart --disable <vm name>
To install:
# virt-install --name=ramsing.expanor.local -r 768 --disk path=/var/lib/libvirt/images/ramsing.expanor.local.img,size=8 -l http://192.168.10.110/pub/inst -x "ks=http://192.168.10.110/pub/ks/rhel03.cfg"
============================================
KVM - Command Line Administration
1. Install a virtual machine using the virt-install command.
# virt-install \
--name TESTSERV1 \
--ram 500 \
--vcpus=2 \
--network network=default \
--os-variant RHEL6
2. Clone a virtual guest using the virt-clone command.
# virt-clone --original TESTSERV1 --name TESTSERV2 --file /var/lib/libvirt/images/TESTSERV2.img --mac 00:50:56:98:70:0B
Note: You may get a network error or "interface is not available"; search the web for the fix.
3. List the currently installed KVM guests with the virsh list --all command (or type # virsh and then list --all at the virsh prompt).
# virsh list --all
Id Name State
----------------------------------------------------
18 TESTSERV2 running
19 TESTSERV1 running
- TESTSERV2 shut off
Note: virt-inspector will show the OS version, kernel version, mount points and installed drivers.
# virt-inspector DOMAIN
4. Check the CPU/Memory Utilization
# virt-top
virt-top 14:49:49 - x86_64 2/2CPU 3400MHz 1751MB
3 domains, 2 active, 2 running, 0 sleeping, 0 paused, 1 inactive D:0 O:0 X:0
CPU: 1.5% Mem: 1536 MB (1536 MB by guests)
ID S RDRQ WRRQ RXBY TXBY %CPU %MEM TIME NAME
19 R 0 0 12K 0 1.1 29.0 7:14.45 TESTSERV1
18 R 0 0 184 0 0.3 58.0 2:39.18 TESTSERV3
- (TESTSERV2)
5. Check the directory contents of a guest machine
# virt-ls -l -a /Virtual/TESTSERV1.img /root
total 80
dr-xr-x---. 3 root root 4096 Jun 28 05:21 .
dr-xr-xr-x. 25 root root 4096 Jun 28 07:19 ..
-rw------- 1 root root 420 Jun 28 09:17 .bash_history
-rw-r--r--. 1 root root 18 May 20 2009 .bash_logout
-rw-r--r--. 1 root root 176 May 20 2009 .bash_profile
-rw-r--r--. 1 root root 176 Sep 23 2004 .bashrc
-rw-r--r--. 1 root root 100 Sep 23 2004 .cshrc
drwx------ 2 root root 4096 Jun 24 05:22 .ssh
-rw-r--r--. 1 root root 129 Dec 4 2004 .tcshrc
-rw-------. 1 root root 1364 Jun 24 04:40 anaconda-ks.cfg
-rw-r--r--. 1 root root 26876 Jun 24 04:39 install.log
-rw-r--r--. 1 root root 7572 Jun 24 04:38 install.log.syslog
6. List the content of a file on a guest machine.
# virt-cat -d TESTSERV1 /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=TESTSER1
7. Check mount points and FS utilization.
# virt-df -h -d TESTSERV1
Filesystem Size Used Available Use%
TESTSERV1:/dev/sda1 193M 28M 155M 15%
TESTSERV1:/dev/OSVG/lvroot 7.7G 1.7G 5.6G 23%
8. List the partition, FS and LVM info of a guest OS. (# virt-filesystems -d DOMAIN)
# virt-filesystems -d TEST-LINUX1 --long --all
Name Type VFS Label MBR Size Parent
/dev/sda1 filesystem ext4 - - 524288000 -
/dev/VolGroup/lv_root filesystem ext4 - - 10242490368 -
/dev/VolGroup/lv_swap filesystem swap - - 2113929216 -
/dev/VolGroup/lv_root lv - - - 10242490368 /dev/VolGroup
/dev/VolGroup/lv_swap lv - - - 2113929216 /dev/VolGroup
/dev/VolGroup vg - - - 12356419584 -
/dev/sda2 pv - - - 12356419584 -
/dev/sda1 partition - - 83 524288000 /dev/sda
/dev/sda2 partition - - 8e 12359565312 /dev/sda
/dev/sda device - - - 12884901888 -
9. Copy the guest file/directory content. (# virt-copy-out -d DOMAIN /file|dir localdir)
# virt-copy-out -d TESTSERV1 /root/testfile.txt /root
10. Copy a file/directory from the host server to the guest OS. (# virt-copy-in -d DOMAIN file|dir /destination)
# virt-copy-in -d TESTSERV1 /root/testerfile1.txt /root/
Note: Using "virt-copy-in" on live virtual machines can be dangerous, potentially causing disk corruption. The virtual machine must be shut down before you use this command.
11. Edit a file of a KVM guest OS. (# virt-edit -d DOMAIN filename)
# virt-edit -b .orig -d TEST-LINUX1 /root/testfile.txt
Use the -b option to make a backup of the original file.
Note: Using "virt-edit" on live virtual machines can be dangerous, potentially causing disk corruption. The virtual machine must be shut down before you use this command.
There are lots of other command line tools to administer KVM virtual machines on RHEL6.
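Both "must be shut down" notes in steps 10 and 11 rely on the operator remembering to check. The wrapper below is an added example (not from the original notes) that asks libvirt for the domain state with virsh domstate and refuses to run virt-copy-in or virt-edit unless it reports "shut off". The VIRSH, VIRT_COPY_IN and VIRT_EDIT variables exist only so the tool paths can be overridden; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): a guard that enforces the two
# "must be shut down" notes above before anything writes to a guest disk.
# The state comes from "virsh domstate DOMAIN", which prints e.g. "running",
# "paused" or "shut off". Tool names are held in variables only so that they
# can be overridden (for testing, or when the tools are not on PATH).
: "${VIRSH:=virsh}"
: "${VIRT_COPY_IN:=virt-copy-in}"
: "${VIRT_EDIT:=virt-edit}"

# Return 0 only when libvirt reports DOMAIN as "shut off".
guest_is_shut_off() {
    state=$($VIRSH domstate "$1" 2>/dev/null) || return 1
    [ "$state" = "shut off" ]
}

# Run COMMAND [ARGS...] only if DOMAIN is shut off; otherwise refuse with
# status 2 and leave the guest disk untouched.
# Usage: guarded_guest_write DOMAIN COMMAND [ARGS...]
guarded_guest_write() {
    vm="$1"; shift
    if ! guest_is_shut_off "$vm"; then
        echo "refusing '$*': guest $vm is not shut off (writing to its disk now risks corruption)" >&2
        return 2
    fi
    "$@"
}

# Guarded versions of steps 10 and 11 above.
#   safe_copy_in DOMAIN HOST_PATH GUEST_DIR
#   safe_edit    DOMAIN GUEST_FILE      (keeps a .orig backup inside the guest)
safe_copy_in() { guarded_guest_write "$1" "$VIRT_COPY_IN" -d "$1" "$2" "$3"; }
safe_edit()    { guarded_guest_write "$1" "$VIRT_EDIT" -b .orig -d "$1" "$2"; }

# Command-line entry point:
#   script copy-in DOMAIN SRC DEST
#   script edit    DOMAIN FILE
case "${1:-}" in
    copy-in) if [ "$#" -eq 4 ]; then safe_copy_in "$2" "$3" "$4"; fi ;;
    edit)    if [ "$#" -eq 3 ]; then safe_edit "$2" "$3"; fi ;;
esac
```

Read-only tools such as virt-cat, virt-ls and virt-df do not need the guard; only the commands that write into the guest image do.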
=================================================
ACCESS A VIRTUAL MACHINE'S CONSOLE
virt-manager
OR virt-viewer
OR:
1. virsh vncdisplay domain
2. vncviewer localhost:display
START AND STOP VIRTUAL MACHINES
virt-manager
OR:
1. virsh start domain
2. virsh shutdown domain
======================================
List and identify SELinux file and process context.
View SELinux contexts of processes:
# ps -eZ, ps -axZ, ps -Zc <process name>, etc.
View SELinux contexts of files and directories:
# ls -Zd /path/to/dir/, ls -Z /path/to/file, etc.
View SELinux contexts of users:
id -Z
Policy context rules are stored in
/etc/selinux/targeted/contexts/files/file_contexts and
/etc/selinux/targeted/contexts/files/file_contexts.local
# semanage fcontext -[a|d|m] -f <ftype> -t <context> '<regex>'
e.g.: semanage fcontext -a -t virt_image_t "/virtstorage(/.*)?"
Restore default file contexts.
# restorecon -R -v /dir/ : note the trailing slash. -R = recursive (all child files and directories), -v = verbose.
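A practical check to pair with the fcontext rule and restorecon above: list every entry in an image directory whose type is not virt_image_t, since an image copied in with cp keeps the label of wherever it came from and the guest will then be denied access to it. This is an added example, not code from the original notes; the parser reads ls -Z output (so it can run on a constructed sample) and check_image_dir runs it against a real directory. The function names and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that everything under a
# guest-image directory carries the type the fcontext rule above assigns
# (virt_image_t), and report anything that does not. The parser works on
# "ls -Z" output so it can be exercised on a constructed sample; the second
# function runs the real command against a live directory.

# Read "ls -Z" lines on stdin; print the name of each entry whose SELinux type
# is not EXPECTED_TYPE. On RHEL 6, "ls -Z" prints:
#   -rw-------. root root system_u:object_r:virt_image_t:s0 TESTSERV1.img
# The context is the field containing ":object_r:"; the type is its 3rd part.
# (Names are taken as the last field, so names with spaces are not handled.)
mislabelled() {
    expected="$1"
    awk -v want="$expected" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:object_r:/) { ctx = $i; name = $NF; break }
            }
            if (ctx == "") next
            n = split(ctx, p, ":")
            if (p[3] != want) print name
            ctx = ""
        }'
}

# Live check: list everything in DIR that is not virt_image_t. Returns 1 if
# any mislabelled entry was found, so it can gate a restorecon run.
check_image_dir() {
    dir="${1:-/var/lib/libvirt/images}"
    bad=$(ls -Z "$dir" | mislabelled virt_image_t)
    if [ -n "$bad" ]; then
        echo "mislabelled in $dir:" >&2
        echo "$bad" >&2
        return 1
    fi
}

# Constructed sample (not output from a real host): two images, one of which
# still carries the var_lib_t label it inherited when it was copied in.
SAMPLE='-rw-------. root root system_u:object_r:virt_image_t:s0 TESTSERV1.img
-rw-------. root root unconfined_u:object_r:var_lib_t:s0 TESTSERV2.img
drwx------. root root system_u:object_r:virt_image_t:s0 snapshots'
echo "$SAMPLE" | mislabelled virt_image_t     # prints TESTSERV2.img

# The repair, once an fcontext rule covers the directory, is:
#   restorecon -R -v /var/lib/libvirt/images/
```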
Use boolean settings to modify system SELinux settings.
- Booleans are plain text files located in /selinux/booleans
- semanage boolean -l : List booleans with basic descriptions (very useful with grep)
- setsebool [-P] <boolean_name> : set SE boolean, -P to make permanent (survive reboot)
- Use the graphical tool: system-config-selinux
Diagnose and address routine SELinux policy violations.
Many targeted services have specialised man pages dealing with SELinux configuration.
Display these pages with:
# man -k '_selinux'
Installing setroubleshoot-server sends SELinux error messages to /var/log/messages. These can be further parsed with sealert.
audit2why and audit2allow can be used to parse the messages in /var/log/audit/audit.log and explain why access was denied, and how to modify your configuration to allow it.
# semanage port -l : list SELinux port settings.
SELinux Packages and utilities
coreutils : Always installed. Provides some default elements of SELinux.
policycoreutils : Provides restorecon, secon, setfiles, et al.
libselinux-utils : Provides getenforce, setenforce, getsebool, setsebool, et al.
policycoreutils-gui : Provides system-config-selinux and sepolgen, et al.
policycoreutils-python : Provides semanage, audit2allow, audit2why, et al.
setroubleshoot : Provides seapplet
setroubleshoot-server : Provides sealert, sedispatch, setroubleshootd, et al.
==========================
SET ENFORCING AND PERMISSIVE MODES FOR SELINUX
Persistent change:
/etc/selinux/config:
SELINUX=enforcing|permissive
Current session (non-persistent change):
setenforce 1|0|enforcing|permissive
VIEW SELINUX STATUS:
sestatus
LIST AND IDENTIFY SELINUX FILE AND PROCESS CONTEXT
ls -lZ
ps -efZ
RESTORE DEFAULT FILE CONTEXTS
restorecon -R file
USE BOOLEAN SETTINGS TO MODIFY SYSTEM SELINUX SETTINGS
View booleans:
getsebool -a | grep keyword
OR semanage boolean -l | grep keyword
Change booleans:
setsebool -P boolean on|off
DIAGNOSE AND ADDRESS ROUTINE SELINUX POLICY VIOLATIONS
Diagnose:
/var/log/audit/audit.log
/var/log/messages
view service logs
sealert
Fix:
audit2allow
setsebool -P boolean on|off
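Before feeding denials to audit2allow, it helps to see what is actually being denied, since an allow rule generated from a mislabelled image or a blocked port quietly weakens confinement where a restorecon, a semanage port change or a boolean would fix the cause. The script below is an added example (not from the original notes) that groups type=AVC lines from audit.log by command, source type, target type, class and permission; the function name and the sample audit lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise AVC denials from
# audit.log before reaching for audit2allow. Grouping denials by source type,
# target type, class and permission first makes it obvious whether a label
# fix, a port definition or a boolean is the right answer.

# Read audit.log lines on stdin, keep "type=AVC ... denied" records, and print
# one line per distinct (comm, scontext type, tcontext type, tclass,
# permission) with a count, sorted for stable output.
avc_summary() {
    awk '
        $1 == "type=AVC" && / denied / {
            comm = ""; s = ""; t = ""; cls = ""; perm = ""
            # the permission set sits between "denied  {" and "}"
            if (match($0, /denied +[{] [^}]* [}]/)) {
                perm = substr($0, RSTART, RLENGTH)
                sub(/^denied +[{] /, "", perm); sub(/ [}]$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")          comm = kv[2]
                else if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
                else if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
                else if (kv[1] == "tclass")   cls = kv[2]
            }
            gsub(/"/, "", comm)
            key = comm " " s " " t " " cls " " perm
            count[key]++
        }
        END { for (k in count) print count[k], k }' | sort -k2
}

# Live use: summarise the host audit log (or a copy taken from another host).
audit_avc_summary() {
    avc_summary < "${1:-/var/log/audit/audit.log}"
}

# Constructed sample records (not taken from a real audit log). The first
# three are what a guest image left labelled var_lib_t looks like; the last
# is a confined web process trying to reach a VNC port.
SAMPLE='type=AVC msg=audit(1326752950.101:201): avc:  denied  { read } for  pid=4321 comm="qemu-kvm" name="TESTSERV2.img" dev=dm-0 ino=9001 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1326752950.102:202): avc:  denied  { write } for  pid=4321 comm="qemu-kvm" name="TESTSERV2.img" dev=dm-0 ino=9001 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1326752951.300:203): avc:  denied  { read } for  pid=4321 comm="qemu-kvm" name="TESTSERV2.img" dev=dm-0 ino=9001 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1326752951.300:203): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
type=AVC msg=audit(1326752960.500:210): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=5900 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket'

echo "$SAMPLE" | avc_summary
# prints:
#   1 httpd httpd_t vnc_port_t tcp_socket name_connect
#   2 qemu-kvm svirt_t var_lib_t file read
#   1 qemu-kvm svirt_t var_lib_t file write
```

In the sample, the svirt_t/var_lib_t lines point at an image that needs restorecon (or the fcontext rule from the SELinux section above), and the httpd_t/vnc_port_t line points at a boolean or port question; neither is a case for audit2allow.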
========================