Hi everyone!
Until now I've used Debian as a VM under ESXi, but we're now switching to Hyper-V. The Hyper-V tools primarily support the CentOS/Red Hat line, so I installed a CentOS in the test environment.
The problem is that it keeps throwing the error below:
This is a known permissions error; I even found a howto for it and a script that fixes it:
Script: https://gist.github.com/gildas/4b1c5e19fa8057d90d745c1754cb46b2
Problem description:
SELinux Policy Needed for Hyper-V Daemons
During the installation of Linux Integration Services 4.2.2-2 the Hyper-V daemons are installed in
different device files. The default SELinux policies accept these new device files and will operate
without needing intervention. On Red Hat Enterprise Linux, CentOS, and Oracle Linux with the
Red Hat Compatible Kernel versions 6.6, 6.7, 6.8, 7.1, and 7.2 SELinux Policy can prevent the
daemons for KVP and VSS from operating.
The following sample policy can be used to allow these daemons to operate if SELinux policies
have restricted the Hyper-V daemons:
module hyperv-daemons 1.0;
require {
    type hypervkvp_t;
    type device_t;
    type hypervvssd_t;
    # ifconfig_t is used in an allow rule below, so it has to be declared here too
    type ifconfig_t;
    class chr_file { read write open };
}
allow hypervkvp_t device_t:chr_file { read write open };
allow hypervvssd_t device_t:chr_file { read write open };
allow ifconfig_t device_t:chr_file { read write open };
Put this policy in hyperv-daemons.te and compile it with the following command (as root or with
sudo):
# make -f /usr/share/selinux/devel/Makefile hyperv-daemons.pp
To test the module and not have it loaded automatically on boot:
# semodule -i hyperv-daemons.pp
Then, to add the modules to the SELinux “Targeted” policy and automatically load it on future
boots:
# semodule -s targeted -i hyperv-daemons.pp
If the SELinux policy is installed at the same time as installation of Linux Integration Services
4.2.2-2, a message may be seen that the device files /dev/vmbus/hv_kvp or /dev/vmbus/hv_vss
do not exist. These device files will not be created until the system is rebooted after installation
of Linux Integration Services 4.2.2-2 and this message can be ignored.
The trouble is that even though I do (or rather the script does) what is described here, unfortunately the error still comes up just the same... (the only thing I changed in the script is that I use the 4.2 tool)
Has anyone run into this problem before?
Comments
Just a tip:
maybe change this line:
allow ifconfig_t device_t:chr_file { read write open };
to this:
allow ip_t device_t:chr_file { read write open };
As far as I can see, the error message shows it trying to call the ip command, but the policy has ifconfig in it.
What does audit2allow < /var/log/audit/audit.log say?
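Added example (not part of the thread or of the quoted documentation): a Python check in the spirit of the audit2allow question above, comparing AVC denials against the sample module's allow rules and listing the permissions that are still not granted. The audit records are constructed, and `example_t` and the `comm` values are hypothetical; on a real system the input would be `/var/log/audit/audit.log`.

```python
import re

# Allow rules of the sample policy quoted in the post.
POLICY_TE = """
allow hypervkvp_t device_t:chr_file { read write open };
allow hypervvssd_t device_t:chr_file { read write open };
allow ifconfig_t device_t:chr_file { read write open };
"""

# Constructed AVC records (not from the poster's system); example_t is hypothetical.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { read write } for  pid=801 comm="hv_kvp_daemon" name="hv_kvp" dev="devtmpfs" ino=9001 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1500000000.102:202): avc:  denied  { ioctl } for  pid=802 comm="hv_vss_daemon" name="hv_vss" dev="devtmpfs" ino=9002 scontext=system_u:system_r:hypervvssd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1500000000.103:203): avc:  denied  { read write } for  pid=803 comm="example" name="hv_kvp" dev="devtmpfs" ino=9001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1500000000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="example"
"""

ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;')
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]*)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(\w+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(\w+)\S*\s+tclass=(\w+)')

def parse_allow_rules(te_text):
    """Map (source type, target type, class) -> set of allowed permissions."""
    rules = {}
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def uncovered_denials(audit_text, rules):
    """Return the denials whose permissions the rules do not fully grant."""
    out = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms, comm, src, tgt, cls = m.groups()
        missing = set(perms.split()) - rules.get((src, tgt, cls), set())
        if missing:
            out.append((comm, src, tgt, cls, sorted(missing)))
    return out

if __name__ == "__main__":
    rules = parse_allow_rules(POLICY_TE)
    for comm, src, tgt, cls, missing in uncovered_denials(SAMPLE_AUDIT_LOG, rules):
        print(f"{comm}: allow {src} {tgt}:{cls} {{ {' '.join(missing)} }};")
```

The match is made on the source type in `scontext`, not on the command name in `comm`, so the domain printed for each leftover denial is the one a rule would have to name.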