From 7e25e0780eac92701904aa86689e8759da98fb86 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Mon, 4 Feb 2013 21:47:52 +0000 Subject: [PATCH] FAQ: Update section on sVirt. --- examples/guestfs-faq.pod | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/examples/guestfs-faq.pod b/examples/guestfs-faq.pod index 6dc9673ec..035493a52 100644 --- a/examples/guestfs-faq.pod +++ b/examples/guestfs-faq.pod @@ -382,8 +382,9 @@ If you are using mock, do: =head2 How can I add support for sVirt? -Note: We are planning to make this configuration the default in -S. If you find any problems, please let us know or file a bug. +Note for Fedora/RHEL users: This configuration is the default starting +with S and S. If you find any problems, please let +us know or file a bug. L provides a hardened appliance using SELinux, making it very hard for a rogue disk image to 
@@ -393,23 +394,27 @@ sVirt provides an extra layer of protection for the host and more importantly protects virtual machines on the same host from each other). -Currently to enable sVirt you will need the very latest libvirt (from -git), libguestfs and SELinux policies. If you are not running -S, you will need to make changes to your SELinux policy - -contact us on the mailing list. +Currently to enable sVirt you will need libvirt E 0.10.2 (1.0 or +later preferred), libguestfs E 1.20, and the SELinux policies from +recent Fedora. If you are not running S, you will need to +make changes to your SELinux policy - contact us on the mailing list. Once you have the requirements, do: ./configure --with-default-attach-method=libvirt make -Enable SELinux, and sVirt should be used automatically. +Set SELinux to Enforcing mode, and sVirt should be used automatically. All, or almost all, features of libguestfs should work under sVirt. There is one known shortcoming: L will not use libvirt (hence sVirt), but falls back to direct launch of qemu. So you won't currently get the benefit of sVirt protection when using virt-rescue. +You can check if sVirt is being used by enabling libvirtd logging (see +C), killing and restarting libvirtd, and +checking the log files for S<"Setting SELinux context on ..."> messages. + In theory sVirt should support AppArmor, but we have not tried it. It will almost certainly require patching libvirt and writing an AppArmor policy.
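Review bot: In the first hunk (@@ -382,8 +382,9 @@) the added note reads "the default starting with S and S" and the requirements line in the second hunk reads "libvirt E 0.10.2" and "libguestfs E 1.20"; as shown here the POD S<...> and E<...> escapes carry no content, so the distribution versions and the comparison operators (presumably E<ge>) are unreadable. Confirm the committed guestfs-faq.pod actually contains the version strings inside S<...> and uses E<ge> for the operators, since "This configuration is the default starting with ..." is useless to a reader without them, and check that pod2man renders the result as intended.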
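Review bot: The new verification paragraph in the second hunk ("You can check if sVirt is being used by enabling libvirtd logging ... checking the log files for "Setting SELinux context on ..." messages") only confirms that libvirt is labelling the appliance, not that the policy is enforced: libvirt emits the same messages when SELinux is in Permissive mode, so a reader could see them and still have no confinement. Since the hunk above it already says "Set SELinux to Enforcing mode, and sVirt should be used automatically", suggest the paragraph also tell readers to confirm Enforcing mode (for example with getenforce) alongside the log check, and ideally to verify the running qemu process carries the svirt_t context rather than relying on the log line alone. Minor: the "C" reference to the logging configuration file is empty in this rendering, so verify the C<...> path is present in the source.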