I have been looking, for several stretches over the last three days or so, into the several issues remaining to get libvirt and its relatives running while protected with grsec RBAC policies.
Some of these issues show up as errors in my Air-Gapped machine and in my online clone when starting VMs.
There is also another issue which is not related to grsecurity RBAC policies, and I described it in:
Whonix on Gentoo issues
https://forums.whonix.org/t/whonix-on-g ... es/3188/17
But the other issues are related to RBAC policies.
The successful run of Tails that I described in the link already given was with full deployment of RBAC policies, although with most of the libvirt and associated groups, users and subjects still set to learning only, as described so far in this topic.
---
And I think that at this point I should briefly, for completeness, also point the newbie readers to how I installed iptables, which was also fully deployed in that successful run of three days ago now:
https://web.archive.org/web/20140701061 ... -firewall/
(the original page has been, sadly, down for a year or longer)
Also, in the page I already gave, there may be a few more tips:
Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html
(search for "iptables")
---
But, as I'll show in the next post, I have had changes that led to an apparent dead end with setting up my policies. And I was thinking I'd post the logs, very verbose, but kept much shorter than what I will post in:
Devuan's precursor's, as Tails, image in Qemu (11), part 2
https://www.croatiafidelis.hr/foss/cap/ ... 11.php#No1
because I haven't got a clue why, as you will see (in the next post), the dnsmasq errors just wouldn't go away.
These logs are just what happens after:
Code:
# service libvirtd restart
# service libvirt-guests restart
and it may be that understanding them is necessary to set the right RBAC policies.
It is also important to note that a few seconds short of two minutes after restarting libvirtd and libvirt-guests, which happened offline, I went through the usual procedure with uncenz-1st run and physically plugged in the cable to connect to the internet, and successfully ran Tails.
First the user (me, as root) issued service libvirtd restart:
Code:
Mar 2 17:19:17 g0n kernel: [65444.399413] grsec: (admin:S:/) exec of /sbin/service (service libvirtd restart ) by /sbin/service[bash:17172] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4692] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.400846] grsec: (admin:S:/) exec of /etc/init.d/libvirtd (/etc/init.d/libvirtd restart ) by /etc/init.d/libvirtd[service:17172] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4692] uid/euid:0/0 gid/egid:0/0
Next, libvirt springs into action.
Code:
Mar 2 17:19:17 g0n kernel: [65444.677291] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-9 ) by /bin/kmod[kworker/u8:3:17240] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:3:17077] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n libvirtd: SQL engine 'mysql' not supported
Mar 2 17:19:17 g0n libvirtd: auxpropfunc error no mechanism available
Mar 2 17:19:17 g0n libvirtd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Mar 2 17:19:17 g0n kernel: [65444.691588] grsec: (admin:S:/) exec of /lib64/rc/bin/eend (eend 0 Failed to start libvirtd ) by /lib64/rc/bin/eend[openrc-run.sh:17243] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17202] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.701016] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --version ) by /usr/sbin/dnsmasq[libvirtd:17242] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.735433] grsec: (admin:S:/) exec of /lib64/rc/bin/service_set_value (service_set_value command /usr/sbin/libvirtd ) by /lib64/rc/bin/service_set_value[openrc-run.sh:17244] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17202] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.736694] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --help ) by /usr/sbin/dnsmasq[libvirtd:17245] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.743371] grsec: (admin:S:/) exec of /lib64/rc/bin/service_set_value (service_set_value pidfile /var/run/libvirtd.pid ) by /lib64/rc/bin/service_set_value[openrc-run.sh:17246] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17202] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.776615] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w -L -n ) by /sbin/xtables-multi[libvirtd:17251] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.783592] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/ip6tables -w -L -n ) by /sbin/xtables-multi[libvirtd:17252] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.796545] grsec: (admin:S:/) exec of /sbin/ebtables (/sbin/ebtables --concurrent -L ) by /sbin/ebtables[libvirtd:17253] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.837584] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSU) by /sbin/xtables-multi[libvirtd:17254] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.842581] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17255] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:17 g0n kernel: [65444.846103] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17256] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.851485] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17257] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.855608] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17258] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.860190] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE ) by /sbin/xtables-multi[libvirtd:17259] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.863698] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctst) by /sbin/xtables-multi[libvirtd:17260] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.866085] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.866091] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.866095] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.866098] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
The sequence of the 4 lines above repeats a lot below, while of the fifth lines that follow each such four I leave all of them intact... (in the first round, and I'm trying to keep it as complete as possible):
Code:
Mar 2 17:19:18 g0n kernel: [65444.868044] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17261] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.872135] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17262] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.876132] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT ) by /sbin/xtables-multi[libvirtd:17263] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.880589] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT ) by /sbin/xtables-multi[libvirtd:17264] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.884585] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17265] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.890590] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17266] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.895599] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17267] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.900603] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17268] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.906592] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17269] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.913150] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17270] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.917588] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17271] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.922131] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17272] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.928159] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17273] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.939601] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17274] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.945224] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --in-interface virbr0 --jump REJECT ) by /sbin/xtables-multi[libvirtd:17275] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.950589] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --out-interface virbr0 --jump REJECT ) by /sbin/xtables-multi[libvirtd:17276] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.954583] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17277] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.959611] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17278] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.964594] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctst) by /sbin/xtables-multi[libvirtd:17279] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
So, again, all the lines in the section above had four lines like the ones below after them (which are just like the first four such lines in the section further above).
Code:
Mar 2 17:19:18 g0n kernel: [65444.966974] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.966980] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.966983] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.966987] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
There, the 4 lines are identical but for the "[some.number]" after "Mar 2 17:19:18 g0n kernel:".
Code:
Mar 2 17:19:18 g0n kernel: [65444.970603] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE ) by /sbin/xtables-multi[libvirtd:17280] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.976599] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17281] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.980844] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17282] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.985115] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17283] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.989863] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17284] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.993678] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSU) by /sbin/xtables-multi[libvirtd:17285] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.997853] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr1 --out-interface virbr1 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17286] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65444.999923] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.999928] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.999931] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65444.999935] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
The 2nd batch of syslog lines.
The same 4 lines just above again, and I am removing them from just a little further below. The fifth line to the above four:
Code:
Mar 2 17:19:18 g0n kernel: [65445.002128] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr1 --jump REJECT ) by /sbin/xtables-multi[libvirtd:17287] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
The difference between the first batch of syslog lines, which I struggle hard to abbreviate, and this second one is just, apparently:
"virbr0" in the first batch
"virbr1" in the second batch
In the meantime, below, dnsmasq said its piece; otherwise the 4 proverbial lines are the same.
Code:
Mar 2 17:19:18 g0n kernel: [65445.064606] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --in-interface virbr1 --out-interface virbr1 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17301] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n dnsmasq[4289]: read /etc/hosts - 16 addresses
Mar 2 17:19:18 g0n dnsmasq[4289]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Mar 2 17:19:18 g0n dnsmasq-dhcp[4289]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Mar 2 17:19:18 g0n kernel: [65445.066591] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65445.066596] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65445.066599] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65445.066602] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:18 g0n kernel: [65445.627181] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --version ) by /sbin/xtables-multi[libvirtd:17302] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:18 g0n kernel: [65445.664718] grsec: (admin:S:/) exec of /usr/sbin/dmidecode (/usr/sbin/dmidecode -q -t 0,1,2,4,17 ) by /usr/sbin/dmidecode[libvirtd:17303] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17241] uid/euid:0/0 gid/egid:0/0
Next the user (me, as root) issued service libvirt-guests restart:
Code:
Mar 2 17:19:23 g0n kernel: [65450.352993] grsec: (admin:S:/) exec of /sbin/service (service libvirt-guests restart ) by /sbin/service[bash:17426] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4692] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.366030] grsec: (admin:S:/) exec of /etc/init.d/libvirt-guests (/etc/init.d/libvirt-guests restart ) by /etc/init.d/libvirt-guests[service:17426] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4692] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.367647] grsec: (admin:S:/) chdir to / by /etc/init.d/libvirt-guests[libvirt-guests:17426] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:4692] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.378699] grsec: (admin:S:/) exec of /lib64/rc/sh/openrc-run.sh (/lib64/rc/sh/openrc-run.sh /etc/init.d/libvirt-guests stop ) by /lib64/rc/sh/openrc-run.sh[libvirt-guests:17429] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/libvirt-guests[libvirt-guests:17426] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.385664] grsec: (admin:S:/) exec of /lib64/rc/bin/eval_ecolors (eval_ecolors ) by /lib64/rc/bin/eval_ecolors[openrc-run.sh:17432] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17431] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.410679] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/libvirt-guests ) by /bin/mkdir[openrc-run.sh:17434] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.411481] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:17434] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.411496] grsec: (admin:S:/) chdir to /sys/fs by /bin/mkdir[mkdir:17434] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.411509] grsec: (admin:S:/) chdir to /sys/fs/cgroup by /bin/mkdir[mkdir:17434] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.411523] grsec: (admin:S:/) chdir to /sys/fs/cgroup/openrc by /bin/mkdir[mkdir:17434] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.413673] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/libvirt-guests ) by /bin/mkdir[openrc-run.sh:17435] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.413712] grsec: (:::kernel::::S:/) exec of /lib64/rc/sh/cgroup-release-agent.sh (/lib64/rc/sh/cgroup-release-agent.sh /libvirt-guests ) by /lib64/rc/sh/cgroup-release-agent.sh[kworker/u8:4:17436] uid/euid:0/0 gid/egid:0/0, parent /[kthreadd:2] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:23 g0n kernel: [65450.414429] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:17435] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
(a lot is cut here)
Code:
Mar 2 17:19:43 g0n dhcpcd[3570]: virbr0: carrier lost
Mar 2 17:19:43 g0n kernel: [65470.199044] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17613] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.209073] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:17615] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17613] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.211014] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /bin/rm[dhcpcd-run-hook:17616] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17613] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.214135] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /bin/rm[dhcpcd-run-hook:17617] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17613] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n dhcpcd[3570]: virbr0: deleting default route
Mar 2 17:19:43 g0n dhcpcd[3570]: virbr0: deleting route to 169.254.0.0/16
Mar 2 17:19:43 g0n kernel: [65470.237130] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17619] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.245274] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /usr/bin/cmp[dhcpcd-run-hook:17621] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17619] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.247107] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:17622] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17619] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.248634] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.ipv4ll ) by /bin/rm[dhcpcd-run-hook:17623] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17619] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.258821] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17625] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.267369] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:17627] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17625] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.271035] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /bin/rm[dhcpcd-run-hook:17628] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17625] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:43 g0n kernel: [65470.274056] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0.dhcp ) by /bin/rm[dhcpcd-run-hook:17629] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17625] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.862051] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17635] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17632] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.862753] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system list --uuid --persistent ) by /usr/bin/virsh[openrc-run.sh:17634] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17632] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.877451] grsec: (admin:S:/) exec of /bin/wc (wc -l ) by /bin/wc[openrc-run.sh:17633] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17631] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.881049] grsec: (admin:S:/) exec of /lib64/rc/bin/einfo (einfo Shutting down domain(s) ... ) by /lib64/rc/bin/einfo[openrc-run.sh:17637] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.886051] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17640] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17638] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.887032] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system list --uuid --transient ) by /usr/bin/virsh[openrc-run.sh:17639] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17638] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.909979] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system list --uuid --transient ) by /usr/bin/virsh[openrc-run.sh:17645] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17643] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.910049] grsec: (admin:S:/) exec of /bin/wc (wc -l ) by /bin/wc[openrc-run.sh:17644] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17642] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.915042] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17646] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17643] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.930729] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17650] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17648] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.931065] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system list --uuid --transient ) by /usr/bin/virsh[openrc-run.sh:17649] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17648] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.948055] grsec: (admin:S:/) exec of /lib64/rc/bin/einfo (einfo Shutting down network(s): ) by /lib64/rc/bin/einfo[openrc-run.sh:17652] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.951180] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system net-list --uuid --persistent ) by /usr/bin/virsh[openrc-run.sh:17654] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17653] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.954418] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17655] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17653] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.970085] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system net-name 220a72af-13b1-4655-b909-bf08e943028a ) by /usr/bin/virsh[openrc-run.sh:17658] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17657] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.972131] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17659] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17657] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.988048] grsec: (admin:S:/) exec of /lib64/rc/bin/einfo (einfo default ) by /lib64/rc/bin/einfo[openrc-run.sh:17661] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.991334] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17663] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65470.993241] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system net-destroy 220a72af-13b1-4655-b909-bf08e943028a ) by /usr/bin/virsh[openrc-run.sh:17662] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17429] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dnsmasq[4289]: exiting on receipt of SIGTERM
Mar 2 17:19:44 g0n kernel: [65471.007552] grsec: (default:D:/) denied unlink of /run/libvirt/network/default.pid by /usr/sbin/dnsmasq[dnsmasq:4289] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0-nic: removing interface
Mar 2 17:19:44 g0n kernel: [65471.008552] device virbr0-nic left promiscuous mode
Mar 2 17:19:44 g0n kernel: [65471.008557] virbr0: port 1(virbr0-nic) entered disabled state
Mar 2 17:19:44 g0n kernel: [65471.010292] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh virbr0-nic stop ) by /lib64/udev/net.sh[udevd:17666] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:17577] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.012031] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- netdev-virbr0-nic ) by /bin/kmod[kworker/u8:3:17665] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:3:17077] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.015108] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- virbr0-nic grsec_modharden_netdev ) by /bin/kmod[kworker/u8:3:17667] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:3:17077] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.016836] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17668] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.026051] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:17670] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17668] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.027951] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /bin/rm[dhcpcd-run-hook:17671] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17668] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.030682] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSU) by /sbin/xtables-multi[libvirtd:17673] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.030896] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /bin/rm[dhcpcd-run-hook:17672] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17668] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.035040] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17674] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0: new hardware address: 00:00:00:00:00:00
Mar 2 17:19:44 g0n kernel: [65471.041047] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17676] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.046044] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.050617] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17678] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.056626] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE ) by /sbin/xtables-multi[libvirtd:17679] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.061616] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctst) by /sbin/xtables-multi[libvirtd:17680] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.064123] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.064129] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.064132] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.064135] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.066049] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17681] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17227] uid/euid:0/0 gid/egid:0/0
...
Maybe here follows the main point. Why is it that dnsmasq works below, while in my later attempts, which I will post next, it consistently fails?
Code:
Mar 2 17:19:44 g0n kernel: [65471.491046] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctst) by /sbin/xtables-multi[libvirtd:17814] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.493588] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.493593] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.493596] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.493599] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0-nic: IAID 00:ea:ee:e9
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0: carrier acquired
Mar 2 17:19:44 g0n kernel: [65471.496050] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE ) by /sbin/xtables-multi[libvirtd:17815] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.497285] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17816] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.500348] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17817] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.504150] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQ) by /sbin/xtables-multi[libvirtd:17818] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0: IAID 00:ea:ee:e9
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0: IAID conflicts with one assigned to virbr0-nic
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0: adding address fe80::7e36:b0a1:9718:3d3a
Mar 2 17:19:44 g0n dhcpcd[3570]: if_addaddress6: Permission denied
Mar 2 17:19:44 g0n kernel: [65471.509054] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17819] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.512510] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table nat --insert POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN ) by /sbin/xtables-multi[libvirtd:17820] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.516373] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table mangle --insert POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSU) by /sbin/xtables-multi[libvirtd:17821] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.526947] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --version ) by /usr/sbin/dnsmasq[libvirtd:17822] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0-nic: soliciting an IPv6 router
Mar 2 17:19:44 g0n kernel: [65471.532054] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --help ) by /usr/sbin/dnsmasq[libvirtd:17823] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.537689] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelp) by /usr/sbin/dnsmasq[libvirtd:17824] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.542047] grsec: (admin:S:/) exec of /bin/bash (sh -c /usr/libexec/libvirt_leaseshelper init ) by /bin/bash[dnsmasq:17825] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/dnsmasq[dnsmasq:17824] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.548921] grsec: (admin:S:/) exec of /usr/libexec/libvirt_leaseshelper (/usr/libexec/libvirt_leaseshelper init ) by /usr/libexec/libvirt_leaseshelper[sh:17825] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/dnsmasq[dnsmasq:17824] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.555262] grsec: (admin:S:/) chdir to / by /usr/sbin/dnsmasq[dnsmasq:17824] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dnsmasq[17827]: started, version 2.76 cachesize 150
Mar 2 17:19:44 g0n dnsmasq[17827]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua no-TFTP conntrack ipset no-auth no-DNSSEC loop-detect inotify
Mar 2 17:19:44 g0n dnsmasq-dhcp[17827]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
Mar 2 17:19:44 g0n dnsmasq-dhcp[17827]: DHCP, sockets bound exclusively to interface virbr0
Mar 2 17:19:44 g0n dnsmasq[17827]: no servers found in /etc/resolv.conf, will retry
Mar 2 17:19:44 g0n dnsmasq[17827]: read /etc/hosts - 16 addresses
Mar 2 17:19:44 g0n dnsmasq[17827]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
Mar 2 17:19:44 g0n dnsmasq-dhcp[17827]: read /var/lib/libvirt/dnsmasq/default.hostsfile
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr0-nic: carrier lost
Mar 2 17:19:44 g0n kernel: [65471.560063] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17829] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.569254] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:17831] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17829] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.571273] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /bin/rm[dhcpcd-run-hook:17832] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17829] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.574011] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr0-nic.dhcp ) by /bin/rm[dhcpcd-run-hook:17833] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17829] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.576702] virbr0: port 1(virbr0-nic) entered disabled state
Mar 2 17:19:44 g0n kernel: [65471.581115] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17837] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17835] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.581757] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system net-name 7e4f38ed-8848-485e-b610-808c9e3bf0d8 ) by /usr/bin/virsh[openrc-run.sh:17836] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17835] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.600075] grsec: (admin:S:/) exec of /lib64/rc/bin/einfo (einfo Whonix ) by /lib64/rc/bin/einfo[openrc-run.sh:17839] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17755] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.603061] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system net-start 7e4f38ed-8848-485e-b610-808c9e3bf0d8 ) by /usr/bin/virsh[openrc-run.sh:17840] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17755] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.603289] grsec: (admin:S:/) exec of /bin/head (head -n -1 ) by /bin/head[openrc-run.sh:17841] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17755] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.616851] virbr1: port 1(virbr1-nic) entered blocking state
Mar 2 17:19:44 g0n kernel: [65471.616855] virbr1: port 1(virbr1-nic) entered disabled state
Mar 2 17:19:44 g0n kernel: [65471.616949] device virbr1-nic entered promiscuous mode
Mar 2 17:19:44 g0n kernel: [65471.618045] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh virbr1 start ) by /lib64/udev/net.sh[udevd:17843] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:17786] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.619047] grsec: (root:U:/) exec of /lib64/udev/net.sh (/lib/udev/net.sh virbr1-nic start ) by /lib64/udev/net.sh[udevd:17845] uid/euid:0/0 gid/egid:0/0, parent /sbin/udevd[udevd:17577] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.619426] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-16-family-nl80211 ) by /bin/kmod[kworker/u8:3:17844] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:3:17077] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.622039] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17846] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.630919] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17847] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.639071] grsec: (root:U:/) exec of /usr/bin/cmp (cmp -s /etc/resolv.conf /run/dhcpcd/resolv.conf.virbr1.dhcp ) by /usr/bin/cmp[dhcpcd-run-hook:17850] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17847] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.641052] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr1.dhcp ) by /bin/rm[dhcpcd-run-hook:17851] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17847] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.642516] grsec: (root:U:/bin/rm) exec of /bin/rm (rm -f /run/dhcpcd/resolv.conf.virbr1.dhcp ) by /bin/rm[dhcpcd-run-hook:17852] uid/euid:0/0 gid/egid:0/0, parent /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd-run-hook:17847] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dhcpcd[3570]: virbr1: waiting for carrier
Mar 2 17:19:44 g0n kernel: [65471.647074] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr1 --protocol tcp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17854] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.647733] virbr1: port 1(virbr1-nic) entered blocking state
Mar 2 17:19:44 g0n kernel: [65471.647737] virbr1: port 1(virbr1-nic) entered listening state
Mar 2 17:19:44 g0n kernel: [65471.648777] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-16-family-nl80211 ) by /bin/kmod[kworker/u8:4:17855] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:4:16806] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.649624] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.649629] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.649633] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.649636] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
Mar 2 17:19:44 g0n kernel: [65471.651858] grsec: (admin:S:/) exec of /sbin/xtables-multi (/sbin/iptables -w --table filter --insert INPUT --in-interface virbr1 --protocol udp --destination-port 67 --jump ACCEPT ) by /sbin/xtables-multi[libvirtd:17856] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
All the above was just following the user (me, as root) having issued "service libvirtd restart" and "service libvirt-guests restart".
If there are important parts with syslog lines of the libvirt actions missing from above, please look up:
Devuan's precursor's, as Tails, image in Qemu (11), part 2
https://www.croatiafidelis.hr/foss/cap/ ... 11.php#No1
Here followed the successful run of Tails in a virtual machine by pure Qemu, about which you can read at:
https://www.croatiafidelis.hr/foss/cap/ ... 11.php#No2
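Added example, not part of the original post and not grsecurity's or libvirt's own tooling: a small Python triage script for the `grsec: (role:type:subject) ...` audit lines quoted above. It parses each line into role, role type (U user, G group, S special, D default), subject, operation, target path, binary, comm/pid and uid, lists the denials together with the gradm object-mode letter such a grant would need, and groups binaries by the role/subject they executed under. Run over the lines from this very log it shows the one real RBAC denial (the old dnsmasq, pid 4289, uid 65534, still in `default:D:/`, was refused `unlink` of `/run/libvirt/network/default.pid` when it got SIGTERM), and that the dnsmasq libvirtd spawned during the restart ran under the `admin` special role (`admin:S:/`) instead, so the two instances were judged by different policy. The sample lines are copied from the log above; the operation-to-mode mapping is my assumption from the gradm object-mode letters and should be checked against the gradm documentation for your version.

```python
"""Triage grsecurity RBAC audit lines found in syslog (added example)."""
import re
from collections import defaultdict

# Sample input: lines copied verbatim from the syslog quoted in the post.
# The plain dnsmasq line is included to show that non-grsec lines are skipped.
SAMPLE_LOG = """\
Mar 2 17:19:44 g0n kernel: [65470.887032] grsec: (admin:S:/) exec of /usr/bin/virsh (virsh -c qemu:///system list --uuid --transient ) by /usr/bin/virsh[openrc-run.sh:17639] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:17638] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n dnsmasq[4289]: exiting on receipt of SIGTERM
Mar 2 17:19:44 g0n kernel: [65471.007552] grsec: (default:D:/) denied unlink of /run/libvirt/network/default.pid by /usr/sbin/dnsmasq[dnsmasq:4289] uid/euid:65534/65534 gid/egid:65534/65534, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.012031] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- netdev-virbr0-nic ) by /bin/kmod[kworker/u8:3:17665] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:3:17077] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.016836] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:17668] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:3570] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.537689] grsec: (admin:S:/) exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelp) by /usr/sbin/dnsmasq[libvirtd:17824] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
Mar 2 17:19:44 g0n kernel: [65471.555262] grsec: (admin:S:/) chdir to / by /usr/sbin/dnsmasq[dnsmasq:17824] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/libvirtd[libvirtd:17226] uid/euid:0/0 gid/egid:0/0
"""

# Shape of the audit line as it appears in the log:
#   grsec: (ROLE:T:SUBJECT) [denied ]OP of|to TARGET [(argv)] by BIN[comm:pid]
#   uid/euid:U/E gid/egid:G/E, parent PBIN[pcomm:ppid] ...
# ROLE may itself contain colons (":::kernel:::"), and comm may too
# ("kworker/u8:3"), hence the non-greedy matches in those places.
GRSEC_RE = re.compile(
    r"grsec: \((?P<role>.*?):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) "
    r"(?P<denied>denied )?(?P<op>\S+) (?:of|to) (?P<target>\S+)"
    r"(?: \((?P<argv>.*?)\))? by (?P<binary>\S+?)\[(?P<comm>[^\]]+?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r", parent (?P<parent>\S+?)\[(?P<pcomm>[^\]]+?):(?P<ppid>\d+)\]"
)

# Assumption: gradm object-mode letter that would grant each denied operation
# (d = delete, c = create, x = execute, l = link). Verify against gradm docs.
OP_TO_MODE = {"unlink": "d", "rmdir": "d", "create": "c", "mkdir": "c",
              "exec": "x", "link": "l"}


def parse_grsec(lines):
    """Return one dict per grsec audit line; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = GRSEC_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["denied"] = ev["denied"] is not None
        for key in ("uid", "euid", "gid", "egid", "pid", "ppid"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def denials(events):
    """One record per denial, with the object mode the grant would need."""
    return [
        {"role": ev["role"], "rtype": ev["rtype"], "subject": ev["subject"],
         "binary": ev["binary"], "uid": ev["uid"], "op": ev["op"],
         "target": ev["target"], "mode": OP_TO_MODE.get(ev["op"], "?")}
        for ev in events if ev["denied"]
    ]


def subjects_seen(events):
    """(role, type, subject) -> set of binaries that executed under it."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["role"], ev["rtype"], ev["subject"])].add(ev["binary"])
    return dict(seen)


def split_personalities(events):
    """Binaries that ran under more than one role/subject in this log."""
    by_bin = defaultdict(set)
    for ev in events:
        by_bin[ev["binary"]].add((ev["role"], ev["rtype"], ev["subject"]))
    return {b: s for b, s in by_bin.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_grsec(SAMPLE_LOG.splitlines())
    for d in denials(evs):
        print(f"DENIED {d['op']} of {d['target']} to {d['binary']} (uid {d['uid']}) "
              f"in {d['role']}:{d['rtype']}:{d['subject']} -> object needs mode '{d['mode']}'")
    for (role, rtype, subj), bins in sorted(subjects_seen(evs).items()):
        print(f"{role}:{rtype}:{subj} ran {', '.join(sorted(bins))}")
    for binary, subjects in split_personalities(evs).items():
        print(f"{binary} ran under {len(subjects)} different role/subjects: {sorted(subjects)}")
```

Feed it `grep grsec: /var/log/messages` for a whole boot-to-VM-start window rather than this excerpt; a binary that shows up under two different role/subjects, as dnsmasq does here, is exactly the case where a learning run under the admin special role produces no denials while the same program started at boot under the default role does.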