Virtualization Firewall Information - Red Hat ENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE Manual

# semanage fcontext -a -t xen_image_t -f -b /dev/sda2
# restorecon /dev/sda2
The Boolean parameter xend_disable_t can set xend to unconfined mode after the daemon is restarted.
It is better to disable protection for a single daemon than for the whole system. It is advisable not
to re-label directories as xen_image_t that you will use elsewhere.
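The following Python script is an added example, not part of the guide: it checks the booleans named in this section (xend_disable_t above and the KVM booleans in the table that follows) against the defaults the guide states. It parses the `name --> on|off` line format printed by `getsebool -a`; the sample output embedded in the script is constructed, and xend_disable_t is treated as "expected off" because the text says turning it on puts xend into unconfined mode (the guide does not state its default, so that expectation is an assumption). The live-host helper only runs if you call it yourself.

```python
"""Audit the SELinux booleans from this section against their documented defaults."""
import re
import subprocess

# Defaults as given in the KVM SELinux Booleans table of this section.
# xend_disable_t: default not stated on the page; expected off (assumption, see lead-in).
EXPECTED = {
    "allow_unconfined_qemu_transition": "off",
    "qemu_full_network": "on",
    "qemu_use_cifs": "on",
    "qemu_use_comm": "off",
    "qemu_use_nfs": "on",
    "qemu_use_usb": "on",
    "xend_disable_t": "off",
}

# Booleans whose "on" state widens what the confined domains may do.
PRIVILEGE_WIDENING = {"allow_unconfined_qemu_transition", "qemu_use_comm", "xend_disable_t"}

# `getsebool -a` prints one boolean per line as: name --> on
LINE_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")


def parse_getsebool(text):
    """Turn getsebool output into {name: 'on'|'off'}; lines that do not match are ignored."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            state[m.group(1)] = m.group(2)
    return state


def audit(state, expected=EXPECTED):
    """Return (boolean, current, expected, severity) for every deviation from the defaults.

    severity is 'high' when a privilege-widening boolean is on, 'info' otherwise
    (including booleans that are absent from the policy on this host).
    """
    findings = []
    for name, want in expected.items():
        have = state.get(name)
        if have is None:
            findings.append((name, "missing", want, "info"))
        elif have != want:
            sev = "high" if (have == "on" and name in PRIVILEGE_WIDENING) else "info"
            findings.append((name, have, want, sev))
    return findings


def audit_live_host():
    """Run getsebool on this machine (needs the SELinux userland tools installed)."""
    out = subprocess.run(["getsebool", "-a"], capture_output=True, text=True, check=True).stdout
    return audit(parse_getsebool(out))


# Constructed sample: two booleans deviate from the documented defaults.
SAMPLE_OUTPUT = """\
allow_unconfined_qemu_transition --> on
qemu_full_network --> on
qemu_use_cifs --> off
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
xend_disable_t --> off
"""

if __name__ == "__main__":
    for name, have, want, sev in audit(parse_getsebool(SAMPLE_OUTPUT)):
        print(f"[{sev}] {name}: is {have}, documented default is {want}")
```

Run against the sample, the script reports allow_unconfined_qemu_transition as a high-severity deviation (guests could be transitioned to unconfined users) and qemu_use_cifs=off as informational, since that only narrows what KVM may reach.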
KVM and SELinux
There are several SELinux booleans which affect KVM. These booleans are listed below for your
convenience.
KVM SELinux Booleans
SELinux Boolean                   Description
allow_unconfined_qemu_transition  Default: off. This boolean controls whether KVM guests can be
                                  transitioned to unconfined users.
qemu_full_network                 Default: on. This boolean controls full network access to KVM
                                  guests.
qemu_use_cifs                     Default: on. This boolean controls KVM's access to CIFS or
                                  Samba file systems.
qemu_use_comm                     Default: off. This boolean controls whether KVM can access serial
                                  or parallel communications ports.
qemu_use_nfs                      Default: on. This boolean controls KVM's access to NFS file
                                  systems.
qemu_use_usb                      Default: on. This boolean allows KVM to access USB devices.

17.4. Virtualization firewall information

Various ports are used for communication between virtualized guests and management utilities.
Guest network services
Any network service on a virtualized guest must have the applicable ports open on the
guest to allow external access. If a network service on a guest is firewalled it will be
inaccessible. Always verify the guest's network configuration first.
• ICMP requests must be accepted. ICMP packets are used for network testing. You cannot ping
guests if ICMP packets are blocked.
• Port 22 should be open for SSH access and the initial installation.
• Ports 80 or 443 (depending on the security settings on the RHEV Manager) are used by the vdsm-reg
service to communicate information about the host.
• Ports 5634 to 6166 are used for guest console access with the SPICE protocol.
• Port 8002 is used by Xen for live migration.
• Ports 49152 to 49216 are used for migrations with KVM. Migration may use any port in this range
depending on the number of concurrent migrations occurring.
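The following Python script is an added example, not from the guide: it reads an iptables-save dump of a host's rules and reports which of the services listed in section 17.4 (ICMP, port 22, port 80 or 443, 5634 to 6166, 8002, 49152 to 49216) are actually accepted. The dump embedded in the script is constructed and deliberately leaves two gaps. Assumptions: every `-j ACCEPT` rule in the dump is reachable from INPUT (true for the stock RH-Firewall-1-INPUT layout where INPUT jumps straight to it), and only the `--dport N`, `--dport A:B` and multiport `--dports a,b` forms are parsed.

```python
"""Check iptables-save output against the ports section 17.4 says must be reachable."""
import re

# An -A <chain> ... -j ACCEPT line; the middle part carries the match options.
RULE_RE = re.compile(r"^-A\s+\S+\s+(.*)-j\s+ACCEPT\s*$")
PROTO_RE = re.compile(r"-p\s+(\w+)")
DPORT_RE = re.compile(r"--dports?\s+([\d:,]+)")


def parse_accepts(dump):
    """Return ({'tcp': [(lo, hi), ...], 'udp': [...]}, icmp_accepted) from iptables-save text."""
    ranges = {"tcp": [], "udp": []}
    icmp = False
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # chain declarations, COMMIT, jumps, REJECT/DROP rules
        body = m.group(1)
        pm = PROTO_RE.search(body)
        proto = pm.group(1) if pm else None
        if proto == "icmp":
            icmp = True
            continue
        if proto not in ranges:
            continue  # e.g. "-i lo" or state-only rules without a protocol
        dm = DPORT_RE.search(body)
        if not dm:
            continue
        for spec in dm.group(1).split(","):
            lo, _, hi = spec.partition(":")
            ranges[proto].append((int(lo), int(hi or lo)))
    return ranges, icmp


def covers(ranges, lo, hi):
    """True if the union of the accepted ranges contains every port from lo to hi."""
    need = lo  # lowest port not yet shown to be accepted
    for a, b in sorted(ranges):
        if a > need:
            break  # a gap before the next accepted range
        if b >= need:
            need = b + 1
        if need > hi:
            return True
    return need > hi


def check(dump):
    """Map each documented service to whether the host accepts it; 80 and 443 are alternatives."""
    ranges, icmp = parse_accepts(dump)
    tcp = ranges["tcp"]
    return {
        "ICMP echo": icmp,
        "SSH (22)": covers(tcp, 22, 22),
        "vdsm-reg (80 or 443)": covers(tcp, 80, 80) or covers(tcp, 443, 443),
        "SPICE console (5634-6166)": covers(tcp, 5634, 6166),
        "Xen live migration (8002)": covers(tcp, 8002, 8002),
        "KVM migration (49152-49216)": covers(tcp, 49152, 49216),
    }


# Constructed dump in the RHEL 5 RH-Firewall-1-INPUT style; SPICE range is cut short, 8002 is missing.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5634:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 49152:49216 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for service, ok in check(SAMPLE_DUMP).items():
        print(f"{'OK     ' if ok else 'MISSING'} {service}")
```

To audit a real host, feed it the output of `iptables-save` (for example `check(open("/tmp/rules").read())`). The range check is deliberately strict: a SPICE rule that stops at 6000 is reported as missing, because a console on a higher port in the range would silently fail.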