Installation guide

The Boolean parameter xend_disable_t, when enabled, runs xend in unconfined mode after the
daemon is restarted. Disabling protection for a single daemon in this way is preferable to disabling
it for the whole system. Do not re-label directories as xen_image_t if they are also used for other
purposes.
KVM and SELinux
There are several SELinux booleans which affect KVM. These booleans are listed below for your
convenience.
KVM SELinux Booleans

SELinux Boolean                   Default   Description
allow_unconfined_qemu_transition  off       Controls whether KVM guests can be transitioned to unconfined users.
qemu_full_network                 on        Controls full network access for KVM guests.
qemu_use_cifs                     on        Controls KVM's access to CIFS or Samba file systems.
qemu_use_comm                     off       Controls whether KVM can access serial or parallel communication ports.
qemu_use_nfs                      on        Controls KVM's access to NFS file systems.
qemu_use_usb                      on        Allows KVM to access USB devices.
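The following script is an added example and is not part of the original guide. It audits a host's KVM-related SELinux booleans against the defaults documented in the table above and prints the setsebool commands that would restore them, without changing anything. The getsebool output it parses is a constructed sample with two booleans deliberately set away from their defaults; on a real host the same functions are fed from getsebool -a.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a host's KVM-related
# SELinux booleans against the defaults documented in the table above and
# print the setsebool commands that would restore them. Nothing is changed.

# Documented defaults, name=value, one per line.
KVM_BOOL_DEFAULTS="allow_unconfined_qemu_transition=off
qemu_full_network=on
qemu_use_cifs=on
qemu_use_comm=off
qemu_use_nfs=on
qemu_use_usb=on"

# Constructed sample of 'getsebool -a' output so the example runs offline.
# Two booleans deliberately differ from the documented defaults.
SAMPLE_GETSEBOOL="allow_unconfined_qemu_transition --> on
qemu_full_network --> on
qemu_use_cifs --> off
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
virt_use_nfs --> off"

# audit_kvm_booleans: read 'getsebool -a' style lines ("name --> value") on
# stdin and print one line per KVM boolean that differs from its documented
# default, as "name current=<value> default=<value>". A boolean absent from
# the input (a different policy version) is reported as current=missing.
# Exit status: 0 when every boolean matches, 1 otherwise.
audit_kvm_booleans() {
    current=$(cat)
    rc=0
    for pair in $KVM_BOOL_DEFAULTS; do
        name=${pair%%=*}
        def=${pair#*=}
        cur=$(printf '%s\n' "$current" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$cur" ]; then
            printf '%s current=missing default=%s\n' "$name" "$def"
            rc=1
        elif [ "$cur" != "$def" ]; then
            printf '%s current=%s default=%s\n' "$name" "$cur" "$def"
            rc=1
        fi
    done
    return $rc
}

# kvm_boolean_fix_commands: turn audit_kvm_booleans output (on stdin) into
# persistent 'setsebool -P' commands that restore the documented default.
# Missing booleans cannot be set, so they are skipped.
kvm_boolean_fix_commands() {
    awk '$2 != "current=missing" { split($3, d, "="); print "setsebool -P " $1 " " d[2] }'
}

# Stand-alone run against the constructed sample; on a real host use:
#   getsebool -a | audit_kvm_booleans | kvm_boolean_fix_commands
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_kvm_booleans | kvm_boolean_fix_commands
```

The commands are printed rather than executed so that a deviation that was set on purpose (for example qemu_use_cifs turned off on a host that has no Samba shares) is reviewed before the documented default is put back.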
19.4. Virtualization firewall information
Various ports are used for communication between guests and management utilities.
Note
Any network service on a guest must have its ports open in the guest's own firewall before it can
be reached from outside; a service that is firewalled inside the guest stays inaccessible whatever
the host allows. Always verify the guest's network configuration first.
ICMP must be accepted. ICMP packets are used for network testing, and guests cannot be pinged if
ICMP is blocked.
Port 22 should be open for SSH access and the initial installation.
Ports 80 or 443 (depending on the security settings of the RHEV Manager) are used by the vdsm-reg
service to communicate information about the host to the Manager.
Ports 5634 to 6166 are used for guest console access with the SPICE protocol.
Port 8002 is used by Xen for live migration.
Ports 49152 to 49216 are used for migrations with KVM. Migration may use any port in this range
depending on the number of concurrent migrations occurring.
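The script below is an added example and not part of the original guide. It prints the host-side iptables rules for the ports listed in this section so they can be reviewed before being applied, and narrows the migration ports to a management network. The management network, the choice of 443 for vdsm-reg and the treatment of the vdsm-reg connection as outbound from the host are assumptions made for the example, not statements from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: print the host-side iptables
# rules for the ports listed in section 19.4 so they can be reviewed before
# being applied. The management network, the vdsm-reg port and the direction
# of the vdsm-reg connection are assumptions, not facts from the guide.

MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # assumed management network (RFC 5737 range)
VDSM_REG_PORT=${VDSM_REG_PORT:-443}  # 80 or 443, per the RHEV Manager's security settings

# virt_host_rules <kvm|xen>: print one iptables command per line.
# Migration ports are limited to the management network so that only
# hosts on that network can open a migration connection to this host.
virt_host_rules() {
    hv=${1:-kvm}
    case "$hv" in
        kvm) mig_ports=49152:49216 ;;   # any port in the range may be used
        xen) mig_ports=8002 ;;
        *)   echo "virt_host_rules: unknown hypervisor '$hv'" >&2; return 1 ;;
    esac
    # ICMP must pass or the host and its guests cannot be pinged.
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    # SSH for administration and the initial installation.
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    # SPICE guest consoles.
    echo "iptables -A INPUT -p tcp --dport 5634:6166 -j ACCEPT"
    # Live migration: the KVM range or the Xen port, from the management network only.
    echo "iptables -A INPUT -s $MGMT_NET -p tcp --dport $mig_ports -j ACCEPT"
    # vdsm-reg reporting host information to the RHEV Manager; treated here as
    # an outbound connection from the host (assumption).
    echo "iptables -A OUTPUT -p tcp --dport $VDSM_REG_PORT -j ACCEPT"
}

# Stand-alone run. After review the output can be applied with, for example:
#   virt_host_rules kvm | sh
virt_host_rules "${1:-kvm}"
```

Restricting the migration range by source address matters more than the other rules: 49152 to 49216 is a wide range, and nothing in the port list itself says who may connect to it.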
Chapter 19. Security for virtualization
217