2022年3月3日木曜日

CentOS8 kvm 仮想macインストール

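# Fetch macOS-Simple-KVM and run its jumpstart script (which downloads the
# installer image used later as BaseSystem.img).
cd ~/KVMimage/macos || exit 1
wget https://github.com/foxlet/macOS-Simple-KVM/archive/refs/heads/master.zip || exit 1
# The zip is an unpinned snapshot of the master branch with no checksum to
# compare against: look over the unpacked scripts (jumpstart.sh) before running
# them, since they run with your privileges and fetch further files.
unzip master.zip || exit 1
python3 -m venv myenv
. ./myenv/bin/activate
pip3 install --upgrade pip
# jumpstart.sh presumably unpacks into macOS-Simple-KVM-master/; the original
# note runs it from the working directory, so cd into that directory (or copy
# the tree here) first if the script is not found.
./jumpstart.sh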
# dnf -y install qemu-kvm qemu-img libvirt virt-install libvirt-client
# qemu-img create -f qcow2 mac_os.qcow2 64G
# vi basic.sh
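#!/bin/bash
# basic.sh — boot the macOS installer/guest with QEMU/KVM (macOS-Simple-KVM layout).
# Run it from the directory that holds firmware/, ESP.qcow2, BaseSystem.img and
# mac_os.qcow2; every path below is resolved relative to $PWD.
set -euo pipefail

# SMC key checked by the macOS boot loader (value as shipped upstream).
OSK="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
VMDIR="$PWD"
OVMF="$VMDIR/firmware"
#export QEMU_AUDIO_DRV=pa
#QEMU_AUDIO_DRV=pa

# The original note points at /usr/libexec/qemu-kvm on this CentOS 8 host;
# QEMU_BIN lets the binary be chosen without editing the script.
QEMU_BIN="${QEMU_BIN:-qemu-system-x86_64}"

# Fail early with a clear message instead of a QEMU "could not open" error.
for img in "$OVMF/OVMF_CODE.fd" "$OVMF/OVMF_VARS-1024x768.fd" \
    ESP.qcow2 BaseSystem.img mac_os.qcow2; do
  [[ -e "$img" ]] || { printf 'basic.sh: missing %s\n' "$img" >&2; exit 1; }
done
command -v "$QEMU_BIN" >/dev/null \
  || { printf 'basic.sh: %s not found\n' "$QEMU_BIN" >&2; exit 1; }

# Arguments as an array: no trailing-backslash continuation to get wrong
# (the original listing dropped the one before the SystemDisk device line).
qemu_args=(
  -enable-kvm
  -m 2G
  -machine q35,accel=kvm
  -smp 4,cores=2
  -cpu Penryn,vendor=GenuineIntel,kvm=on,+sse3,+sse4.2,+aes,+xsave,+avx,+xsaveopt,+xsavec,+xgetbv1,+avx2,+bmi2,+smep,+bmi1,+fma,+movbe,+invtsc
  -device isa-applesmc,osk="$OSK"
  -smbios type=2
  -drive if=pflash,format=raw,readonly,file="$OVMF/OVMF_CODE.fd"
  -drive if=pflash,format=raw,file="$OVMF/OVMF_VARS-1024x768.fd"
  -vga qxl
  -device ich9-intel-hda -device hda-output
  -usb -device usb-kbd -device usb-mouse
  # User-mode (slirp) networking with no hostfwd= entries: the guest is NATed
  # out and no port is opened on the host.
  -netdev user,id=net0
  -device e1000-82545em,netdev=net0,id=net0,mac=52:54:00:c9:18:27
  -device ich9-ahci,id=sata
  -drive id=ESP,if=none,format=qcow2,file=ESP.qcow2
  -device ide-hd,bus=sata.2,drive=ESP
  -drive id=InstallMedia,format=raw,if=none,file=BaseSystem.img
  -device ide-hd,bus=sata.3,drive=InstallMedia
  # format= is stated explicitly (the disk was created with qemu-img -f qcow2)
  # so QEMU does not have to probe the image header to guess it.
  -drive id=SystemDisk,if=none,format=qcow2,file=mac_os.qcow2
  -device ide-hd,bus=sata.4,drive=SystemDisk
)

exec "$QEMU_BIN" "${qemu_args[@]}"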




【参考】
https://github.com/foxlet/macOS-Simple-KVM

https://chirashi.twittospia.com/%E6%8A%80%E8%A1%93/ubuntulinux%E3%81%AE%E4%BB%AE%E6%83%B3%E3%83%9E%E3%82%B7%E3%83%B3%E3%81%ABmacos%E3%82%92%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%81%99%E3%82%8B%E6%96%B9%E6%B3%95/2021-04-20/


selinux インストール

# dnf install libselinux.x86_64 libselinux-devel.x86_64 libselinux-utils.x86_64 python3-libselinux.x86_64
# dnf install policycoreutils policycoreutils-gui libselinux-utils setools-console checkpolicy
# dnf install policycoreutils-python-utils selinux-policy-*
# dnf install setroubleshoot
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
# vi /var/log/audit/audit.log
# audit2allow -w -a
# seinfo
# sesearch --allow 
# sesearch --neverallow
# sesearch --auditallow
# sesearch --dontaudit
# getsebool -a
# semanage export
# grep denied /var/log/audit/audit.log | tail -10 | audit2allow
# tail -f /var/log/httpd/error_log

# semodule -DB                              #  dontauditルール無効
# semodule -B                                 # dontauditルール有効
# tail -f /var/log/audit/audit.log | grep denied
# find / -inum 17350933 # inodeからファイル名
#  chcon -t httpd_sys_script_exec_t /var/www/html/hello.sh      # ラベル付与 (chcon は一時的で restorecon により元に戻るので、永続化は semanage fcontext + restorecon で行う)
# semanage fcontext -l | grep httpd_sys_script_exec_t
・httpd_sys_content_t : 読み取りのみ
・httpd_sys_script_exec_t : 実行可能
・httpd_sys_rw_content_t : 読み書き可能

# semanage fcontext -l | grep /var/www/


# ps -efZ | grep httpd
# ls  -lZ
# ls  -ldZ

#  sealert -l "*"
# matchpathcon /var/www/html /var/test_www/html
# semanage fcontext -a -e /var/www /var/test_www
# restorecon -Rv /var/


【エラー発生】
#  semodule -X 300 -i my-zabbixserver.pp
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/300/my-04iscsi/cil:2
semodule:  Failed!

# bzip2 -d  /var/lib/selinux/targeted/tmp/modules/300/my-04iscsi/cil
# cat cil.out
(typeattributeset cil_gen_require systemd_systemctl_exec_t)
(typeattributeset cil_gen_require NetworkManager_dispatcher_t)
(typeattributeset cil_gen_require passwd_file_t)
(allow NetworkManager_dispatcher_t passwd_file_t (file (getattr open read)))
(allow NetworkManager_dispatcher_t systemd_systemctl_exec_t (file (execute_no_trans)))
(allow NetworkManager_dispatcher_t systemd_systemctl_exec_t (file (execute getattr open read)))

# seinfo -t|grep  NetworkManager_dispatcher_t
無い!!


【参考】
すごく読み易い。感謝です。
https://www.tohoho-web.com/ex/selinux.html

firewall-cmd

# dnf install firewalld
# systemctl start firewalld
# systemctl enable firewalld
# systemctl status firewalld
# firewall-cmd --add-service=http --zone=public --permanent
# firewall-cmd --add-port=10050/tcp --zone=public --permanent
# firewall-cmd --add-port=10051/tcp --zone=public --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
# firewall-cmd --version
0.9.3

2022年3月1日火曜日

curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

相手のサーバが DH Key 1024 しかサポートしていない。
(openssl デフォルトは2048)

# update-crypto-policies --set LEGACY
# curl -I https://service.xxxxxx.co.jp/ArcwService/Default.aspx
LEGACY はこのホスト上のすべての TLS クライアントの暗号ポリシーを緩めるので、確認が済んだらすぐ DEFAULT に戻すこと。あくまでも自己責任で!!


# update-crypto-policies --set DEFAULT
# update-crypto-policies --show


# cd /usr/share/crypto-policies/policies/modules
# ls -l
合計 20
-rw-r--r--. 1 root root  318 11月 16 22:46 AD-SUPPORT.pmod
-rw-r--r--. 1 root root  121 11月 16 22:46 ECDHE-ONLY.pmod
-rw-r--r--. 1 root root   90 11月 16 22:46 NO-CAMELLIA.pmod
-rw-r--r--. 1 root root  123 11月 16 22:46 NO-SHA1.pmod
-rw-r--r--. 1 root root 1986 11月 16 22:46 OSPP.pmod

シャットダウン時の後処理 (shutdown)

# vi /etc/systemd/system/drop.service [Unit] Description= stop httpgwd DefaultDependencies=no Before=shutdown.target RefuseManualStart=true ...