| Summary: | svirt_qemu_net_t is missing most svirt_t related rules | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Berrangé <berrange> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-105.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-14 02:53:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
c1b7b1736cfaf123a43e161379ebc9c6643b42ec fixes this in git. Need this patch in RHEL7 also. (In reply to Daniel Walsh from comment #1) > c1b7b1736cfaf123a43e161379ebc9c6643b42ec fixes this in git. Which GIT repo is this hash from ? Daniel: https://git.fedorahosted.org/cgit/selinux-policy.git/ Fix is included in f20 and rawhide. Yes, it has been back ported and it is a part of the latest builds. selinux-policy-3.12.1-105.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-105.fc20 Package selinux-policy-3.12.1-105.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-105.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-22285/selinux-policy-3.12.1-105.fc20 then log in and leave karma (feedback). selinux-policy-3.12.1-105.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The virt-sandbox tool has historically used svirt_t for QEMU/KVM guests and svirt_lxc_sandbox_t for LXC guests The use of svirt_t was not working since it did not allow general use of resources from the host OS. Reently the SELinux policy gained new svirt_qemu_net_t and svirt_kvm_net_t domains to address this These should types should basically have had a union of all the rules for svirt_t and (most) of the rules for svirt_lxc_sandbox_t. It appears, howerver, that svirt_qemu_net_t and svirt_kvm_net_t are missing a number of the svirt_t related rules. For example, I get the following denials type=AVC msg=audit(1384448197.667:626): avc: denied { append } for pid=8553 comm="qemu-system-x86" path="/home/berrange/.cache/libvirt/qemu/log/sandbox.log" dev="dm-0" ino=659232 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file type=AVC msg=audit(1384448197.667:626): avc: denied { append } for pid=8553 comm="qemu-system-x86" path="/home/berrange/.cache/libvirt/qemu/log/sandbox.log" dev="dm-0" ino=659232 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=file type=AVC msg=audit(1384448197.697:627): avc: denied { write } for pid=8553 comm="qemu-system-x86" name="lib" dev="dm-0" ino=659215 scontext=unconfined_u:system_r:svirt_qemu_net_t:s0:c77,c609 tcontext=unconfined_u:object_r:svirt_home_t:s0 tclass=dir Which audit2allow suggests #============= svirt_qemu_net_t ============== allow svirt_qemu_net_t svirt_home_t:dir write; allow svirt_qemu_net_t svirt_home_t:file append; Version-Release number of selected component (if applicable): selinux-policy-3.12.1-90.fc20.noarch How reproducible: Always Steps to Reproduce: 1. Apply Dan W's patches to libvirt-sandbox for svirt_qemu_net_t usage 2. Run virt-sandbox -c qemu:///session /bin/date 3. Actual results: Above AVCs are produced Expected results: No AVCs Additional info: