Bug 1331309
| Field | Value |
|---|---|
| Summary | [Hyper-V][RHEL7.3] hypervvssd and selinux denials |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Jarno Huuskonen <jarno.huuskonen> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 7.2 |
| CC | boyang, ccheney, dapospis, hhei, jingli, jopoulso, ldu, leiwang, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, vkuznets, xiaofwan, xuli, yacao |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-133.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
|  | 1335733 |
| Last Closed | 2017-08-01 15:10:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1335733, 1401400 |
Description
Jarno Huuskonen
2016-04-28 09:17:14 UTC
What is the fix here? hypervvssd_t should read all dirs on the system? Could Vitaly please help comment on what the fix is? Thank you.

hypervvssd is very simple, it does the following:

For all mountpoints in /proc/mounts (including '/'):

on freeze request from the host:
1) fd = open(dir, O_RDONLY);
2) ioctl(fd, FIFREEZE, 0);
3) close(fd);

on thaw request from the host:
1) fd = open(dir, O_RDONLY);
2) ioctl(fd, FITHAW, 0);
3) close(fd);

this should always succeed. So, answering the question, hypervvssd_t should be able to open any dir on the system and (I'm not sure what it means for SELinux) do appropriate ioctls. The daemon only talks to the kernel so giving it such permissions is relatively safe.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
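The freeze/thaw sequence described in the comment above, written out as an added C example for this page. It is not the hypervvssd source from the hv tools and not code attached to this bug; it follows only what the comment says (walk /proc/mounts, open(dir, O_RDONLY), ioctl FIFREEZE or FITHAW, close) and adds the two things a practitioner cares about when an SELinux denial hits: the open() returns EACCES, and a freeze that fails part-way must thaw what it already froze, or the guest stays with frozen filesystems. Restricting to /dev/-backed mounts, freezing "/" last and thawing it first, and the EBUSY/EINVAL handling are this example's choices, not statements about the real daemon. The sample /proc/mounts content is constructed, and the dry-run backend exists so the sequencing can be checked without CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>   /* FIFREEZE, FITHAW */
#include <mntent.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

struct mount_list { char dir[64][256]; int n; };
/* The open/ioctl/close step is pluggable so the sequencing can run without CAP_SYS_ADMIN. */
typedef int (*fs_ioctl_fn)(const char *dir, unsigned long cmd);

/* Real backend, exactly the open/ioctl/close from the comment; returns 0 or -errno. EACCES
 * from open() is how an SELinux dir:open denial surfaces; EPERM from ioctl() means no CAP_SYS_ADMIN. */
static int real_fs_ioctl(const char *dir, unsigned long cmd)
{
    int fd = open(dir, O_RDONLY);
    if (fd < 0) return -errno;
    int err = ioctl(fd, cmd, 0) < 0 ? errno : 0;
    close(fd);
    /* Same device mounted twice: 2nd FIFREEZE gets EBUSY, 2nd FITHAW gets EINVAL; already in wanted state. */
    if (err == EBUSY || err == EINVAL) err = 0;
    return -err;
}

/* Parse /proc/mounts-format text. Keep block-backed mounts only (fsname under /dev/; proc, sysfs,
 * tmpfs and friends have no freeze support and fail with EOPNOTSUPP) and queue "/" last so the root
 * fs stays writable until everything else is frozen. The filter and the order are this example's. */
static int collect_mounts(FILE *f, struct mount_list *ml)
{
    struct mntent *ent;
    int root_seen = 0, cap = sizeof ml->dir / sizeof ml->dir[0];
    ml->n = 0;
    while ((ent = getmntent(f)) != NULL) {
        if (strncmp(ent->mnt_fsname, "/dev/", 5) != 0) continue;
        if (strcmp(ent->mnt_dir, "/") == 0) { root_seen = 1; continue; }
        if (ml->n >= cap - 1) return -ENOMEM;             /* keep one slot for "/" */
        snprintf(ml->dir[ml->n++], sizeof ml->dir[0], "%s", ent->mnt_dir);
    }
    if (root_seen) snprintf(ml->dir[ml->n++], sizeof ml->dir[0], "/");
    return ml->n;
}

/* Freeze in list order; on failure thaw what was already frozen before reporting the error,
 * otherwise the guest is left with frozen filesystems. */
static int freeze_all(const struct mount_list *ml, fs_ioctl_fn op)
{
    for (int i = 0; i < ml->n; i++) {
        int err = op(ml->dir[i], FIFREEZE);
        if (!err) continue;
        for (int j = i - 1; j >= 0; j--) op(ml->dir[j], FITHAW);
        return err;
    }
    return 0;
}

/* Thaw in reverse order ("/" first); keep going on errors and report the first one. */
static int thaw_all(const struct mount_list *ml, fs_ioctl_fn op)
{
    int first_err = 0;
    for (int i = ml->n - 1; i >= 0; i--) {
        int err = op(ml->dir[i], FITHAW);
        if (err && !first_err) first_err = err;
    }
    return first_err;
}

/* Dry-run backend: records the call sequence and can fail FIFREEZE on one directory with
 * EACCES, simulating an SELinux denial part-way through a freeze. */
static char dry_log[1024];
static const char *dry_fail_dir;
static int dry_fs_ioctl(const char *dir, unsigned long cmd)
{
    size_t used = strlen(dry_log);
    int fail = cmd == FIFREEZE && dry_fail_dir && strcmp(dir, dry_fail_dir) == 0;
    snprintf(dry_log + used, sizeof dry_log - used, "%s(%s)%s ",
             cmd == FIFREEZE ? "freeze" : "thaw", dir, fail ? "=EACCES" : "");
    return fail ? -EACCES : 0;
}

/* Constructed /proc/mounts content for the dry run (not taken from the bug report). */
static const char sample_mounts[] =
    "/dev/mapper/rhel-root / xfs rw,relatime,attr2,inode64,noquota 0 0\n"
    "/dev/sda1 /boot xfs rw,relatime,attr2,inode64,noquota 0 0\n"
    "/dev/mapper/rhel-home /home xfs rw,relatime,attr2,inode64,noquota 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0\n";

/* One freeze-then-thaw cycle over mounts_text with the dry-run backend; returns 0 or -errno. */
static int dry_run(const char *mounts_text, const char *fail_dir)
{
    struct mount_list ml;
    FILE *f = fmemopen((void *)mounts_text, strlen(mounts_text), "r");
    if (!f) return -errno;
    int n = collect_mounts(f, &ml);
    fclose(f);
    if (n < 0) return n;
    dry_log[0] = '\0';
    dry_fail_dir = fail_dir;
    int err = freeze_all(&ml, dry_fs_ioctl);
    return err ? err : thaw_all(&ml, dry_fs_ioctl);
}
```

For the live version (root only) feed `collect_mounts()` a `setmntent("/proc/mounts", "r")` stream and pass `real_fs_ioctl` to `freeze_all()`/`thaw_all()`. When an EACCES shows up, the matching AVC record (`ausearch -m AVC -c hypervvssd`) says whether it is the dir open or the ioctl that the policy rejects; both have to be allowed for every directory type a mount point can carry, which is why the fix discussed above is about reading all dirs rather than one extra label.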