Bug 209187
| Summary: | blktap doesn't play nice with SELinux policy | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeremy Katz <katzj> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | bstein, dwalsh, james.antill, jmorris, katzj, sct |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-2.3.18-3 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-10-05 18:23:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 150224 | ||
There are other avcs which occur if we actually run a live guest, living on an
image file in /xen/, with blktap:

```
audit(1159912115.732:27): avc: denied { ioctl } for pid=3107 comm="blktapctrl" name="blktap0" dev=tmpfs ino=12119 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
```

is the main one which gets in the way in enforcing mode, but in permissive mode,
I also get

```
audit(1159912197.022:44): avc: denied { mknod } for pid=3107 comm="blktapctrl" capability=27 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
audit(1159912197.022:45): avc: denied { create } for pid=3107 comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
audit(1159912197.022:46): avc: denied { read write } for pid=3107 comm="blktapctrl" name="tapctrlread1" dev=tmpfs ino=18393 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
audit(1159912197.022:47): avc: denied { ioctl } for pid=4994 comm="sh" name="tapctrlread1" dev=tmpfs ino=18393 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
```

Specific new binaries potentially needing policy are:

/usr/sbin/tapdisk: per-domain disk server for blktap domains
/usr/sbin/blktapctrl: persistent control daemon

and devices are:

/dev/xen/blktap0: control device
/dev/xen/blktap[1--255]: per-domain interface device
/dev/xen/tapctrl{read,write}[1--255]: named pipe nodes for tapdisk/blktapctrl communication

tapdisk itself will need read/write access to Xen image files.
Fixed in selinux-policy-2.3.18-3

Confirmed that blktapctrl boots, and that tapdisk is able to access and serve files in /xen/. Thanks!
blktap doesn't play nice with SELinux policy --

```
audit(1159875215.511:4): avc: denied { getattr } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159875215.511:5): avc: denied { read write } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
```

For one thing, we probably need to have /dev/xen/blktap* labeled as xen_device_t and blktapctrl running in a xen domain, but that's just kind of a first guess at what's needed without actually setting anything up to use blktap yet. Someone using blktap needs to look closer at what else is needed. And something has to be done about the AVCs for FC6 GA -- either by fixing things to work with policy or going back to disable blktap entirely.
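Triage of the AVC records quoted in this report (the description above and the later comment), as an added example that is neither the bug's own attachment nor code from the selinux-policy package: it parses each denial into source type, target type, object class and permissions, then groups them into the allow-rule shape audit2allow would print. The sample records are copied from the report; the parser and its grouping are the only assumptions, and the summary is triage input for deciding labels (the description argues for relabeling the device nodes as xen_device_t rather than granting xend_t access to generic device_t), not a policy to ship as-is.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from this bug report (not a full
# audit capture; the later comment lists further fifo_file denials).
SAMPLE_AVCS = """\
audit(1159875215.511:4): avc: denied { getattr } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159875215.511:5): avc: denied { read write } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159912115.732:27): avc: denied { ioctl } for pid=3107 comm="blktapctrl" name="blktap0" dev=tmpfs ino=12119 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159912197.022:44): avc: denied { mknod } for pid=3107 comm="blktapctrl" capability=27 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
audit(1159912197.022:45): avc: denied { create } for pid=3107 comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is the third field.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
            needed[key].update(rec["perms"])
    return {k: sorted(v) for k, v in needed.items()}

def as_allow_rules(summary):
    """Render the summary in allow-rule syntax, the shape audit2allow emits."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AVCS)):
        print(rule)
```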