Bug 433672
| Summary: | qemu-kvm throws lots of AVCs running WinXP.... | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> | ||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | sputhenp | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-02-26 21:39:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 295443 [details]
AVCs from "qemu-kvm" of WinXP gtuest
So I guess we need a boolean that says we are allowed to connect to anyport. This is interesting though. Since we can begin to confine WinXP with qemu/selinux. If I want to write the policy equivalent of xguest for XP, I would write a policy that runs qemu in a domain that is only allowed to connect to the http ports/dns/ftp ports. SELinux confining Windows... What kind of networking did you setup to get this? We'll have to call it SEWindows..... Wonder if they've already locked in a trademark for that .... ;) Network setup..... I believe I'm using whatever is the default. The XP guest thinks it is connected to 10.0.2.15 The host is running on 10.10.4.24 I don't think I've ever specified any "-net" options..... Thinks the device is a RealTek rtl8139. I presume it is NAT-ing, but not sure. allow_qemu_full_network boolean available in selinux-policy-3.3.1-3.fc9 |
Description of problem: Running selinux-policy-targeted-3.2.8-2.fc9.noarch targeted/permissive, I get the following running a WinXP image (AVCs attached): #============= qemu_t ============== allow qemu_t http_port_t:tcp_socket name_connect; allow qemu_t inaddr_any_node_t:udp_socket node_bind; allow qemu_t kerberos_port_t:tcp_socket name_connect; allow qemu_t ldap_port_t:tcp_socket name_connect; allow qemu_t port_t:tcp_socket name_connect; allow qemu_t reserved_port_t:tcp_socket name_connect; allow qemu_t self:udp_socket { write bind create read getattr }; allow qemu_t smbd_port_t:tcp_socket name_connect; I suspect there will be more, as I "exercise" the WinXP guest. What I did: ran "qemu-kvm -m 400 image", logged in to windows domain, started outlook, started browser (IE, sigh). Version-Release number of selected component (if applicable): selinux-policy-targeted-3.2.8-2.fc9.noarch How reproducible: Everytime Steps to Reproduce: 1. Start guest: qemu-kvm -m 400 image 2. login to domain 3. start Outlook, start browser Actual results: Expected results: Additional info: