Bug 433672
Summary: | qemu-kvm throws lots of AVCs running WinXP.... | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | rawhide | CC: | sputhenp |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-02-26 21:39:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Attachments: | | | |

Description
Tom London
2008-02-20 19:37:13 UTC
Created attachment 295443
AVCs from "qemu-kvm" of WinXP guest

So I guess we need a boolean that says we are allowed to connect to any port. This is interesting though, since we can begin to confine WinXP with qemu/selinux. If I want to write the policy equivalent of xguest for XP, I would write a policy that runs qemu in a domain that is only allowed to connect to the http ports/dns/ftp ports. SELinux confining Windows... What kind of networking did you set up to get this?

We'll have to call it SEWindows..... Wonder if they've already locked in a trademark for that .... ;)

Network setup..... I believe I'm using whatever is the default. The XP guest thinks it is connected to 10.0.2.15. The host is running on 10.10.4.24. I don't think I've ever specified any "-net" options..... Thinks the device is a RealTek rtl8139. I presume it is NAT-ing, but not sure.

allow_qemu_full_network boolean available in selinux-policy-3.3.1-3.fc9
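
The thread weighs two options: a qemu domain allowed to connect only to http/dns/ftp ports, or the allow_qemu_full_network boolean. The following is an added example, not part of the bug report or its attachment, that sorts `name_connect` denials into those two cases; the audit lines are constructed, and the `qemu_t` domain and port type names are assumptions.

```python
import re
from collections import Counter

# Constructed audit lines (not the bug's attachment); qemu_t and the
# port types below are assumptions made for this illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1203536000.101:41): avc:  denied  { name_connect } for  pid=3001 comm="qemu-kvm" dest=80 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.102:42): avc:  denied  { name_connect } for  pid=3001 comm="qemu-kvm" dest=80 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.103:43): avc:  denied  { name_connect } for  pid=3001 comm="qemu-kvm" dest=53 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.104:44): avc:  denied  { name_connect } for  pid=3001 comm="qemu-kvm" dest=1863 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.105:45): avc:  denied  { name_connect } for  pid=3001 comm="qemu-kvm" dest=5190 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.106:46): avc:  denied  { name_connect } for  pid=2200 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536000.107:47): avc:  denied  { read } for  pid=3001 comm="qemu-kvm" name="winxp.img" dev=dm-0 ino=12345 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Port types standing in for the "http ports/dns/ftp ports" of the thread.
ALLOWED_PORT_TYPES = {"http_port_t", "dns_port_t", "ftp_port_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def triage(log, domain="qemu_t", allowed=ALLOWED_PORT_TYPES):
    """Count name_connect denials for `domain`, split by whether a narrow policy covers them."""
    covered, uncovered = Counter(), Counter()
    for line in log.splitlines():
        avc = parse_avc(line)
        if not avc or "name_connect" not in avc["perms"]:
            continue  # file access and other non-network denials are out of scope
        if avc.get("scontext", "").split(":")[2:3] != [domain]:
            continue
        port_type = avc["tcontext"].split(":")[2]
        key = (port_type, int(avc["dest"]))
        (covered if port_type in allowed else uncovered)[key] += 1
    return covered, uncovered

if __name__ == "__main__":
    covered, uncovered = triage(SAMPLE_LOG)
    print("covered by a narrow port policy:", dict(covered))
    print("would need the full-network boolean:", dict(uncovered))
```

Denials in the second group are the ones a restricted guest domain would keep blocking; an empty second group means the narrow policy is enough for that guest's traffic.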