Bug 450723
| Summary: | xenner doesn't work in enforcing mode | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bill Nottingham <notting> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 9 | CC: | apevec, fschwarz, jlaska, kraxel, ml, rvokal | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-07-08 21:42:58 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This module allows it to work:
...
module xenner 1.0;
require {
type xenconsoled_t;
type var_run_t;
type fs_t;
type virt_var_run_t;
type kvm_device_t;
type var_log_t;
type initrc_t;
type xend_var_run_t;
type virtd_t;
type xenstored_t;
type tmp_t;
type port_t;
type anon_inodefs_t;
type tmpfs_t;
type mount_t;
class process setrlimit;
class unix_stream_socket connectto;
class chr_file { read write ioctl };
class capability sys_resource;
class tcp_socket { name_connect setopt create connect };
class file { read create ioctl write getattr unlink append };
class filesystem getattr;
class sock_file write;
class dir { write search read remove_name mounton getattr add_name };
}
#============= mount_t ==============
allow mount_t var_run_t:dir mounton;
#============= virtd_t ==============
allow virtd_t anon_inodefs_t:file { read write ioctl };
allow virtd_t fs_t:filesystem getattr;
allow virtd_t initrc_t:unix_stream_socket connectto;
allow virtd_t kvm_device_t:chr_file { read write ioctl };
allow virtd_t port_t:tcp_socket name_connect;
allow virtd_t self:capability sys_resource;
allow virtd_t self:process setrlimit;
allow virtd_t tmp_t:dir { write remove_name add_name };
allow virtd_t tmp_t:file { read write create unlink };
allow virtd_t tmpfs_t:dir { write remove_name add_name };
allow virtd_t tmpfs_t:file { create unlink };
allow virtd_t var_run_t:sock_file write;
allow virtd_t xend_var_run_t:dir { write remove_name add_name };
allow virtd_t xend_var_run_t:file { read write create unlink };
#============= xenconsoled_t ==============
allow xenconsoled_t initrc_t:unix_stream_socket connectto;
allow xenconsoled_t self:tcp_socket { create setopt connect };
allow xenconsoled_t tmpfs_t:dir { read search getattr };
allow xenconsoled_t tmpfs_t:file { read write getattr };
allow xenconsoled_t var_run_t:sock_file write;
allow xenconsoled_t virt_var_run_t:file { read write getattr };
#============= xenstored_t ==============
allow xenstored_t initrc_t:unix_stream_socket connectto;
allow xenstored_t self:tcp_socket { create setopt connect };
allow xenstored_t tmp_t:dir { write remove_name search add_name };
allow xenstored_t tmp_t:file { read write create unlink };
allow xenstored_t tmpfs_t:dir search;
allow xenstored_t tmpfs_t:file { read write };
allow xenstored_t var_log_t:dir { write add_name };
allow xenstored_t var_log_t:file { create append };
allow xenstored_t var_run_t:file { read write };
allow xenstored_t var_run_t:sock_file write;
allow xenstored_t virt_var_run_t:file { read write };
....
I have not audited it for correctness.
God I hat xen. Bill can you attach the audit.log you used to generate this policy. Created attachment 310036 [details]
audit log
Here's the audit log with some known noise (tmpwatch, etc.) taken out. I
suspect there's some more noise still in it.
So it seems that xenner is similar to what I am currently labeling as a qemu, Ie a vertual instance of a running Operating System. If you labeled xenner as qemu_exec_t you would get most of the privs. I need to create a virtd_instance under virtd to describe the access and then let xenner and qemu inherit from it. Sounds reasonable. xenner runs xen guests using kvm, so from a selinux point of view it probably looks much the same (I'm not a selinux expert though ...). xenner also uses some xen binaries such as xenstored, which should have selinux coverage too. xenner uses a tmpfs mount (/var/run/xenner), it puts files there as backing store for the vm memory. This is something which neither qemu nor xen do, thus I'd expect some new rules are needed to cover that. Hope this helps, Gerd Do you have a xen image around I could play with to write policy for this domain. For a quick bootup test you don't need an image, you can grab xen kernel and initrd from any fedora install dvd (images/xen/), then run "xenner -kernel vmlinuz -initrd initrd.img -vnc 127.0.0.1:0". Connecting with a vnc viewer to display :0 should show then the first stage install screen (probably complaining it couldn't find a disk). Note: avoid xen-runtime-3.2.0-12.fc9, vnc is broken with that one. Either -10 or something newer should work ok. I don't have any small xen images at the moment. I could try and find a place to put a 1GB .bz2 file, but that may be a bit excessive. *** Bug 464158 has been marked as a duplicate of this bug. *** *** Bug 478301 has been marked as a duplicate of this bug. *** This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Should be fixed in current F9, F10, F11 policy. So I am closing it. |
Description of problem: type=AVC msg=audit(1213117922.549:1172): avc: denied { mounton } for pid=32679 comm="mount" path="/var/run/xenner" dev=sda2 ino=5552229 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir type=AVC msg=audit(1213117922.573:1173): avc: denied { write } for pid=32686 comm="xenstored" name="log" dev=sda2 ino=5551491 scontext=unconfined_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir type=AVC msg=audit(1213117922.589:1174): avc: denied { write } for pid=32688 comm="xenstored" name="evtchnd" dev=sda2 ino=5551658 scontext=unconfined_u:system_r:xenstored_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=AVC msg=audit(1213117922.590:1175): avc: denied { create } for pid=32688 comm="xenstored" scontext=unconfined_u:system_r:xenstored_t:s0 tcontext=unconfined_u:system_r:xenstored_t:s0 tclass=tcp_socket Version-Release number of selected component (if applicable): selinux-policy-3.3.1-62.fc9.noarch xenner-0.35-1.fc9.x86_64 How reproducible: Every time Steps to Reproduce: 1. install xenner 2. run /etc/init.d/xenner start