Bug 509834

Summary: sVirt changing file context impacts other access
Product: [Fedora] Fedora Reporter: Gene Czarcinski <gczarcinski>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: markmc
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-13 18:30:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gene Czarcinski 2009-07-06 13:43:54 UTC 
Description of problem:

The current implementation of sVirt impacts other process access.  For example, if a virtual guest defines an ISO image file which is also access by httpd, the file's context is changed from "public_content_t" to "virt_content_t" which makes that file no longer accessable by http.  This is wrong!

I suggest that there should be NO changing of file context!

Instead, sVirt should depend on the settings in the standard policy and any policy changes made with semanage.

Furthermore, any file with a context of "public_content_t" or "public_content_rw_t" should be accessible by a guest if it has been defined to that guest.

I am not sure what should be done with real devices such as /dev/sr0.

I also suggest that context 'nfs_t" should also be OK.

If file contexts are not changed, this also eliminates the problem of using read-only file systems.

This report replaces https://bugzilla.redhat.com/show_bug.cgi?id=508865 which I not consider to be a dup of this report.
Comment 1 Gene Czarcinski 2009-07-06 13:45:29 UTC 
*** Bug 508865 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2009-07-06 18:32:38 UTC 
svirt is designed to change the context of the image files and other devices that it will use.  If you want to allow httpd to share virtual image content then you need to write policy to allow it to read virtual images, or turn svirt off (not recommended.)  I could add a boolean to allow this share virtual content via httpd if you believe this will be real common.
Comment 3 Mark McLoughlin 2009-08-07 11:01:23 UTC 
(In reply to comment #2)
> I could add a boolean to allow this share virtual
> content via httpd if you believe this will be real common.  

So this would allow httpd access virt_content_t ?

Gene: would that work for you?

(Otherwise, from what dwalsh is saying, I think we should close this as WONTFIX)
Comment 4 Gene Czarcinski 2009-08-11 18:57:51 UTC 
I am satisfied with the way things work with the rawhide packages which have been made available for Fedora 11 (the preview set).

Reseting the context after use works for me.

It is not a matter of WONTFIX but more (IMHO) of BEENFIXED
Comment 5 Daniel Walsh 2009-08-12 19:33:16 UTC 
Gene what change are you referring too?
Comment 6 Gene Czarcinski 2009-08-13 17:49:08 UTC 
I was primarily concerned about ISO image files.

When I first started using qemu-kvm-libvirt, the context for the ISO file was changed and then left changed when the guest terminated or the ISO image file was disconnected.

I then started using the virt-preview set of packages when they appeared and, at that time, the context was reset to its "normal" value when the guest was done with that image.

I understand the need to change the context and, since I am only using these image files during install, I can live with the context change for that "brief" period of time.