blktap doesn't play nice with SELinux policy --

audit(1159875215.511:4): avc: denied { getattr } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159875215.511:5): avc: denied { read write } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

For one thing, we probably need to have /dev/xen/blktap* labeled as xen_device_t and blktapctrl running in a xen domain, but that's just kind of a first guess at what's needed without actually setting anything up to use blktap yet. Someone using blktap needs to look closer at what else is needed. And something has to be done about the AVCs for FC6 GA -- either by fixing things to work with policy or going back to disable blktap entirely.
There are other avcs which occur if we actually run a live guest, living on an image file in /xen/, with blktap:

audit(1159912115.732:27): avc: denied { ioctl } for pid=3107 comm="blktapctrl" name="blktap0" dev=tmpfs ino=12119 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

is the main one which gets in the way in enforcing mode, but in permissive mode, I also get

audit(1159912197.022:44): avc: denied { mknod } for pid=3107 comm="blktapctrl" capability=27 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
audit(1159912197.022:45): avc: denied { create } for pid=3107 comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
audit(1159912197.022:46): avc: denied { read write } for pid=3107 comm="blktapctrl" name="tapctrlread1" dev=tmpfs ino=18393 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
audit(1159912197.022:47): avc: denied { ioctl } for pid=4994 comm="sh" name="tapctrlread1" dev=tmpfs ino=18393 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
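Triage helper for the AVC records quoted in the two comments above, added here as an example and not part of the bug report: it parses each denial, groups the permissions by (source type, target type, object class) the way audit2allow would, and flags groups whose target is a generic type such as device_t, where the right fix is relabeling the node (here to xen_device_t) rather than granting xend_t access to every device. The sample input is copied from the report; the GENERIC_TARGETS set is an assumption of this example.

```python
import re
from collections import defaultdict

# AVC lines quoted from the bug report above (comments 1 and 2).
AVC_LINES = """\
audit(1159875215.511:4): avc: denied { getattr } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159875215.511:5): avc: denied { read write } for pid=2878 comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159912197.022:44): avc: denied { mknod } for pid=3107 comm="blktapctrl" capability=27 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:system_r:xend_t:s0 tclass=capability
audit(1159912197.022:45): avc: denied { create } for pid=3107 comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: target types so broad that an allow rule
# against them is almost always the wrong fix compared to a label change.
GENERIC_TARGETS = {"device_t"}

def parse_avc(line):
    """Parse one AVC denial line into a dict (perms as a set); None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def type_of(context):
    """'system_u:system_r:xend_t:s0' -> 'xend_t' (the type field of a context)."""
    return context.split(":")[2]

def summarize(text):
    """Union of denied perms keyed by (source type, target type, tclass)."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            needed[key] |= rec["perms"]
    return dict(needed)

def review(needed):
    """Render each group as an allow-rule-shaped line; mark generic targets for relabeling."""
    out = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt in GENERIC_TARGETS:
            rule += "  # target is generic: relabel the object instead of allowing this"
        out.append(rule)
    return out
```

Running `review(summarize(AVC_LINES))` shows the two device_t groups flagged and the capability group left as a plain candidate rule for policy review.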
Specific new binaries potentially needing policy are:

/usr/sbin/tapdisk: per-domain disk server for blktap domains
/usr/sbin/blktapctrl: persistent control daemon

and devices are:

/dev/xen/blktap0: control device
/dev/xen/blktap[1--255]: per-domain interface device
/dev/xen/tapctrl{read,write}[1--255]: named pipe nodes for tapdisk/blktapctrl communication

tapdisk itself will need read/write access to Xen image files.
Fixed in selinux-policy-2.3.18-3
Confirmed that blktapctrl boots, and that tapdisk is able to access and serve files in /xen/. Thanks!