Bug 209187 - blktap doesn't play nice with SELinux policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Blocks: FC6Blocker
Reported: 2006-10-03 15:36 EDT by Jeremy Katz
Modified: 2007-11-30 17:11 EST
Fixed In Version: selinux-policy-2.3.18-3
Doc Type: Bug Fix
Last Closed: 2006-10-05 14:23:42 EDT

Attachments: None
Description Jeremy Katz 2006-10-03 15:36:38 EDT
blktap doesn't play nice with SELinux policy --

audit(1159875215.511:4): avc:  denied  { getattr } for  pid=2878
comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630
scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
audit(1159875215.511:5): avc:  denied  { read write } for  pid=2878
comm="blktapctrl" name="blktap0" dev=tmpfs ino=9630
scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=chr_file


For one thing, we probably need to have /dev/xen/blktap* labeled as xen_device_t
and blktapctrl running in a xen domain, but that's just kind of a first guess at
what's needed without actually setting anything up to use blktap yet.  Someone
using blktap needs to look closer at what else is needed.

And something has to be done about the AVCs for FC6 GA -- either by fixing
things to work with policy or going back to disabling blktap entirely.
Comment 2 Stephen Tweedie 2006-10-03 17:51:10 EDT
There are other avcs which occur if we actually run a live guest, living on an
image file in /xen/, with blktap:

audit(1159912115.732:27): avc:  denied  { ioctl } for  pid=3107
comm="blktapctrl" name="blktap0" dev=tmpfs ino=12119
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=chr_file

is the main one which gets in the way in enforcing mode, but in permissive mode,
I also get

audit(1159912197.022:44): avc:  denied  { mknod } for  pid=3107
comm="blktapctrl" capability=27 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:system_r:xend_t:s0 tclass=capability
audit(1159912197.022:45): avc:  denied  { create } for  pid=3107
comm="blktapctrl" name="tapctrlread1" scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
audit(1159912197.022:46): avc:  denied  { read write } for  pid=3107
comm="blktapctrl" name="tapctrlread1" dev=tmpfs ino=18393
scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=fifo_file
audit(1159912197.022:47): avc:  denied  { ioctl } for  pid=4994 comm="sh"
name="tapctrlread1" dev=tmpfs ino=18393 scontext=system_u:system_r:xend_t:s0
tcontext=system_u:object_r:device_t:s0 tclass=fifo_file
Comment 3 Stephen Tweedie 2006-10-03 17:54:47 EDT
Specific new binaries potentially needing policy are:

/usr/sbin/tapdisk: per-domain disk server for blktap domains
/usr/sbin/blktapctrl: persistent control daemon

and devices are:

/dev/xen/blktap0: control device
/dev/xen/blktap[1--255]: per-domain interface device
/dev/xen/tapctrl{read,write}[1--255]: named pipe nodes for tapdisk/blktapctrl
communication

tapdisk itself will need read/write access to Xen image files.
Comment 4 Daniel Walsh 2006-10-05 09:36:29 EDT
Fixed in selinux-policy-2.3.18-3
Comment 5 Stephen Tweedie 2006-10-05 14:23:42 EDT
Confirmed that blktapctrl boots, and that tapdisk is able to access and serve
files in /xen/.  Thanks!