Bug 433672 - qemu-kvm throws lots of AVCs running WinXP....
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-02-20 14:37 EST by Tom London
Modified: 2008-02-26 16:39 EST
Doc Type: Bug Fix
Last Closed: 2008-02-26 16:39:54 EST

Attachments
AVCs from "qemu-kvm" of WinXP guest (14.34 KB, text/plain)
2008-02-20 14:38 EST, Tom London

Description Tom London 2008-02-20 14:37:13 EST
Description of problem:
Running selinux-policy-targeted-3.2.8-2.fc9.noarch targeted/permissive, I get
the following running a WinXP image (AVCs attached):

#============= qemu_t ==============
allow qemu_t http_port_t:tcp_socket name_connect;
allow qemu_t inaddr_any_node_t:udp_socket node_bind;
allow qemu_t kerberos_port_t:tcp_socket name_connect;
allow qemu_t ldap_port_t:tcp_socket name_connect;
allow qemu_t port_t:tcp_socket name_connect;
allow qemu_t reserved_port_t:tcp_socket name_connect;
allow qemu_t self:udp_socket { write bind create read getattr };
allow qemu_t smbd_port_t:tcp_socket name_connect;

I suspect there will be more, as I "exercise" the WinXP guest.

What I did: ran "qemu-kvm -m 400 image", logged in to windows domain, started
outlook, started browser (IE, sigh).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.2.8-2.fc9.noarch

How reproducible:
Every time

Steps to Reproduce:
1.  Start guest: qemu-kvm -m 400 image
2.  log in to domain
3.  start Outlook, start browser

Actual results:


Expected results:


Additional info:
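As an added example (not part of this report, and not audit2allow itself), a small Python script that reads AVC denial records from the audit log and groups them into allow rules in the same shape as the summary above, which is the triage step before deciding whether a boolean or a tighter custom domain is the right fix. The sample records, their pids and timestamps are constructed for the example and are not the lines from the attachment.

```python
import re
from collections import defaultdict

# Constructed sample denials in the kernel audit AVC format (pids and
# timestamps are made up; these are not the records from the attachment).
SAMPLE_AVCS = """\
type=AVC msg=audit(1203536131.123:45): avc:  denied  { name_connect } for  pid=4321 comm="qemu-kvm" dest=80 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536131.124:46): avc:  denied  { create } for  pid=4321 comm="qemu-kvm" scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:system_r:qemu_t:s0 tclass=udp_socket
type=AVC msg=audit(1203536131.125:47): avc:  denied  { bind } for  pid=4321 comm="qemu-kvm" scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:system_r:qemu_t:s0 tclass=udp_socket
type=AVC msg=audit(1203536131.126:48): avc:  denied  { name_connect } for  pid=4321 comm="qemu-kvm" dest=88 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:kerberos_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1203536131.127:49): avc:  denied  { node_bind } for  pid=4321 comm="qemu-kvm" scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
"""

# Pull the denied permissions, the source/target contexts and the object
# class out of one AVC record; fields between the braces and scontext= are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type component of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Group denials as (source type, target type, class) -> set of permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC record, or a truncated one
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def to_allow_rules(denials):
    """Render grouped denials as allow rules; a target equal to the source becomes self."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(parse_avcs(SAMPLE_AVCS)):
        print(rule)
```

Run against a real log with `ausearch -m avc` output piped in; the grouped rules show at a glance which denials a single network boolean would cover and which ports a narrower domain would have to allow explicitly.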
Comment 1 Tom London 2008-02-20 14:38:16 EST
Created attachment 295443
AVCs from "qemu-kvm" of WinXP guest
Comment 2 Daniel Walsh 2008-02-20 16:36:52 EST
So I guess we need a boolean that says we are allowed to connect to any port.
This is interesting though, since we can begin to confine WinXP with
qemu/selinux.  If I want to write the policy equivalent of xguest for XP, I
would write a policy that runs qemu in a domain that is only allowed to connect
to the http ports/dns/ftp ports.

SELinux confining Windows...

Comment 3 Daniel Walsh 2008-02-20 16:40:08 EST
What kind of networking did you setup to get this?
Comment 4 Tom London 2008-02-20 16:45:53 EST
We'll have to call it SEWindows..... Wonder if they've already locked in a
trademark for that .... ;)
Comment 5 Tom London 2008-02-20 16:53:23 EST
Network setup..... I believe I'm using whatever is the default.

The XP guest thinks it is connected to 10.0.2.15

The host is running on 10.10.4.24

I don't think I've ever specified any "-net" options..... Thinks the device is a
RealTek rtl8139.

I presume it is NAT-ing, but not sure.
Comment 6 Daniel Walsh 2008-02-26 16:39:54 EST
allow_qemu_full_network boolean available in selinux-policy-3.3.1-3.fc9
