Bug 509834 - sVirt changing file context impacts other access
Summary: sVirt changing file context impacts other access
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 508865
Depends On:
Blocks:
 
Reported: 2009-07-06 13:43 UTC by Gene Czarcinski
Modified: 2009-08-13 18:30 UTC
CC List: 1 user

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-08-13 18:30:22 UTC
Type: ---
Embargoed:



Description Gene Czarcinski 2009-07-06 13:43:54 UTC
Description of problem:

The current implementation of sVirt impacts other process access.  For example, if a virtual guest defines an ISO image file which is also accessed by httpd, the file's context is changed from "public_content_t" to "virt_content_t" which makes that file no longer accessible by httpd.  This is wrong!

I suggest that there should be NO changing of file context!

Instead, sVirt should depend on the settings in the standard policy and any policy changes made with semanage.

Furthermore, any file with a context of "public_content_t" or "public_content_rw_t" should be accessible by a guest if it has been defined to that guest.

I am not sure what should be done with real devices such as /dev/sr0.

I also suggest that context "nfs_t" should be OK.

If file contexts are not changed, this also eliminates the problem of using read-only file systems.

This report replaces https://bugzilla.redhat.com/show_bug.cgi?id=508865 which I do not consider to be a dup of this report.

Comment 1 Gene Czarcinski 2009-07-06 13:45:29 UTC
*** Bug 508865 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2009-07-06 18:32:38 UTC
svirt is designed to change the context of the image files and other devices that it will use.  If you want to allow httpd to share virtual image content then you need to write policy to allow it to read virtual images, or turn svirt off (not recommended).  I could add a boolean to allow sharing virtual content via httpd if you believe this will be real common.
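
The "write policy to allow it to read virtual images" route, as an added example that is not part of this bug report and is not code from the selinux-policy or libvirt projects: a small local policy module granting httpd_t read access to virt_content_t, the type sVirt puts on read-only content such as ISO images, plus two checks a practitioner would want around it (what type is currently on the file, and whether the file's label matches the policy default after a guest has released it). The module name httpd_virt_content is an assumption made here; building and loading need checkmodule, semodule_package and semodule from policycoreutils and root, and those steps are skipped when the tools are absent.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the selinux-policy or
# libvirt projects. Builds and loads a local policy module that lets httpd_t
# read files sVirt has relabelled to virt_content_t. The module name
# "httpd_virt_content" is an assumption made here. Build/load steps need
# checkmodule, semodule_package and semodule (policycoreutils) and root; they
# are skipped when the tools are absent so the rest runs anywhere.

MODNAME=httpd_virt_content

# Emit the Type Enforcement source for the module on stdout. Only read-style
# file permissions are granted: the content is read-only for the guest too,
# so httpd has no reason to write it. The directory holding the ISO is not
# relabelled by sVirt, so no directory rule is needed.
gen_te() {
    cat <<EOF
module ${MODNAME} 1.0;

require {
    type httpd_t;
    type virt_content_t;
}

allow httpd_t virt_content_t:file { getattr open read };
EOF
}

# Type field of a full context string (user:role:type:level), e.g.
# system_u:object_r:virt_content_t:s0 -> virt_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type currently on a file, via stat's %C (SELinux context) format.
file_type() {
    context_type "$(stat -c %C "$1")"
}

# Exit 0 when the file's label matches what the loaded policy says it should
# be (matchpathcon -V); run after the guest stops to confirm sVirt restored
# the label. Exit 2 when matchpathcon is not installed.
label_is_default() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon missing" >&2; return 2; }
    matchpathcon -V "$1" >/dev/null
}

# Compile and load the module; non-zero if a tool is missing or a step fails.
load_module() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    tmp=$(mktemp -d) || return 1
    gen_te > "$tmp/$MODNAME.te"
    if checkmodule -M -m -o "$tmp/$MODNAME.mod" "$tmp/$MODNAME.te" &&
       semodule_package -o "$tmp/$MODNAME.pp" -m "$tmp/$MODNAME.mod" &&
       semodule -i "$tmp/$MODNAME.pp"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage: sh httpd_virt_content.sh /var/www/html/isos/install.iso
# The path is a placeholder; run as root to actually load the module.
if [ -n "$1" ]; then
    echo "type on $1: $(file_type "$1")"
    if label_is_default "$1"; then
        echo "label matches the policy default"
    else
        echo "label differs from the policy default (still in use by a guest?)"
    fi
    load_module && echo "loaded module $MODNAME"
fi
```

After loading, `sesearch -A -s httpd_t -t virt_content_t -c file` (from setools) shows the rule is in effect, and `ls -Z` on the ISO before and after a guest run shows the label going to virt_content_t and back. The module deliberately grants nothing on directories or on virt_image_t, the read-write image type, so an httpd compromise still cannot reach guest disks. Later libvirt releases, which are not what this bug discusses, also allow turning relabelling off per device with `<seclabel relabel='no'/>` under a disk's `<source>`, at the cost of the guest then needing policy to read the file's original type.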

Comment 3 Mark McLoughlin 2009-08-07 11:01:23 UTC
(In reply to comment #2)
> I could add a boolean to allow sharing virtual
> content via httpd if you believe this will be real common.

So this would allow httpd to access virt_content_t?

Gene: would that work for you?

(Otherwise, from what dwalsh is saying, I think we should close this as WONTFIX)

Comment 4 Gene Czarcinski 2009-08-11 18:57:51 UTC
I am satisfied with the way things work with the rawhide packages which have been made available for Fedora 11 (the preview set).

Resetting the context after use works for me.

It is not a matter of WONTFIX but more (IMHO) of BEENFIXED

Comment 5 Daniel Walsh 2009-08-12 19:33:16 UTC
Gene, what change are you referring to?

Comment 6 Gene Czarcinski 2009-08-13 17:49:08 UTC
I was primarily concerned about ISO image files.

When I first started using qemu-kvm-libvirt, the context for the ISO file was changed and then left changed when the guest terminated or the ISO image file was disconnected.

I then started using the virt-preview set of packages when they appeared and, at that time, the context was reset to its "normal" value when the guest was done with that image.

I understand the need to change the context and, since I am only using these image files during install, I can live with the context change for that "brief" period of time.

