Bug 822594 - [6.4 FEAT] SELinux updates for QEMU sandboxing with seccomp
Summary: [6.4 FEAT] SELinux updates for QEMU sandboxing with seccomp
Keywords:
Status: CLOSED DUPLICATE of bug 822593
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.4
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 6.4
Assignee: Paul Moore
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 745944
Reported: 2012-05-17 15:22 UTC by IBM Bug Proxy
Modified: 2012-08-21 15:43 UTC
CC List: 14 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-21 18:56:35 UTC
Target Upstream Version:
Embargoed:




Links
System: IBM Linux Technology Center, ID: 73755, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never

Description IBM Bug Proxy 2012-05-17 15:22:18 UTC
1. Feature Overview:
Feature Id: [73755]
a. Name of Feature: [6.4 FEAT] SELinux updates for QEMU sandboxing with seccomp
b. Feature Description

This feature will provide any SELinux policy support required on top of QEMU's seccomp sandboxing support.

QEMU support will be provided to limit QEMU to only the system calls that it requires. New seccomp kernel functionality is intended to be used to declare the whitelisted syscalls and syscall parameters. This will limit QEMU's syscall footprint, and therefore the potential kernel attack surface. The idea is that if an attacker were to execute arbitrary code, they would only be able to use the whitelisted syscalls.

2. Feature Details:
Sponsor: LTC Security
Architectures:  

Arch Specificity: both
Affects Kernel Modules: No
Delivery Mechanism: Direct from Community
Category: other
Request Type: Package - Version Update
d. Upstream Acceptance: Not Started
Sponsor Priority P2
f. Severity: normal
IBM Confidential: No
Code Contribution: unsure
g. Component Version Target: ---

3. Business Case
This feature will further increase the security of the KVM hypervisor by tightening QEMU's SELinux policy in addition to limiting the potential kernel attack surface within QEMU.

4. Primary contact at Red Hat:
John Jarvis, jjarvis

5. Primary contacts at Partner:
Project Management Contact:
Stephanie A. Glass, sglass.com

Technical contact(s):
Corey C. Bryant, bryntcor.com

Comment 2 Paul Moore 2012-05-21 16:42:59 UTC
The QEMU sandboxing effort with seccomp should not require any SELinux policy modifications to function.  If any changes are necessary they should be treated as bugs against the sandboxing code and/or SELinux policy.

I think the best approach here is to close this feature request and track any issues that arise directly in BZ 822593.  Let me know if you have any concerns about closing this request.

Comment 3 IBM Bug Proxy 2012-05-21 17:10:27 UTC
------- Comment From bryntcor.com 2012-05-21 17:07 EDT-------
(In reply to comment #5)
> The QEMU sandboxing effort with seccomp should not require any SELinux
> policy modifications to function.  If any changes are necessary they should
> be treated as bugs against the sandboxing code and/or SELinux policy.
>
> I think the best approach here is to close this feature request and track
> any issues that arise directly in BZ 822593.  Let me know if you have any
> concerns about closing this request.

I agree, this BZ can be closed.

Comment 4 Paul Moore 2012-05-21 18:56:35 UTC

*** This bug has been marked as a duplicate of bug 822593 ***

