On Tue, Jun 21, 2022 at 10:42:39AM +0200, Renaud Métrich wrote:
Hi there,
I'm the BZ reporter.
I think the safe solution is to provide something similar to what was done
for vmtools: have a context switching to become sort of "unconfined" domain.
This context switch has to happen only the executor and we already have a
solution, I documented it in the BZ.
I don't think having an additional boolean is necessary, unless we want to
restrict the commands the guest can execute.
If we allow QGA to execute arbitrary commands, running those commands
unconfined_t, then what is the point of having any SELinux policy
for QGA at all. It can just execute "/bin/sh" or "/bin/perl", passing
any script commands it wants, having them run as unconfined_t and thus
escape all SELinux confinement of QGA.
I didn't realize that we in fact already allowed runing any command
labelled bin_t. That already makes the QGA policy useless as a security
measure and should be addressed IMHO by putting that existing rul;e
behind a boolean, defaulting to disabled.
With regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|