selinux November 2015

selinux@lists.fedoraproject.org

18 participants
15 discussions

Sharing directory with Vagrant box as guest VM

by Tim Landscheidt

Hi, I want to set up a Vagrant box (https://www.mediawiki.org/wiki/MediaWiki-Vagrant) under Fe- dora 23 with vagrant-libvirt. Usually, this means cloning the Git repository to somewhere in my home directory and running "vagrant up". This produces the VM configuration ("virsh dumpxml"): | […] | <filesystem type='mount' accessmode='passthrough'> | <driver type='path' wrpolicy='immediate'/> | <source dir='/home/tim/src/mediawiki-vagrant/libvirt-test'/> | <target dir='vagrant-root'/> | <alias name='fs0'/> | <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/> | </filesystem> | <filesystem type='mount' accessmode='passthrough'> | <driver type='path' wrpolicy='immediate'/> | <source dir='/home/tim/src/mediawiki-vagrant/libvirt-test/logs'/> | <target dir='vagrant-logs'/> | <alias name='fs1'/> | <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/> | </filesystem> | […] If the guest VM tries to read that with 9p, audit.log shows: | type=AVC msg=audit(1447019352.577:960): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0 | type=AVC msg=audit(1447019352.588:961): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0 | type=AVC msg=audit(1447019352.651:962): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0 | type=AVC msg=audit(1447019352.657:963): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0 (If reading would succeed, it would likely fail a short time later on writing.) Is there an existing solution for sharing a directory with a guest VM, e. g. perhaps a file context for such directories? Tim

8 years, 5 months

1
0
0 / 0

Re: SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)

by Moez Roy

On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit <i.grok(a)comcast.net> wrote: > On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote: >> The IPv6 updates are breaking stuff (and probably increasing the >> attack surface): >> >> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1 >> in /etc/sysctl.conf >> https://bugzilla.redhat.com/show_bug.cgi?id=1231946 >> >> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1 >> in /etc/sysctl.conf >> https://bugzilla.redhat.com/show_bug.cgi?id=1251762 > > Your bugs' subjects complain that software X is ignoring configuration for > software Y. That's expected for any X & Y where X != Y. In other > words, you shouldn't expect unbound and/or dnssec-triggerd to be looking > at *kernel* configuration settings. > > Looking at the bugs' bodies, it appears that because IPv6 isn't there, > some kernel module auto-load configuration is trying to auto-load IPv6 > and SELinux is prohibiting the action. That or the tool is explicitly > trying to load the module, but I rather doubt this. > > You note the SELinux policy alert but don't identify if this actually > breaks anything. The right answer could be as simple as changing the > SELinux policy to mark this transition/action as dontaudit (or just > ignore the audit message). > > Ah, a google search for `selinux "request-module"' leads me here: > https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to > agree with the above. > > -- > devel mailing list > devel(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Yes in this case it doesn't break anything if you just ignore the message. I am forwarding this to the SElinux list so hopefully they can add a rule if ipv6 is disabled in the grub config don't audit this message.

8 years, 5 months

1
0
0 / 0

CVE-2015-5602 and SELinux

by Miroslav Grepl

We wrote a blog post explaining how SELinux helps you with this sudo CVE. https://mgrepl.wordpress.com/2015/11/04/cve-2015-5602-and-selinux/ -- Miroslav Grepl Senior Software Engineer, SELinux Solutions Red Hat, Inc.

8 years, 5 months

2
2
0 / 0

Homes and energy efficient!

by Tom London

8 years, 5 months

1
0
0 / 0

Odd Trick That Cuts Your Power Bill By 80%

by Tom London

8 years, 5 months

1
0
0 / 0

← Newer
1
2
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

selinux November 2015