Sharing directory with Vagrant box as guest VM
by Tim Landscheidt
Hi,
I want to set up a Vagrant box
(https://www.mediawiki.org/wiki/MediaWiki-Vagrant) under
Fedora 23 with vagrant-libvirt. Usually, this means cloning
the Git repository to somewhere in my home directory and
running "vagrant up". This produces the VM configuration
("virsh dumpxml"):
| […]
| <filesystem type='mount' accessmode='passthrough'>
| <driver type='path' wrpolicy='immediate'/>
| <source dir='/home/tim/src/mediawiki-vagrant/libvirt-test'/>
| <target dir='vagrant-root'/>
| <alias name='fs0'/>
| <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
| </filesystem>
| <filesystem type='mount' accessmode='passthrough'>
| <driver type='path' wrpolicy='immediate'/>
| <source dir='/home/tim/src/mediawiki-vagrant/libvirt-test/logs'/>
| <target dir='vagrant-logs'/>
| <alias name='fs1'/>
| <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
| </filesystem>
| […]
If the guest VM tries to read that with 9p, audit.log shows:
| type=AVC msg=audit(1447019352.577:960): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1447019352.588:961): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1447019352.651:962): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1447019352.657:963): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
(If reading would succeed, it would likely fail a short time
later on writing.)
Is there an existing solution for sharing a directory with a
guest VM, e.g. perhaps a file context for such directories?
Tim
8 years, 5 months
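Added example, not part of Tim's post or of MediaWiki-Vagrant: a small Python triage script that parses AVC records like the four quoted above and collapses them into a per-(source type, target type, class, permission) summary, which is what you want before deciding whether a denial needs a file-context change, a boolean, or a dontaudit rule. The four AVC lines are copied from the post; the SYSCALL record and the permissive=1 write denial in the sample are constructed to show that non-AVC lines are skipped and that denials logged in permissive mode are reported as not enforced.

```python
"""Triage SELinux AVC denials from audit.log.

Parses raw AVC lines, splits the security contexts into user:role:type:level,
and groups denials by (source type, target type, object class, permissions)
so repeated lines collapse into a short summary.
"""
import re
from collections import defaultdict

# One AVC record: timestamp, serial, denied/granted, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def split_context(ctx):
    """Split 'user:role:type:level' into a dict; the MLS/MCS level may itself contain ':' and ','."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def parse_avc(line):
    """Parse one audit.log line; return None if it is not an AVC record."""
    line = line.strip()
    if line.startswith("|"):  # tolerate the '| ' quoting used when pasting into mail
        line = line[1:].strip()
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": tuple(m.group("perms").split()),
           "fields": fields}
    for side in ("scontext", "tcontext"):
        if side in fields:
            rec[side] = split_context(fields[side])
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, perms); count, object names, enforcement."""
    groups = defaultdict(lambda: {"count": 0, "names": set(), "enforcing": True})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"],
               rec["fields"].get("tclass"), rec["perms"])
        g = groups[key]
        g["count"] += 1
        g["names"].add(rec["fields"].get("name", "?"))
        if rec["fields"].get("permissive") == "1":  # logged only, not enforced
            g["enforcing"] = False
    out = []
    for (stype, ttype, tclass, perms), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        out.append({"source_type": stype, "target_type": ttype, "tclass": tclass,
                    "perms": " ".join(perms), "count": g["count"],
                    "names": sorted(g["names"]), "enforcing": g["enforcing"]})
    return out


# Sample input: the four AVC lines from the post, plus two constructed records
# (a SYSCALL line that must be ignored, and a permissive-mode write denial).
SAMPLE_LINES = [
    '| type=AVC msg=audit(1447019352.577:960): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0',
    '| type=AVC msg=audit(1447019352.588:961): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1447019352.651:962): avc: denied { read } for pid=16166 comm="pool" name="libvirt-test" dev="dm-4" ino=11956343 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1447019352.657:963): avc: denied { read } for pid=16166 comm="pool" name="logs" dev="dm-4" ino=11956472 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0',
    # constructed: a non-AVC record that must be skipped
    'type=SYSCALL msg=audit(1447019352.657:963): arch=c000003e syscall=257 success=no exit=-13',
    # constructed: the write denial Tim expects to follow, logged in permissive mode
    'type=AVC msg=audit(1447019352.700:964): avc: denied { write } for pid=16166 comm="pool" name="vagrant.log" dev="dm-4" ino=11956999 scontext=system_u:system_r:svirt_tcg_t:s0:c325,c639 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for g in summarize(SAMPLE_LINES):
        print("%(count)dx %(source_type)s -> %(target_type)s %(tclass)s { %(perms)s } "
              "names=%(names)s enforcing=%(enforcing)s" % g)
```

On the post's lines the summary is a single enforced group: svirt_tcg_t denied read on user_home_t directories named libvirt-test and logs, i.e. the guest's 9p passthrough is hitting the home-directory label, not a missing permission on the files themselves. Keeping the source and target types in the key is what makes the output directly comparable with the `allow`/`dontaudit` statements SELinux policy is written in.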
Re: SELinux & disabled IPv6 (was: Re: Fedora IPv6 testing and improvements - request for ideas)
by Moez Roy
On Tue, Nov 3, 2015 at 9:06 PM, Scott Schmit <i.grok(a)comcast.net> wrote:
> On Tue, Nov 03, 2015 at 09:50:53AM -0800, Moez Roy wrote:
>> The IPv6 updates are breaking stuff (and probably increasing the
>> attack surface):
>>
>> Bug 1231946 - unbound-anchor ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1231946
>>
>> Bug 1251762 - dnssec-triggerd ignores net.ipv6.conf.all.disable_ipv6=1
>> in /etc/sysctl.conf
>> https://bugzilla.redhat.com/show_bug.cgi?id=1251762
>
> Your bugs' subjects complain that software X is ignoring configuration for
> software Y. That's expected for any X & Y where X != Y. In other
> words, you shouldn't expect unbound and/or dnssec-triggerd to be looking
> at *kernel* configuration settings.
>
> Looking at the bugs' bodies, it appears that because IPv6 isn't there,
> some kernel module auto-load configuration is trying to auto-load IPv6
> and SELinux is prohibiting the action. That or the tool is explicitly
> trying to load the module, but I rather doubt this.
>
> You note the SELinux policy alert but don't identify if this actually
> breaks anything. The right answer could be as simple as changing the
> SELinux policy to mark this transition/action as dontaudit (or just
> ignore the audit message).
>
> Ah, a google search for `selinux "request-module"' leads me here:
> https://bugzilla.redhat.com/show_bug.cgi?id=527936 which appears to
> agree with the above.
>
Yes, in this case it doesn't break anything if you just ignore the
message. I am forwarding this to the SELinux list so hopefully they
can add a rule: if IPv6 is disabled in the grub config, don't audit this
message.
8 years, 5 months