On 6/10/19 11:04 AM, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 11:54 AM lejeczek <peljasz(a)yahoo.co.uk> wrote:
>> On 06/06/2019 09:43, Ondrej Mosnacek wrote:
>>> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz(a)yahoo.co.uk> wrote:
>>>> hi everyone
>>>>
>>>> I have this:
>>>>
>>>> virt_use_fusefs --> on
>>>> virt_use_glusterd --> on
>>>>
>>>> on CentOS 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>>>
>>>> When I tell pacemaker to start a virt guest resource with xml config off
>>>> a fuse mounted gluster vol I get a denial and audit2allow sees:
>>>>
>>>> allow virsh_t fusefs_t:dir search;
>>>>
>>>> Should the above boolean be all I (pacemaker) need, or am I missing something?
>>> Hm, there seems to be an inconsistency among the virt_use_*fs
>>> booleans. On current Fedora Rawhide:
>>>
>>> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
>>> virt_domain
>>> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
>>> fsdaemon_t
>>> svirt_sandbox_domain
>>> virsh_t
>>> virt_domain
>>> virtlogd_t
>>>
>>> So, the "virt" in virt_use_nfs has a much wider meaning than the
>>> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
>>> this?
>>>
>> Not on CentOS, nope - virt_use_nfs does not help either, although it
>> seems to cover broadly, I still get:
> No, enabling virt_use_nfs won't help you (it allows virt domains to
> use NFS, not fusefs). I just pointed out that it covers more source
> domains than virt_use_fusefs. I believe this is an oversight and the
> virt_use_fusefs boolean should be fixed to cover the same set of
> source domains as virt_use_nfs. Anyway, you should open a bug against
> selinux-policy on RHEL/Fedora, so this is tracked and hopefully fixed
> (please include a link to this conversation if you do so).
Agree with Ondrej here, this should be consolidated.
Could you please create a Bugzilla ticket?
Thanks,
Lukas.
>>
>> $ semodule -DB
>>
>> $ ausearch -ts 10:51 | audit2allow
>>
>> #============= automount_t ==============
>> allow automount_t mount_t:process { noatsecure rlimitinh siginh };
>>
>> #============= glusterd_t ==============
>> allow glusterd_t automount_t:fifo_file write;
>>
>> #============= virsh_t ==============
>> allow virsh_t fusefs_t:dir search;
>>
>> $ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
>> rules:
>> virsh_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> virsh_t
>> fsdaemon_t
>> virt_domain
>> virtlogd_t
>> virt_domain
>> virsh_t
>> fsdaemon_t
>> virtd_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> fsdaemon_t
>> virtlogd_t
>> virtd_t
>> svirt_sandbox_domain
>> fsdaemon_t
>> svirt_sandbox_domain
>> virsh_t
>> virt_domain
>>
>> _______________________________________________
>> selinux mailing list -- selinux(a)lists.fedoraproject.org
>> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
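An added example (not code from anyone in this thread) that automates the comparison Ondrej makes above: it extracts the source domains from `sesearch -A -b <boolean>` output, reports which domains one boolean enables that the other does not, and checks whether the domain named in an audit2allow line (here virsh_t) is covered at all. The rule text is a constructed sample mirroring the thread's output, and the function and variable names are assumptions.

```shell
# Added example, not code from this thread. Compares which SELinux source
# domains two booleans enable, from `sesearch -A -b <boolean>` output.
# Function names and the sample rule text below are assumptions.
export LC_ALL=C   # stable sort order so comm(1) sees consistently sorted input

# Constructed sample rule text mirroring the sesearch output quoted above.
# Real use: FUSEFS_RULES=$(sesearch -A -b virt_use_fusefs), likewise for nfs.
FUSEFS_RULES='allow virt_domain fusefs_t:dir { getattr open search };
allow virt_domain fusefs_t:file { open read write };'
NFS_RULES='allow fsdaemon_t nfs_t:dir { getattr open search };
allow svirt_sandbox_domain nfs_t:dir { getattr open search };
allow virsh_t nfs_t:dir { getattr open search };
allow virt_domain nfs_t:dir { getattr open search };
allow virtlogd_t nfs_t:file { open read };'

# Print the unique source types of the allow rules read on stdin
# (field 2 of "allow SOURCE TARGET:CLASS ..."; header lines are skipped).
source_domains() {
    awk '$1 == "allow" { print $2 }' | sort -u
}

# Print the source domains that appear in rule text $2 but not in $1,
# i.e. what the second boolean covers that the first one misses.
missing_sources() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | source_domains > "$a"
    printf '%s\n' "$2" | source_domains > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed if source domain $1 (e.g. the one named in an audit2allow line)
# is among the sources enabled by rule text $2.
boolean_covers() {
    printf '%s\n' "$2" | source_domains | grep -qxF "$1"
}

# The denial in the thread comes from virsh_t; virt_use_fusefs does not
# enable it, virt_use_nfs does.
boolean_covers virsh_t "$FUSEFS_RULES" || echo "virt_use_fusefs: virsh_t not covered"
boolean_covers virsh_t "$NFS_RULES" && echo "virt_use_nfs: virsh_t covered"
echo "Sources virt_use_nfs enables but virt_use_fusefs does not:"
missing_sources "$FUSEFS_RULES" "$NFS_RULES"
```

On a real host, pass `"$(sesearch -A -b virt_use_fusefs)"` and `"$(sesearch -A -b virt_use_nfs)"` as the two arguments; the awk field extraction works for both the setools 3 (RHEL 7) and setools 4 output layouts.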