On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
> Hi all,
> a qemu-kvm process and its disk (image file) have the same
> MCS (s0:c111,c555). It expresses that this process has access to this image.
> I do not know whether the power to access its image file is the max or min?
> Does this process (domain) have any other power? How much?
> I want to know the exact power a qemu-kvm process has besides access
> to its image file: other kinds of files, dirs, etc.
I do not fully understand your question and the information you provided
does not clarify the issues for me but:
Here you can find the Fedora MCS rules:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs
To see which types have been assigned the mcs_constrained_type attribute:
seinfo -xamcs_constrained_type
> My test case:
> After starting a guest VM (its disk XML has cache='none' error_policy='stop'),
> make some modifications to its files and save them.
> Then go to the hypervisor and modify the MCS of the guest VM's image file.
> 1. I can read those files (cache=none)? It should not be so. Why?
> 2. Then modify files and save; the guest VM hangs, it is paused in the UI.
> This is right, the qemu process cannot write again. Why does this guest VM
> hang, and why can it not be resumed?
> 3. Look at the audit info: denied { write } for pid=52162 comm="qemu-kvm".
> That pid is 52162; it is not my qemu-kvm's pid? Why?
> Thanks so much.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
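
An added example, not part of the thread and not code from the Fedora policy: a small model of the MCS dominance check that the test case above exercises when the image's categories are changed. It assumes the constraint has the form "source high level dominates target high level, unless the source type lacks the mcs_constrained_type attribute" and that svirt_t carries that attribute; confirm both against the linked policy/mcs file and the seinfo output. All labels are constructed samples.

```python
# Added illustration. Models only the MCS constraint; type enforcement
# (allow rules) must also permit the access before it succeeds.

def high_level(context):
    """Return (type, sensitivity, categories) for the high level of a context."""
    _user, _role, typ, rng = context.split(":", 3)
    high = rng.split("-")[-1]            # "s0-s0:c0.c1023" -> "s0:c0.c1023"
    sens, _, cats = high.partition(":")
    catset = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")  # "c0.c3" means the range c0..c3
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        catset.update(range(first, last + 1))
    return typ, int(sens[1:]), frozenset(catset)


def mcs_allows(source_ctx, target_ctx, constrained_types):
    """True if the assumed MCS constraint lets source act on target."""
    s_type, s_sens, s_cats = high_level(source_ctx)
    _t_type, t_sens, t_cats = high_level(target_ctx)
    if s_type not in constrained_types:
        return True                      # constraint not applied to this type
    # Dominance: sensitivity at least as high, categories a superset.
    return s_sens >= t_sens and s_cats >= t_cats


# Assumption: stand-in for the set reported by seinfo on a real system.
CONSTRAINED = {"svirt_t"}

# Constructed sample labels.
QEMU = "system_u:system_r:svirt_t:s0:c111,c555"
IMAGE = "system_u:object_r:svirt_image_t:s0:c111,c555"
RELABELED = "system_u:object_r:svirt_image_t:s0:c111,c556"
ADMIN = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    for name, target in (("original image", IMAGE), ("relabeled image", RELABELED)):
        verdict = "passes" if mcs_allows(QEMU, target, CONSTRAINED) else "fails"
        print(f"{name}: MCS check {verdict}")
```

On a live host, the real labels to feed in come from `ps -eZ` for the qemu-kvm process and `ls -Z` for the image file.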