On Tue, Jan 14, 2020 at 11:44 AM Gionatan Danti <g.danti(a)assyoma.it> wrote:
On 14/01/20 10:37, Ondrej Mosnacek wrote:
> Hi,
> When you access a path, you usually need only basic permissions
> (getattr, search, ...) for the parent components and the
> read/write/execute/... permissions (depending on what the service
> wants to do with the file) are only checked against the label of the
> file itself. Chances are that all/most domains already have
> permissions to traverse mnt_t directories, so it is likely that you
> won't need any additional permissions. But best to try running the
> service and see if you get any denials :)
I'll do, thanks.
As a side note, how can I check all permissions of a specific domains
(ie: libvirt in this case)?
You can use the sesearch tool (from setools-console package). E.g.:
sesearch -A -s virtd_t
will show you all allow rules with "virtd_t" as the source type. Or:
sesearch -A -s virtd_t -t mnt_t
will show all allow rules with "virtd_t" as source type and "mnt_t"
as
target type. As usual, see the man page for more options.
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.