On 06/06/2019 09:43, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz(a)yahoo.co.uk>
> wrote:
>> hi everyone
>>
>> I have this:
>>
>> virt_use_fusefs --> on
>> virt_use_glusterd --> on
>>
>> on CentOS 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>
>> When I tell pacemaker to start a virt guest resource with XML config off
>> a FUSE-mounted gluster vol I get a denial and audit2allow sees:
>>
>> allow virsh_t fusefs_t:dir search;
>>
>> Should the above boolean be all I (pacemaker) need, or am I missing something?
> Hm, there seems to be an inconsistency among the virt_use_*fs
> booleans. On current Fedora Rawhide:
> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
> virt_domain
> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
> fsdaemon_t
> svirt_sandbox_domain
> virsh_t
> virt_domain
> virtlogd_t
> So, the "virt" in virt_use_nfs has a much wider meaning than the
> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
> this?
Not on CentOS, nope - virt_use_nfs does not help either, although it
seems to cover broadly; I still get:
$ semodule -DB
$ ausearch -ts 10:51 | audit2allow
#============= automount_t ==============
allow automount_t mount_t:process { noatsecure rlimitinh siginh };
#============= glusterd_t ==============
allow glusterd_t automount_t:fifo_file write;
#============= virsh_t ==============
allow virsh_t fusefs_t:dir search;
$ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
rules:
virsh_t
virt_domain
svirt_sandbox_domain
virtd_t
virsh_t
fsdaemon_t
virt_domain
virtlogd_t
virt_domain
virsh_t
fsdaemon_t
virtd_t
virt_domain
svirt_sandbox_domain
virtd_t
fsdaemon_t
virtlogd_t
virtd_t
svirt_sandbox_domain
fsdaemon_t
svirt_sandbox_domain
virsh_t
virt_domain
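The comparison done above with `sesearch -A -b ... | cut` (which source domains each boolean grants rules for) and the check of the audit2allow denial against those rules, as an added example that is not part of the thread or of setools: a small Python parser for `allow` rule lines. The sesearch lines in it are constructed sample data shaped like setools 4 output (with the trailing `[ bool ]:True` conditional); the domain sets mirror what the thread reports for virt_use_fusefs and virt_use_nfs, the permissions are made up. Matching is by literal type name, so an attribute such as virt_domain is not expanded; on a real system you would expand it first (for example with `seinfo -a virt_domain -x`) before concluding that a domain is or is not covered.

```python
"""Added example (not from the thread): which source domains does a
boolean enable, and does it cover a given audit2allow denial?"""
import re
from collections import defaultdict

# Matches both setools 3 ("allow a b : c { p } ;") and setools 4
# ("allow a b:c { p }; [ bool ]:True") allow-rule lines.
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\](?::(?P<val>True|False))?)?"
)

# CONSTRUCTED sample output, modelled on `sesearch -A -b <bool>` (setools 4).
SAMPLE_SESEARCH = """\
allow virt_domain fusefs_t:dir { getattr open read search }; [ virt_use_fusefs ]:True
allow virt_domain fusefs_t:file { getattr open read write }; [ virt_use_fusefs ]:True
allow virsh_t nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
allow virt_domain nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
allow fsdaemon_t nfs_t:file { getattr open read }; [ virt_use_nfs ]:True
allow virtlogd_t nfs_t:file { append open }; [ virt_use_nfs ]:True
"""

# The denial reported in the thread, as audit2allow prints it.
SAMPLE_AUDIT2ALLOW = """\
#============= virsh_t ==============
allow virsh_t fusefs_t:dir search;
"""


def parse_rules(text, default_boolean=None):
    """Parse allow rules into dicts with src, tgt, cls, perms (set), booleans (set).

    setools 3 output does not repeat the boolean name on each line, so pass
    the -b argument as default_boolean for that format. Rules that only apply
    while the boolean is False are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Found N rules:" headers, audit2allow "#====" headers, blanks
        if m.group("val") == "False":
            continue
        perms = m.group("perms")
        perm_set = set(perms.split()) if perms is not None else {m.group("perm")}
        cond = m.group("cond")
        # A conditional expression may combine several booleans; keep every name.
        bools = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cond)) if cond else set()
        if not bools and default_boolean:
            bools = {default_boolean}
        rules.append({"src": m.group("src"), "tgt": m.group("tgt"),
                      "cls": m.group("cls"), "perms": perm_set, "booleans": bools})
    return rules


def sources_by_boolean(rules):
    """Equivalent of `sesearch -A -b BOOL | cut -f 2 -d ' ' | uniq` per boolean."""
    out = defaultdict(set)
    for r in rules:
        for b in r["booleans"]:
            out[b].add(r["src"])
    return dict(out)


def missing_sources(rules, wide, narrow):
    """Source types that `wide` grants rules for but `narrow` does not."""
    by_bool = sources_by_boolean(rules)
    return sorted(by_bool.get(wide, set()) - by_bool.get(narrow, set()))


def booleans_covering(denial, rules):
    """Booleans having a rule with the same src/tgt/class whose perms include
    the denied ones (literal names only; attributes are not expanded)."""
    found = set()
    for r in rules:
        if (r["src"] == denial["src"] and r["tgt"] == denial["tgt"]
                and r["cls"] == denial["cls"] and denial["perms"] <= r["perms"]):
            found |= r["booleans"]
    return sorted(found)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_SESEARCH)
    for b, srcs in sorted(sources_by_boolean(rules).items()):
        print(b, "->", " ".join(sorted(srcs)))
    print("virt_use_nfs covers but virt_use_fusefs does not:",
          missing_sources(rules, "virt_use_nfs", "virt_use_fusefs"))
    for d in parse_rules(SAMPLE_AUDIT2ALLOW):
        print("denial", d["src"], d["tgt"], d["cls"], sorted(d["perms"]),
              "covered by:", booleans_covering(d, rules) or "no boolean")
```

Run against the sample, the denial for virsh_t on fusefs_t:dir matches no boolean, while the same request against nfs_t would be covered by virt_use_nfs, which is the asymmetry the thread points out. On a live system, feed it the real `sesearch -A -b virt_use_fusefs` output and the `audit2allow` lines from `ausearch`.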