xen, selinux, FC5

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 13 16:39:27 UTC 2006


On Fri, 2006-10-13 at 17:25 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> >> Stephen Smalley wrote:
> >>> The assertion is to prevent accidental granting of read access to a
> >>> raw disk device.  Is that truly required here?
> >> Probably - the root disk of the guest O/S instance is an lvm partition,
> >> e.g. /dev/vg01/lv_guest
> >>
> >>> To allow it, you need to use the interface for it, e.g. 
> >>> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> >>> kernel/storage.if. In addition to allowing the permission, it adds a
> >>> type attribute to the type that excludes it from the assertion.
> >> So, what would that look like in the policy file?
> > 
> > If you build using the devel makefile (e.g. make
> > -f /usr/share/selinux/devel/Makefile or copy it over to where you are
> > working on your module), then you can use the interface as I described,
> > i.e. just put
> > 	storage_raw_read_fixed_disk(xm_t)
> > in your .te file.
> > 
> > That Makefile will pull in the headers and expand it properly.
> > Should handle the checkmodule and semodule_package side of things,
> > leaving you with just running semodule -i to install it once built.
> 
> I'm actually doing this:
> 
> Use audit2allow to identify AVC denied msgs:
> 
>   audit2allow -M local -l -i /var/log/audit/audit.log
> 
> Copy the contents of the local.te file produced by the command to xen.te
> 
> Compile and install the policy like this:
> 
> export SEAPP=xen
> checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
> semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
> semodule -i ${SEAPP}.pp
> 
> Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role
> format used in the .te files? Or do I need to do something different?

You need to do something different if you want to use refpolicy
interfaces (which are presently m4 macros, but will eventually be first
class constructs in the language that will be handled at link time);
storage_raw_read_fixed_disk() is such an interface.  The easiest thing
to do is to use the devel Makefile.  Instead of manually running
checkmodule and semodule_package, you just do:
	mkdir xen
	cp xen.te xen/
	cd xen
	make -f /usr/share/selinux/devel/Makefile

The Makefile will then handle pulling in the refpolicy interface
headers, applying m4, running checkmodule on the result, and running
semodule_package, leaving you with a xen.pp file that you can install.

-- 
Stephen Smalley
National Security Agency
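The steps in the reply above, turned into a small build script as an added example (not code from the thread or from refpolicy): it assumes the module name `xen`, that `xm_t` already exists in the base policy, and the devel Makefile path quoted in the message; the `policy_module`/`gen_require` wrapper is the refpolicy module form that the devel Makefile expects in place of audit2allow's raw `module ... ;` header.

```shell
#!/bin/sh
# Added example: build a refpolicy-style module with the devel Makefile
# instead of hand-running checkmodule and semodule_package.
# Assumptions: module name "xen"; xm_t is defined in the base policy.

# Write xen.te in refpolicy form. policy_module() replaces the raw
# "module xen 1.0;" header that audit2allow emits, gen_require() pulls
# xm_t in from the base policy, and the interface call grants the raw
# read permission and the attribute that exempts xm_t from the assertion.
write_xen_te() {
    dir="$1"
    cat > "$dir/xen.te" <<'EOF'
policy_module(xen, 1.0)

gen_require(`
	type xm_t;
')

# xm needs to read the guest root disk, an LVM volume such as /dev/vg01/lv_guest
storage_raw_read_fixed_disk(xm_t)
EOF
}

# Build with the devel Makefile (path overridable for testing). Returns 2 if
# the Makefile is missing, 1 if make failed or produced no xen.pp, 0 on
# success. Installing with "semodule -i xen.pp" is left to the caller (root).
build_xen_module() {
    dir="$1"
    mk="${2:-/usr/share/selinux/devel/Makefile}"
    if [ ! -f "$mk" ]; then
        echo "missing $mk: install the selinux-policy-devel package" >&2
        return 2
    fi
    ( cd "$dir" && make -f "$mk" ) || return 1
    [ -f "$dir/xen.pp" ] || return 1
    return 0
}

# Usage: mkdir xen; write_xen_te xen; build_xen_module xen
```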