Monitoring disk storage labeled with svirt_image_t
Dominick Grift
dominick.grift at gmail.com
Fri Nov 15 14:34:51 UTC 2013
On Fri, 2013-11-15 at 15:02 +0100, Gabriele Pohl wrote:
> Hi,
>
> I use Munin plugin diskwatch to monitor a KVM-Host
> and am getting AVC denials at access to logical volumes
> labeled with type "svirt_image_t"
>
>snip<
> Should I really change the label or will that make problems for qemu?
> Is it ok to grant access privileges to munin_disk_plugin_t ?
>

No, you should not change the label as setroubleshoot suggested.

> @drjohnson1: Will you then please add the following rules to SELinux
> policy of munin-node:
>
> --------------------------------
> module diskwatch-pol 1.0;
>
> require {
> type svirt_image_t;
> type munin_disk_plugin_t;
> class blk_file getattr;
> }
>
> #============= munin_disk_plugin_t ==============
> allow munin_disk_plugin_t svirt_image_t:blk_file getattr;
> --------------------------------
>

In theory you should add a rule like the above, yes, but it is probably not enough.

> Thanks for your advice and kind regards,
>
> Gabriele
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
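
One way to check whether a single getattr rule covers everything the plugin is denied, as an added example that is not part of the original thread: the script below collects every AVC denial for one source domain and renders a module in the same layout as the one quoted above. The audit records are constructed (the real AVC was snipped from the thread), so the extra permissions shown are illustrative only; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records; the permissions here are not a claim about what diskwatch needs.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1384524000.101:501): avc:  denied  { getattr } for  pid=2101 comm="diskwatch" path="/dev/dm-3" dev="devtmpfs" ino=9001 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c10,c20 tclass=blk_file
type=AVC msg=audit(1384524000.102:502): avc:  denied  { read open } for  pid=2101 comm="diskwatch" path="/dev/dm-3" dev="devtmpfs" ino=9001 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c10,c20 tclass=blk_file
type=AVC msg=audit(1384524000.103:503): avc:  denied  { getattr } for  pid=2101 comm="diskwatch" path="/dev/dm-4" dev="devtmpfs" ino=9002 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c30,c40 tclass=blk_file
type=AVC msg=audit(1384524000.104:504): avc:  denied  { write } for  pid=3000 comm="httpd" name="x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text, source_type):
    """Map (target_type, class) -> set of denied permissions for one source domain."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m["scon"]) != source_type:
            continue  # not an AVC denial, or a denial for some other domain
        denied[(context_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return denied

def render_module(name, source_type, denied):
    """Render a .te module in the same layout as the one quoted in the thread."""
    def fmt(perms):
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    types = sorted({source_type} | {t for t, _ in denied})
    by_class = defaultdict(set)
    for (_, tclass), perms in denied.items():
        by_class[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt(p)};" for c, p in sorted(by_class.items())]
    lines += ["}", ""]
    lines += [f"allow {source_type} {t}:{c} {fmt(p)};" for (t, c), p in sorted(denied.items())]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_module("diskwatch-pol", "munin_disk_plugin_t",
                        collect_denials(SAMPLE_AUDIT_LOG, "munin_disk_plugin_t")))
```

On a real host, pass the text of the audit log in place of the sample and read the rendered rules before loading anything: the output is the complete set of access the module would grant on `svirt_image_t` devices.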