Re: [libvirt] I have no idea why the current version of libvirt works for anyone in enforcing mode.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/13/2009 06:19 AM, Daniel P. Berrange wrote:
On Thu, Mar 12, 2009 at 01:39:13PM -0400, Daniel J Walsh wrote:
Libvirt is executing qemu requiring it to execute pulseaudio which would
require the folowing permissions,

#============= svirt_t ==============
allow svirt_t admin_home_t:dir setattr;
allow svirt_t admin_home_t:file { read write };
allow svirt_t pulseaudio_port_t:tcp_socket name_connect;
allow svirt_t svirt_tmpfs_t:file read;
allow svirt_t user_tmpfs_t:file read;

Since qemu(svirt_t) is not allowed these permissions, pulseaudio crashes
and qemu dies.

I don't see it crashing - when I run with a guest with a sound device
attached, I see the AVC denials, and QEMU just carries on without a
active sound backend AFAICT.

I believe you need to run without sound if you are running as root.

We can't disable sound unconditonally for root, because not everyone
will be using SELinux so its still valid to allow sound cards. I think
the focus has to be on stopping QEMU from crashing. It might actually
be an SDL bug, rather than a QEMU bug, because I believe its SDL that
is responsible for opening the sound devices.

Daniel
How about if we check if you are running with svirt then don't execute the code. Since I do not want to deal with these avc messages. Either they will happen always and I have to dontaudit them in which case a compromised svirt attacking the /root directory would be dontaudited, or people are going to see avc's all the time.


--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]