Re: New QEMU daemon for persistent reservations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 27/11/2017 13:57, Daniel P. Berrange wrote:
>> Got it.  My problem here is that ioctl permission might be too strict.
>> One use case for the helper is to bypass the ioctl permission, and only
>> grant SCSI passthrough access for the specific case of persistent
>> reservation commands.  Would it make sense to also allow e.g. "lock"
>> (and would it pass the SELinux policy)?
> When I write "...ioctl perm..." I use that just as a short cut to represent
> whatever SELinux access vector would be checked if QEMU were to do the SCSI
> PR calls itself.  The access vector permission bits are defined in the policy
> file, and in the auto-generated header file /usr/include/selinux/av_permissions.h
> 
> AFAICT, there's only a coarse COMMON_FILE_IOCTL access vector defined, nothing
> on the level of individual ioctl commands. So, yes, the MAC policy check
> would allow other ioctl commands to be run, aside from those required for
> persistent reservations. We just have to rely on the PR helper code for
> that restriction.

But can you also test _more_ permissions if you want?  So if QEMU passed
to the helper a file for which it has "lock" but not "ioctl" access,
would it make sense for the helper to let it through?  Together with the
socket MAC, this should be precise enough.

Thanks,

Paolo

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux