On Wed, 2013-04-17 at 17:49 +0800, bigclouds wrote:
> hi, all
> a qemu-kvm process and its disk (image file) have the same
> MCS (s0:c111,c555). it expresses that this process has access to this image.
> i do not know whether the power to access its image file is the max or min?
> does this process (domain) have any other power? how much?
> i want to know the exact power a qemu-kvm process has besides access to
> its image file, other kinds of files, dirs etc.

I do not fully understand your question and the information you provided does not clarify the issues for me but:

Here you can find the Fedora MCS rules:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/mcs

To see all types that have been assigned the mcs_constrained_type attribute:

    seinfo -xamcs_constrained_type

>
> my test case:
> after starting a guestVM (its disk xml, cache='none' error_policy='stop'),
> make some modifications to its files and save them.
> then go to the hypervisor, modify the MCS of the guestVM's image file.
> 1. i can read those files (cache=none)? it should not be so. why?
> 2. then modify files and save, the guestVM hangs, it is paused on the UI.
> this is right, the qemu process can not write again. why does this guestVM
> hang? and it can not be resumed
> 3. look at the audit info. denied { write } for pid=52162 comm="qemu-kvm".
> that pid is 52162, is it not my qemu-kvm's pid? why?
>
> thanks so much.
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
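
Added example, not part of the original thread and not code from the SELinux project: a simplified model of the level dominance test that MCS constraints are built on, applied to the labels discussed above. The full contexts (including the svirt_t and svirt_image_t types), the relabelled category c556 and the function names are assumptions made for illustration; type enforcement rules and the attribute-based exemptions in the policy/mcs file are not modelled.

```python
# Simplified model of MCS level dominance (assumption: dominance only,
# no type enforcement and no attribute-based exemptions from policy/mcs).

def parse_level(level):
    """Parse 's0:c111,c555' or 's0:c0.c3' into (sensitivity, category set)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        first, _, last = part.partition(".")  # 'c0.c3' is the inclusive range c0..c3
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)


def high_level(context):
    """Return the high level of a full user:role:type:range context."""
    mls_range = context.split(":", 3)[3]
    # A range looks like 'low-high'; a single level is both low and high.
    return parse_level(mls_range.split("-")[-1])


def dominates(source_ctx, target_ctx):
    """True if the source's high level dominates the target's high level."""
    s_sens, s_cats = high_level(source_ctx)
    t_sens, t_cats = high_level(target_ctx)
    # Dominance: sensitivity at least as high, categories a superset.
    return s_sens >= t_sens and s_cats >= t_cats


# Constructed sample contexts using the category pair from the thread.
QEMU = "system_u:system_r:svirt_t:s0:c111,c555"
IMAGE = "system_u:object_r:svirt_image_t:s0:c111,c555"
RELABELLED = "system_u:object_r:svirt_image_t:s0:c111,c556"  # constructed change
NO_CATEGORIES = "system_u:object_r:svirt_image_t:s0"

if __name__ == "__main__":
    for name, target in [("image", IMAGE), ("relabelled image", RELABELLED),
                         ("file without categories", NO_CATEGORIES)]:
        verdict = "passes" if dominates(QEMU, target) else "fails"
        print(f"{name}: MCS dominance check {verdict}")
```

Passing the dominance check is necessary but not sufficient: a file whose categories are a subset of the process's categories still has to be allowed by the type enforcement rules for the process's domain.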