Re: a boolean which does not work?

On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>
> hi everyone
>
> I have this:
>
> virt_use_fusefs --> on
> virt_use_glusterd --> on
>
> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>
> When I tell pacemaker to start a virt guest resource with xml config off
> a fuse mounted gluster vol I get a denial and audit2allow sees:
>
> allow virsh_t fusefs_t:dir search;
>
> Should above boolean be all I (pacemaker) need or I'm missing something?

Hm, there seems to be an inconsistency among the virt_use_*fs
booleans. On current Fedora Rawhide:

$ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
virt_domain
$ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
fsdaemon_t
svirt_sandbox_domain
virsh_t
virt_domain
virtlogd_t

So, the "virt" in virt_use_nfs has a much wider meaning than the
"virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
this?

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
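The comparison made in the reply above, as an added example that is not part of the original message: it lists the source types that one boolean's allow rules cover and the other's do not. The rule lines are constructed to mirror the source types shown in the thread (their permission sets are made up), and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample input in the "allow SOURCE TARGET:CLASS PERMS; [ BOOL ]:True"
# layout that sesearch -A -b prints. Permission sets are illustrative only.
NFS_RULES='allow fsdaemon_t nfs_t:dir { getattr search }; [ virt_use_nfs ]:True
allow svirt_sandbox_domain nfs_t:dir { getattr search }; [ virt_use_nfs ]:True
allow virsh_t nfs_t:dir { getattr search }; [ virt_use_nfs ]:True
allow virsh_t nfs_t:file { getattr read }; [ virt_use_nfs ]:True
allow virt_domain nfs_t:dir { getattr search }; [ virt_use_nfs ]:True
allow virtlogd_t nfs_t:file { getattr read }; [ virt_use_nfs ]:True'

FUSE_RULES='allow virt_domain fusefs_t:dir { getattr search }; [ virt_use_fusefs ]:True
allow virt_domain fusefs_t:file { getattr read }; [ virt_use_fusefs ]:True'

# Print the unique source types of the allow rules read from stdin.
rule_sources() {
    awk '$1 == "allow" { print $2 }' | LC_ALL=C sort -u
}

# Print source types that appear in rule set $1 but not in rule set $2.
# Lines from $2 are fed first (tagged B) so awk knows them before it
# sees the candidates from $1 (tagged A).
sources_only_in_first() {
    {
        printf '%s\n' "$2" | rule_sources | sed 's/^/B /'
        printf '%s\n' "$1" | rule_sources | sed 's/^/A /'
    } | awk '$1 == "B" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# Domains that gain NFS access from virt_use_nfs but get nothing
# from virt_use_fusefs in the sample data.
sources_only_in_first "$NFS_RULES" "$FUSE_RULES"

# On a host with setools installed, pass live policy output instead:
#   sources_only_in_first "$(sesearch -A -b virt_use_nfs)" \
#                         "$(sesearch -A -b virt_use_fusefs)"
```

With the sample data the output includes virsh_t, the domain named in the denial quoted at the top of the thread.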