On 06/06/2019 09:43, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>> hi everyone
>>
>> I have this:
>>
>> virt_use_fusefs --> on
>> virt_use_glusterd --> on
>>
>> on CentOS 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>
>> When I tell pacemaker to start a virt guest resource with xml config off
>> a fuse mounted gluster vol I get a denial and audit2allow sees:
>>
>> allow virsh_t fusefs_t:dir search;
>>
>> Should the above boolean be all I (pacemaker) need, or am I missing something?
>
> Hm, there seems to be an inconsistency among the virt_use_*fs
> booleans. On current Fedora Rawhide:
>
> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
> virt_domain
> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
> fsdaemon_t
> svirt_sandbox_domain
> virsh_t
> virt_domain
> virtlogd_t
>
> So, the "virt" in virt_use_nfs has a much wider meaning than the
> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
> this?
>

Not on CentOS, nope - virt_use_nfs does not help either, although it seems to cover broadly. I still get:

$ semodule -DB
$ ausearch -ts 10:51 | audit2allow

#============= automount_t ==============
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#============= glusterd_t ==============
allow glusterd_t automount_t:fifo_file write;

#============= virsh_t ==============
allow virsh_t fusefs_t:dir search;

$ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
rules:
virsh_t
virt_domain
svirt_sandbox_domain
virtd_t
virsh_t
fsdaemon_t
virt_domain
virtlogd_t
virt_domain
virsh_t
fsdaemon_t
virtd_t
virt_domain
svirt_sandbox_domain
virtd_t
fsdaemon_t
virtlogd_t
virtd_t
svirt_sandbox_domain
fsdaemon_t
svirt_sandbox_domain
virsh_t
virt_domain
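As an added illustration (not code from the thread or from setools), a small Python parser for setools-4 style `sesearch -A` output that reproduces the per-boolean source-domain listing above and checks whether an audit2allow denial such as `allow virsh_t fusefs_t:dir search;` is granted by any rule. The rule-line format and the sample rules are assumed/constructed from the thread's results; attribute membership (which types carry `virt_domain`) is not resolved here.

```python
import re
from collections import defaultdict

# One setools-4 style "sesearch -A" rule line. Format assumed, e.g.:
#   allow virt_domain fusefs_t:dir { search getattr }; [ virt_use_fusefs ]:True
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<cond>[^\]]+?)\s*\]:(?P<state>True|False))?\s*$"
)

def parse_rules(text):
    """Parse allow rules into dicts: src, tgt, cls, perms (set), boolean, state."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, non-allow rules are skipped
        perms = m.group("perms")
        rules.append({
            "src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
            "perms": set(perms.split()) if perms is not None else {m.group("perm")},
            "boolean": m.group("cond"),
            "state": None if m.group("state") is None else m.group("state") == "True",
        })
    return rules

def sources_per_boolean(rules):
    """Source domains each boolean's rules apply to (what the cut/uniq pipeline lists)."""
    out = defaultdict(set)
    for r in rules:
        if r["boolean"]:
            out[r["boolean"]].add(r["src"])
    return {b: sorted(s) for b, s in out.items()}

def covering_rules(rules, src, tgt, cls, perm):
    """Rules that grant an audit2allow-style denial 'allow src tgt:cls perm;'.
    Matches on literal source name only; a rule on an attribute such as
    virt_domain covers a type only if that type carries the attribute."""
    return [r for r in rules
            if r["src"] == src and r["tgt"] == tgt and r["cls"] == cls and perm in r["perms"]]

# Constructed sample modelled on the thread: virt_use_fusefs only reaches
# virt_domain, while virt_use_nfs reaches several domains including virsh_t.
SAMPLE = """\
allow virt_domain fusefs_t:dir { getattr open read search }; [ virt_use_fusefs ]:True
allow virt_domain fusefs_t:file { getattr open read }; [ virt_use_fusefs ]:True
allow virsh_t nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
allow virt_domain nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
allow fsdaemon_t nfs_t:file { getattr open read }; [ virt_use_nfs ]:True
allow virtlogd_t nfs_t:dir search; [ virt_use_nfs ]:True
"""
```

Running `covering_rules(parse_rules(SAMPLE), "virsh_t", "fusefs_t", "dir", "search")` returns an empty list, which is the situation the thread describes: neither boolean carries a rule for virsh_t on fusefs_t.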
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx