On 06/06/2019 09:43, Ondrej Mosnacek wrote: > On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote: >> hi everyone >> >> I have this: >> >> virt_use_fusefs --> on >> virt_use_glusterd --> on >> >> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch. >> >> When I tell pacemaker to start a virt guest resource with xml config off >> a fuse mounted gluster vol I get a denial and audit2allow sees: >> >> allow virsh_t fusefs_t:dir search; >> >> Should above boolean be all I (pacemaker) need or I'm missing something? > Hm, there seems to be an inconsistency among the virt_use_*fs > booleans. On current Fedora Rawhide: > > $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq > virt_domain > $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq > fsdaemon_t > svirt_sandbox_domain > virsh_t > virt_domain > virtlogd_t > > So, the "virt" in virt_use_nfs has a much wider meaning than the > "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate > this? > Even if I choose more "friendly" location for xml config, eg.: /var/lib/pacemaker/HA-work9-win10.xml I still need this: --- require { type cluster_var_lib_t; type virsh_t; type numad_t; type virtd_lxc_t; class msgq { write }; class msg { send }; class dir search; class file { read open }; } #============= virsh_t ============== allow virsh_t cluster_var_lib_t:dir search; allow virsh_t cluster_var_lib_t:file read; allow virsh_t cluster_var_lib_t:file open; vir #============= numad_t ============== allow numad_t virtd_lxc_t:msgq write; allow numad_t virtd_lxc_t:msg send; --- for pacemaker to be able to start, and that I'm not sure is complete. It would be great have a boolean(s) which would make it all work - pacemaker manage virt domains. many thanks, L.
Attachment:
pEpkey.asc
Description: application/pgp-keys
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx