Re: a boolean which does not work?

On 06/06/2019 09:43, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>> hi everyone
>>
>> I have this:
>>
>> virt_use_fusefs --> on
>> virt_use_glusterd --> on
>>
>> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>
>> When I tell pacemaker to start a virt guest resource with xml config off
>> a fuse mounted gluster vol I get a denial and audit2allow sees:
>>
>> allow virsh_t fusefs_t:dir search;
>>
>> Should the above boolean be all I (pacemaker) need, or am I missing something?
> Hm, there seems to be an inconsistency among the virt_use_*fs
> booleans. On current Fedora Rawhide:
>
> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
> virt_domain
> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
> fsdaemon_t
> svirt_sandbox_domain
> virsh_t
> virt_domain
> virtlogd_t
>
> So, the "virt" in virt_use_nfs has a much wider meaning than the
> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
> this?
>
Even if I choose a more "friendly" location for the xml config, e.g.:
/var/lib/pacemaker/HA-work9-win10.xml

I still need this:

---

require {
  type cluster_var_lib_t;
  type virsh_t;
  type numad_t;
  type virtd_lxc_t;
  class msgq { write };
  class msg { send };
  class dir search;
  class file { read open };
}
 
#============= virsh_t ==============
allow virsh_t cluster_var_lib_t:dir search;
allow virsh_t cluster_var_lib_t:file read;
allow virsh_t cluster_var_lib_t:file open;
#============= numad_t ==============
allow numad_t virtd_lxc_t:msgq write;
allow numad_t virtd_lxc_t:msg send;
---

for pacemaker to be able to start, and I'm not sure that is complete.

It would be great to have a boolean (or booleans) which would make it all work -
pacemaker managing virt domains.

many thanks, L.
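As an added example (not from the thread, and not audit2allow's own code), here is a small Python script that does, on constructed sample records, what the poster's audit2allow run did: collapse AVC denials into allow rules, render the require block, and flag the rules that a boolean reaching only virt_domain cannot cover. The sample audit records and the boolean's source-domain set are assumptions.

```python
import re
from collections import defaultdict
# Fields of an AVC denial record that an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample audit records (not captured from a real host), shaped like
# the virsh_t denials described in the thread; the last one is not a denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1559810000.123:456): avc:  denied  { search } for  pid=1234 comm="virsh" name="gluster" dev="fuse" scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1559810000.124:457): avc:  denied  { search } for  pid=1234 comm="virsh" name="pacemaker" scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1559810000.125:458): avc:  denied  { read } for  pid=1234 comm="virsh" path="/var/lib/pacemaker/HA-work9-win10.xml" scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559810000.126:459): avc:  denied  { open } for  pid=1234 comm="virsh" path="/var/lib/pacemaker/HA-work9-win10.xml" scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1559810000.127:460): pid=1 uid=0 msg='avc: received policyload notice (seqno=3)'
"""

def parse_denials(text):
    """Collapse AVC records into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            src = m.group("sctx").split(":")[2]  # contexts are user:role:TYPE:level
            tgt = m.group("tctx").split(":")[2]
            rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def uncovered(rules, boolean_sources):
    """Rules whose source domain the boolean does not reach. Per the thread,
    virt_use_fusefs reaches only virt_domain, so virsh_t denials stay uncovered."""
    return {k: v for k, v in rules.items() if k[0] not in boolean_sources}

def to_te(rules):
    """Render a require block plus allow rules in audit2allow's layout."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = ["require {"]
    out += [f"  type {t};" for t in sorted(types)]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_te(uncovered(parse_denials(SAMPLE_AUDIT), {"virt_domain"})))
```

On a real host the equivalent is `grep avc /var/log/audit/audit.log | audit2allow -M <name>` followed by `semodule -i`; this script only shows the grouping that produces the module text.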


_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
