On Thu, Jun 6, 2019 at 11:54 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
> On 06/06/2019 09:43, Ondrej Mosnacek wrote:
> > On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
> >> hi everyone
> >>
> >> I have this:
> >>
> >> virt_use_fusefs --> on
> >> virt_use_glusterd --> on
> >>
> >> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
> >>
> >> When I tell pacemaker to start a virt guest resource with xml config off
> >> a fuse mounted gluster vol I get a denial and audit2allow sees:
> >>
> >> allow virsh_t fusefs_t:dir search;
> >>
> >> Should the above boolean be all I (pacemaker) need, or am I missing something?
> > Hm, there seems to be an inconsistency among the virt_use_*fs
> > booleans. On current Fedora Rawhide:
> >
> > $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
> > virt_domain
> > $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
> > fsdaemon_t
> > svirt_sandbox_domain
> > virsh_t
> > virt_domain
> > virtlogd_t
> >
> > So, the "virt" in virt_use_nfs has a much wider meaning than the
> > "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
> > this?
> >
> Not on Centos, nope - virt_use_nfs - does not help either, although it
> seems to cover broadly, I still get:

No, enabling virt_use_nfs won't help you (it allows virt domains to use
NFS, not fusefs). I just pointed out that it covers more source domains
than virt_use_fusefs. I believe this is an oversight and the
virt_use_fusefs boolean should be fixed to cover the same set of source
domains as virt_use_nfs.

Anyway, you should open a bug against selinux-policy on RHEL/Fedora, so
this is tracked and hopefully fixed (please include a link to this
conversation if you do so).
>
> $ semodule -DB
>
> $ ausearch -ts 10:51 | audit2allow
>
> #============= automount_t ==============
> allow automount_t mount_t:process { noatsecure rlimitinh siginh };
>
> #============= glusterd_t ==============
> allow glusterd_t automount_t:fifo_file write;
>
> #============= virsh_t ==============
> allow virsh_t fusefs_t:dir search;
>
> $ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
> rules:
> virsh_t
> virt_domain
> svirt_sandbox_domain
> virtd_t
> virsh_t
> fsdaemon_t
> virt_domain
> virtlogd_t
> virt_domain
> virsh_t
> fsdaemon_t
> virtd_t
> virt_domain
> svirt_sandbox_domain
> virtd_t
> fsdaemon_t
> virtlogd_t
> virtd_t
> svirt_sandbox_domain
> fsdaemon_t
> svirt_sandbox_domain
> virsh_t
> virt_domain
>

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
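The coverage comparison Ondrej does by hand with `sesearch | cut | uniq`, as an added example that is not part of the thread or of selinux-policy: it parses `sesearch -A` output for several booleans and reports which source domains each boolean is missing relative to the others. It assumes the two output layouts quoted above (setools4 rules at column 0 with a `[ bool ]:True` suffix; setools3 with a `Found N semantic av rules:` header and indented rules) and uses constructed sample output modelled on them, not real policy.

```python
import re
from typing import Dict, Set

# One allow rule from `sesearch -A`. Leading whitespace is tolerated because
# setools3 (CentOS 7) indents rules, which is why the thread needed `cut -f 5`
# there and `cut -f 2` on Rawhide. A trailing "[ bool ]:True" is ignored.
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?);")


def source_domains(sesearch_output: str) -> Set[str]:
    """Source types/attributes of all allow rules in one sesearch run.

    Header lines are skipped and duplicates are collapsed even when they are
    not adjacent (plain `uniq`, as used in the thread, only merges neighbours).
    """
    found: Set[str] = set()
    for line in sesearch_output.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def coverage_gap(per_boolean: Dict[str, str]) -> Dict[str, Set[str]]:
    """For each boolean: source domains some other boolean covers but it
    does not. An empty set everywhere means the booleans are consistent."""
    domains = {name: source_domains(out) for name, out in per_boolean.items()}
    union: Set[str] = set().union(*domains.values())
    return {name: union - covered for name, covered in domains.items()}


# Constructed sample output (not captured from a real system), shaped like the
# two layouts quoted in the thread: setools4 for fusefs, setools3 for nfs.
FUSEFS_OUT = """\
allow virt_domain fusefs_t:dir { getattr open read search }; [ virt_use_fusefs ]:True
allow virt_domain fusefs_t:file { open read write }; [ virt_use_fusefs ]:True
"""
NFS_OUT = """\
Found 6 semantic av rules:
   allow virsh_t nfs_t:dir { getattr open read search };
   allow virt_domain nfs_t:file { open read write };
   allow svirt_sandbox_domain nfs_t:dir search;
   allow fsdaemon_t nfs_t:file read;
   allow virtlogd_t nfs_t:file { append open };
   allow virsh_t nfs_t:file { open read };
"""

if __name__ == "__main__":
    gaps = coverage_gap({"virt_use_fusefs": FUSEFS_OUT, "virt_use_nfs": NFS_OUT})
    for boolean, missing in gaps.items():
        print(f"{boolean}: not covered -> {sorted(missing) or 'nothing'}")
```

On a live system the two strings would be replaced by the captured output of `sesearch -A -b <boolean>` for each boolean under comparison.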