On 6/10/19 11:04 AM, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 11:54 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>> On 06/06/2019 09:43, Ondrej Mosnacek wrote:
>>> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>>>> hi everyone
>>>>
>>>> I have this:
>>>>
>>>> virt_use_fusefs --> on
>>>> virt_use_glusterd --> on
>>>>
>>>> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>>>
>>>> When I tell pacemaker to start a virt guest resource with xml config off
>>>> a fuse mounted gluster vol I get a denial and audit2allow sees:
>>>>
>>>> allow virsh_t fusefs_t:dir search;
>>>>
>>>> Should the above boolean be all I (pacemaker) need, or am I missing something?
>>> Hm, there seems to be an inconsistency among the virt_use_*fs
>>> booleans. On current Fedora Rawhide:
>>>
>>> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
>>> virt_domain
>>> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
>>> fsdaemon_t
>>> svirt_sandbox_domain
>>> virsh_t
>>> virt_domain
>>> virtlogd_t
>>>
>>> So, the "virt" in virt_use_nfs has a much wider meaning than the
>>> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
>>> this?
>>>
>> Not on CentOS, nope - virt_use_nfs does not help either, although it
>> seems to cover broadly, I still get:
>
> No, enabling virt_use_nfs won't help you (it allows virt domains to
> use NFS, not fusefs). I just pointed out that it covers more source
> domains than virt_use_fusefs. I believe this is an oversight and the
> virt_use_fusefs boolean should be fixed to cover the same set of
> source domains as virt_use_nfs. Anyway, you should open a bug against
> selinux-policy on RHEL/Fedora, so this is tracked and hopefully fixed
> (please include a link to this conversation if you do so).
>

Agree with Ondrej here, this should be consolidated.

Could you please create a bugzilla ticket?

Thanks,
Lukas.

>>
>> $ semodule -DB
>>
>> $ ausearch -ts 10:51 | audit2allow
>>
>>
>> #============= automount_t ==============
>> allow automount_t mount_t:process { noatsecure rlimitinh siginh };
>>
>> #============= glusterd_t ==============
>> allow glusterd_t automount_t:fifo_file write;
>>
>> #============= virsh_t ==============
>> allow virsh_t fusefs_t:dir search;
>>
>> $ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
>> rules:
>> virsh_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> virsh_t
>> fsdaemon_t
>> virt_domain
>> virtlogd_t
>> virt_domain
>> virsh_t
>> fsdaemon_t
>> virtd_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> fsdaemon_t
>> virtlogd_t
>> virtd_t
>> svirt_sandbox_domain
>> fsdaemon_t
>> svirt_sandbox_domain
>> virsh_t
>> virt_domain
>>
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>
>

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
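The comparison Ondrej ran by hand (which source domains each virt_use_* boolean grants rules to, and whether the denied virsh_t -> fusefs_t access is among them) can be done from sesearch output without relying on `cut` field positions, which differ between the setools 3 output on CentOS 7 (indented, `cut -f 5`) and the setools 4 output on Fedora (`cut -f 2`), and without `uniq`, which only collapses adjacent duplicates and so left the unsorted CentOS listing full of repeats. The script below is an added example written for this thread, not code from the list or from the selinux-policy project; the sesearch output it parses is constructed to mirror the domains reported above and is not real policy output.

```python
"""Compare the source domains granted by SELinux booleans from sesearch text.

Feed it the text of `sesearch -A -b <boolean>` for two booleans and it reports
which source types the second boolean is missing relative to the first, and
whether a given source -> target pair (e.g. a denial seen by audit2allow) is
covered at all.
"""
import re
from collections import Counter

# Matches the allow-rule line of both output styles (assumption: these are the
# only two formats we need to handle):
#   setools 3 (CentOS 7): "   allow virsh_t fusefs_t : dir search ;"
#   setools 4 (Fedora):   "allow virt_domain fusefs_t:dir { getattr search };"
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)")


def source_domains(sesearch_output: str) -> Counter:
    """Count how many allow rules each source type has in the output.

    Unlike `cut | uniq`, this deduplicates globally, not just adjacent lines.
    """
    counts = Counter()
    for line in sesearch_output.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def coverage_gap(reference: str, candidate: str) -> set:
    """Source domains that `reference` grants rules to but `candidate` does not."""
    return set(source_domains(reference)) - set(source_domains(candidate))


def covers(sesearch_output: str, source: str, target: str) -> bool:
    """True if any allow rule in the output has the given source and target type."""
    for line in sesearch_output.splitlines():
        m = ALLOW_RE.match(line)
        if m and m.group(1) == source and m.group(2) == target:
            return True
    return False


# Constructed sample output in setools 3 style, modelled on the domains the
# thread reports for virt_use_nfs and virt_use_fusefs on CentOS 7.
NFS_OUTPUT = """Found 8 semantic av rules:
   allow virsh_t nfs_t : dir { read search } ;
   allow virt_domain nfs_t : file { read write } ;
   allow svirt_sandbox_domain nfs_t : file { read write } ;
   allow virtd_t nfs_t : dir { read search } ;
   allow virsh_t nfs_t : file { read } ;
   allow fsdaemon_t nfs_t : file { read } ;
   allow virtlogd_t nfs_t : file { read write } ;
   allow virt_domain nfs_t : dir { search } ;
"""

FUSEFS_OUTPUT = """Found 2 semantic av rules:
   allow virt_domain fusefs_t : dir { read search } ;
   allow virt_domain fusefs_t : file { read write } ;
"""

if __name__ == "__main__":
    print("virt_use_nfs sources:   ", sorted(source_domains(NFS_OUTPUT)))
    print("virt_use_fusefs sources:", sorted(source_domains(FUSEFS_OUTPUT)))
    print("missing from fusefs:    ", sorted(coverage_gap(NFS_OUTPUT, FUSEFS_OUTPUT)))
    # The denial from the thread: virsh_t searching a fusefs_t directory.
    print("virsh_t -> fusefs_t covered by virt_use_fusefs?",
          covers(FUSEFS_OUTPUT, "virsh_t", "fusefs_t"))
```

On a live system, replace the constructed strings with `subprocess.run(["sesearch", "-A", "-b", name], capture_output=True, text=True).stdout`; the `covers()` check then tells you directly whether flipping a boolean can satisfy the denial audit2allow reported, before you consider writing a local policy module.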