Re: a boolean which does not work?

On 6/10/19 11:04 AM, Ondrej Mosnacek wrote:
> On Thu, Jun 6, 2019 at 11:54 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>> On 06/06/2019 09:43, Ondrej Mosnacek wrote:
>>> On Thu, Jun 6, 2019 at 10:30 AM lejeczek <peljasz@xxxxxxxxxxx> wrote:
>>>> hi everyone
>>>>
>>>> I have this:
>>>>
>>>> virt_use_fusefs --> on
>>>> virt_use_glusterd --> on
>>>>
>>>> on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
>>>>
>>>> When I tell pacemaker to start a virt guest resource with xml config off
>>>> a fuse mounted gluster vol I get a denial and audit2allow sees:
>>>>
>>>> allow virsh_t fusefs_t:dir search;
>>>>
>>>> Should the above boolean be all I (pacemaker) need, or am I missing something?
>>> Hm, there seems to be an inconsistency among the virt_use_*fs
>>> booleans. On current Fedora Rawhide:
>>>
>>> $ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
>>> virt_domain
>>> $ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
>>> fsdaemon_t
>>> svirt_sandbox_domain
>>> virsh_t
>>> virt_domain
>>> virtlogd_t
>>>
>>> So, the "virt" in virt_use_nfs has a much wider meaning than the
>>> "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate
>>> this?
>>>
>> Not on CentOS, nope - virt_use_nfs does not help either, although it
>> seems to cover broadly; I still get:
> 
> No, enabling virt_use_nfs won't help you (it allows virt domains to
> use NFS, not fusefs). I just pointed out that it covers more source
> domains than virt_use_fusefs. I believe this is an oversight and the
> virt_use_fusefs boolean should be fixed to cover the same set of
> source domains as virt_use_nfs. Anyway, you should open a bug against
> selinux-policy on RHEL/Fedora, so this is tracked and hopefully fixed
> (please include a link to this conversation if you do so).
> 

Agree with Ondrej here, this should be consolidated.

Could you please create a Bugzilla ticket?

Thanks,
Lukas.


>>
>> $ semodule -DB
>>
>> $ ausearch -ts 10:51 | audit2allow
>>
>>
>> #============= automount_t ==============
>> allow automount_t mount_t:process { noatsecure rlimitinh siginh };
>>
>> #============= glusterd_t ==============
>> allow glusterd_t automount_t:fifo_file write;
>>
>> #============= virsh_t ==============
>> allow virsh_t fusefs_t:dir search;
>>
>> $ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
>> rules:
>> virsh_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> virsh_t
>> fsdaemon_t
>> virt_domain
>> virtlogd_t
>> virt_domain
>> virsh_t
>> fsdaemon_t
>> virtd_t
>> virt_domain
>> svirt_sandbox_domain
>> virtd_t
>> fsdaemon_t
>> virtlogd_t
>> virtd_t
>> svirt_sandbox_domain
>> fsdaemon_t
>> svirt_sandbox_domain
>> virsh_t
>> virt_domain
>>
>> _______________________________________________
>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
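The thread turns on two checks: which source domains a boolean actually enables (the sesearch | cut | uniq pipelines above), and whether any of those rules would satisfy the denial audit2allow printed (allow virsh_t fusefs_t:dir search). The script below is an added example, not code from the thread or from selinux-policy; it runs offline on constructed text that mimics sesearch output (the virt_use_nfs source-domain list is taken from Ondrej's Rawhide output, the rules themselves are shortened and invented). It parses rules by whitespace field rather than by a fixed cut column, which is why Ondrej's `cut -f 2` (setools 4, rules start with "allow") and lejeczek's `cut -f 5` (setools 3 on CentOS 7, rules indented and preceded by a "Found N semantic av rules:" header, hence the stray "rules:" line) both needed different column numbers. The function names source_types, missing_sources and rule_grants are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the source domains
# two SELinux booleans enable, and check whether a boolean's rules would cover
# a specific AVC denial. Works on text in sesearch's "allow SRC TGT:CLASS ..."
# format; feed real output with e.g. `sesearch -A -b virt_use_fusefs | ...`.
export LC_ALL=C   # sort and comm must agree on collation

# Constructed stand-in for `sesearch -A -b virt_use_fusefs` (setools 4 style,
# permission lists shortened). Only virt_domain appears as a source.
FUSEFS_RULES='allow virt_domain fusefs_t:dir { add_name create getattr open read search write }; [ virt_use_fusefs ]:True
allow virt_domain fusefs_t:file { append create getattr open read write }; [ virt_use_fusefs ]:True'

# Constructed stand-in for `sesearch -A -b virt_use_nfs`; the five source
# domains match the ones listed in the thread. The setools 3 style header and
# indentation are included to show the parser tolerates them.
NFS_RULES='Found 5 semantic av rules:
   allow fsdaemon_t nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
   allow svirt_sandbox_domain nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
   allow virsh_t nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
   allow virt_domain nfs_t:dir { getattr open read search }; [ virt_use_nfs ]:True
   allow virtlogd_t nfs_t:file { append getattr open write }; [ virt_use_nfs ]:True'

# Unique source types of the allow rules read from stdin (field 2 of each
# "allow" line, whatever the indentation), sorted so comm can consume them.
source_types() {
    awk '$1 == "allow" { print $2 }' | sort -u
}

# Source types present in rule set $2 but absent from rule set $1, i.e. the
# domains the second boolean covers that the first one does not.
missing_sources() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | source_types > "$a"
    printf '%s\n' "$2" | source_types > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Exit 0 if some allow rule on stdin grants PERM on CLASS from SRC to TGT.
# Usage: rule_grants SRC TGT CLASS PERM < rules
# Handles both "{ p1 p2 }" and the single-permission "perm;" form; tokens
# after the ";" (the "[ bool ]:True" suffix) are ignored.
rule_grants() {
    awk -v src="$1" -v tgt="$2" -v cls="$3" -v perm="$4" '
        $1 == "allow" && $2 == src && $3 == (tgt ":" cls) {
            for (i = 4; i <= NF; i++) {
                tok = $i
                last = (tok ~ /;$/)
                gsub(/[{};]/, "", tok)
                if (tok == perm) found = 1
                if (last) break
            }
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run: show the gap between the two booleans, then ask whether
# virt_use_fusefs would clear the denial audit2allow reported in the thread.
echo "source domains virt_use_nfs covers but virt_use_fusefs does not:"
missing_sources "$FUSEFS_RULES" "$NFS_RULES"
if printf '%s\n' "$FUSEFS_RULES" | rule_grants virsh_t fusefs_t dir search; then
    echo "virt_use_fusefs grants virsh_t search on fusefs_t dirs"
else
    echo "virt_use_fusefs does NOT grant virsh_t search on fusefs_t dirs (denial stands)"
fi
```

Run against a live system by replacing the constructed strings with `$(sesearch -A -b virt_use_fusefs)` and `$(sesearch -A -b virt_use_nfs)`; the comm output is the list of source domains a consolidated virt_use_fusefs would need to add, and rule_grants with the four fields of an audit2allow line tells you whether flipping a boolean can resolve that denial at all or whether a policy change is required, as in this thread.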


