Re: Looking for users of userfaultfd(2) syscall in Fedora

On Tue, Apr 06, 2021 at 06:57:27PM +0200, Ondrej Mosnacek wrote:
> Hi all,
> 
> Kernel 5.12 added support to SELinux for controlling access to the
> userfaultfd interface [1][2] and we'd like to implement this in
> Fedora's selinux-policy. However, once we add the corresponding class
> to the policy, all SELinux domains for which we don't add the
> appropriate rules will have any usage of userfaultfd(2) denied.
> 
> Therefore, we would like to identify as many users of this syscall as
> possible before we make that change, so that we can add and test all
> the needed rules in one go, minimizing the amount of denials found
> after the fact. My understanding is that userfaultfd(2) doesn't have
> many users among system services, so it should be possible to catch
> most/all of them in advance.
> 
> So if you know that your (or any other) Fedora component uses
> userfaultfd(2), please let us know. AFAIK, at least QEMU most likely
> uses it, so we'll have that one on our radar, but we'd like to know if
> there are any other programs/services we need to cover.

Yes, QEMU uses userfaultfd(2) for its post-copy live migration
feature, so we'll need that allowed in the svirt_t / svirt_tcg_t
types.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|