On Tue, Jun 21, 2022 at 10:42:39AM +0200, Renaud Métrich wrote: > Hi there, > > I'm the BZ reporter. > > I think the safe solution is to provide something similar to what was done > for vmtools: have a context switching to become sort of "unconfined" domain. > > This context switch has to happen only the executor and we already have a > solution, I documented it in the BZ. > > I don't think having an additional boolean is necessary, unless we want to > restrict the commands the guest can execute. If we allow QGA to execute arbitrary commands, running those commands unconfined_t, then what is the point of having any SELinux policy for QGA at all. It can just execute "/bin/sh" or "/bin/perl", passing any script commands it wants, having them run as unconfined_t and thus escape all SELinux confinement of QGA. I didn't realize that we in fact already allowed runing any command labelled bin_t. That already makes the QGA policy useless as a security measure and should be addressed IMHO by putting that existing rul;e behind a boolean, defaulting to disabled. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure