On Tuesday 30 March 2010 10:45:33 am Daniel J Walsh wrote:
> Paul you are suggesting that I write a MLS rule that says
>
> svirt_t:ANYLEVEL can talk to svirt_t:ANYLEVEL over unix domain sockets.
>
> Which would allow
>
> svirt_t:s0 to talk to svirt_t:s1
>
> Which seems very broken to me.

Well, based on the domains that were reported earlier in the thread ...

> # ps -eZ | grep virt
> system_u:system_r:virtd_t:s0-s15:c0.c1023 27344 ?        05:34:47 libvirtd
> system_u:system_r:svirt_t:s0:c1           28549 ?        00:00:01 qemu-kvm

... I think you just need to write policy that allows "virtd_t:ANYLEVEL" and "svirt_t:ANYLEVEL" to communicate; you shouldn't need to allow "svirt_t:ANYLEVEL" to communicate with "svirt_t" since only qemu-kvm is running as "svirt_t" and you are trying to get qemu-kvm and libvirtd to talk.

It is also worth pointing out that you don't need to use MLS constraints that completely disregard the MLS label; you can do some MLS label bounding, e.g. mlsnetwriteranged and mlsnetwritetoclr.

Also, feel free to suggest patches to the unix_socket MLS constraints; I'm not convinced they need to use the existing network socket constraints.

--
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
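To make the "label bounding" point concrete, the following is an added example (not code from the list message, from Paul Moore, or from refpolicy) that evaluates the MLS socket-write constraint branches against the two contexts reported in the thread. It assumes two things: that the constraint has the shape refpolicy's policy/mls gives the socket write constraint, as I recall it (l1 eq l2, or mlsnetwriteranged with the subject's current level inside the object's range, or mlsnetwritetoclr with the object's level inside the subject's range, or the unbounded mlsnetwrite), which you should check against your own policy source; and that a unix socket object carries the range of the process that created it, so libvirtd's socket is s0-s15:c0.c1023 and qemu-kvm's is s0:c1. The 1024-category bound is also an assumption taken from the c0.c1023 clearance shown by ps.

```python
"""Evaluate SELinux MLS socket-write constraint branches for given contexts.

Added example. The constraint shape is modelled on refpolicy's policy/mls
as I recall it; verify against your policy source before relying on it.
"""

import re

MAX_CAT = 1023  # assumption: 1024-category policy, matching c0.c1023 in the thread


def parse_level(text):
    """'s0:c1,c5.c7' -> (0, {1, 5, 6, 7}); 's3' -> (3, set())."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError("bad sensitivity: %r" % sens)
    catset = set()
    for chunk in filter(None, cats.split(",")):
        lo, _, hi = chunk.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        if not 0 <= lo_n <= hi_n <= MAX_CAT:
            raise ValueError("bad category range: %r" % chunk)
        catset.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(catset)


def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level has low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dom(a, b):
    """a dominates b: sensitivity >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def domby(a, b):
    return dom(b, a)


def socket_write_allowed(subject_attrs, subject_range, object_range):
    """Return the constraint branch that permits the write, or None.

    Models (assumed shape, see module docstring):
      ( l1 eq l2 ) or
      (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
      (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
      ( t1 == mlsnetwrite )
    l1/h1 are the subject's low/high level, l2/h2 the object's.
    """
    l1, h1 = subject_range
    l2, h2 = object_range
    if l1 == l2:
        return "l1 eq l2"
    if "mlsnetwriteranged" in subject_attrs and dom(l1, l2) and domby(l1, h2):
        return "mlsnetwriteranged"
    if "mlsnetwritetoclr" in subject_attrs and dom(h1, l2) and domby(l1, l2):
        return "mlsnetwritetoclr"
    if "mlsnetwrite" in subject_attrs:
        return "mlsnetwrite"
    return None


def check(subject_ctx, subject_attrs, object_ctx):
    """Contexts are full user:role:type:range strings as printed by ps -Z."""
    s_range = parse_range(subject_ctx.split(":", 3)[3])
    o_range = parse_range(object_ctx.split(":", 3)[3])
    return socket_write_allowed(set(subject_attrs), s_range, o_range)


# Contexts copied from the ps -eZ output quoted in the message.
LIBVIRTD = "system_u:system_r:virtd_t:s0-s15:c0.c1023"
QEMU = "system_u:system_r:svirt_t:s0:c1"
# Constructed: a hypothetical second guest at s1, Dan's "svirt_t:s1" case.
QEMU_S1 = "system_u:system_r:svirt_t:s1"

if __name__ == "__main__":
    cases = [
        ("libvirtd -> qemu socket, mlsnetwritetoclr", LIBVIRTD, {"mlsnetwritetoclr"}, QEMU),
        ("libvirtd -> qemu socket, mlsnetwriteranged", LIBVIRTD, {"mlsnetwriteranged"}, QEMU),
        ("qemu -> libvirtd socket, mlsnetwriteranged", QEMU, {"mlsnetwriteranged"}, LIBVIRTD),
        ("qemu -> libvirtd socket, mlsnetwritetoclr", QEMU, {"mlsnetwritetoclr"}, LIBVIRTD),
        ("qemu s0:c1 -> qemu s1 socket, both bounded attrs", QEMU,
         {"mlsnetwriteranged", "mlsnetwritetoclr"}, QEMU_S1),
        ("qemu s0:c1 -> qemu s1 socket, unbounded mlsnetwrite", QEMU, {"mlsnetwrite"}, QEMU_S1),
    ]
    for name, subj, attrs, obj in cases:
        print("%-55s %s" % (name, check(subj, attrs, obj) or "denied"))
```

Run stand-alone, the output shows the asymmetry that makes bounding attractive here: libvirtd (range s0-s15:c0.c1023) can write to the s0:c1 socket only via mlsnetwritetoclr, since s0:c1 lies inside its clearance range; qemu-kvm (s0:c1) can write to libvirtd's socket only via mlsnetwriteranged, since s0:c1 lies inside the socket's s0-s15:c0.c1023 range; and with either or both bounded attributes, an svirt_t process at s0:c1 is still denied a write to a socket at s1, which is exactly the s0-to-s1 case Dan objects to. Only the unbounded mlsnetwrite attribute opens that path.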