[refpolicy] [PATCH 5/6] Adding dontaudit for qemu

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
Date: Mon, 23 Apr 2012 08:28:08 -0400	[thread overview]
Message-ID: <4F954AD8.1050104@tresys.com> (raw)
In-Reply-To: <CAPzO=Nx+SrKNu3SDAp_dQn7cfJC3KqukFEbn3HbM63uOWfFz0w@mail.gmail.com>

On 04/21/12 12:12, Sven Vermeulen wrote:
> On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>>> +dontaudit qemu_t self:socket create;
>>
>> I'm more interesting in finding out what kind of socket this is, so we can create an appropriate object class.
> 
> Ok, trying to figure that out now. No luck with just querying though:
> 
> Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
> audit(1335023584.573:457): avc:  granted  { create } for  pid=28083
> comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
> tcontext=staff_u:sysadm_r:qemu_t tclass=socket
> 
> Doesn't give much. An lsof shows:
> 
> # lsof -p 28083
> qemu-syst 28083 swift    8u     unix 0x0000000000000000         0t0
> 80203 socket
> qemu-syst 28083 swift    9u     unix 0x0000000000000000         0t0
> 80204 /tmp/vde.28083-00003
> 
> but I don't know how to find out more about this socket. It is related
> to qemu's VDE networking virtualization (if I drop the "-net
> vde,vlan=0" I don't get the attempt to create a socket) but doesn't
> seem to be necessary.
> 
> /tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
> VDE support sent a while ago)
> 
> If anyone know of a good resource that I can read on debugging
> sockets, I'd love to hear about it.

The audit subsystem's messages might be more useful.  The last time something like this came around, I ended up looking at the code itself.  It shouldn't be too bad to grep through the code for socket() calls and see what the socket domain/type is.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com