virt_use_sysfs

virt_use_sysfs

[Russell Coker]

Does it make sense to not have this enabled by default?  Getting meminfo from 
sysfs seems like a very reasonable and useful thing for a virtualisation 
system to do.  Not allowing that doesn't seem to give any benefit but does 
have potential for serious problems if things even work like that.

#!!!! This avc can be allowed using one of the these booleans:
#     virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;
root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: virt_use_sysfs

[Chris PeBenito]

On 7/17/20 8:20 AM, Russell Coker wrote:
> Does it make sense to not have this enabled by default?  Getting meminfo from
> sysfs seems like a very reasonable and useful thing for a virtualisation
> system to do.  Not allowing that doesn't seem to give any benefit but does
> have potential for serious problems if things even work like that.

Perhaps the answer is to unconditionally allow reading of sysfs instead.  Then 
writes to sysfs would still be conditional and disabled by default.

-- 
Chris PeBenito