* virt_use_sysfs
@ 2020-07-17 12:20 Russell Coker
From: Russell Coker @ 2020-07-17 12:20 UTC (permalink / raw)
To: selinux-refpolicy
Does it make sense to not have this enabled by default? Getting meminfo from
sysfs seems like a very reasonable and useful thing for a virtualisation
system to do. Not allowing that doesn't seem to give any benefit but does
have potential for serious problems if things even work like that.
#!!!! This avc can be allowed using one of the these booleans:
# virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;
root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: virt_use_sysfs
From: Chris PeBenito @ 2020-07-18 12:44 UTC (permalink / raw)
To: Russell Coker, selinux-refpolicy
On 7/17/20 8:20 AM, Russell Coker wrote:
> Does it make sense to not have this enabled by default? Getting meminfo from
> sysfs seems like a very reasonable and useful thing for a virtualisation
> system to do. Not allowing that doesn't seem to give any benefit but does
> have potential for serious problems if things even work like that.
Perhaps the answer is to unconditionally allow reading of sysfs instead. Then
writes to sysfs would still be conditional and disabled by default.
--
Chris PeBenito
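An added illustration of the policy shape Chris describes (sysfs reads always allowed, writes still behind the boolean), written here as a refpolicy-style fragment; it is not the thread's or refpolicy's own code. dev_read_sysfs and dev_rw_sysfs are existing refpolicy interfaces, but applying them directly to svirt_t (rather than inside the svirt domain template) and the boolean's placement are assumptions.

```m4
## <desc>
## <p>
## Allow confined virtual machines (svirt_t) to write to sysfs.
## Read access to sysfs is always permitted.
## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)

# Unconditional: covers qemu reading sysfs attributes such as meminfo and
# max_mem_regions, so the read denials shown in the audit log no longer
# depend on an administrator flipping a boolean. (Assumed placement: the
# svirt domain rules in virt.te.)
dev_read_sysfs(svirt_t)

# Still conditional and off by default: write access to sysfs only when
# the administrator sets virt_use_sysfs=on.
tunable_policy(`virt_use_sysfs',`
	dev_rw_sysfs(svirt_t)
')
```

After loading such a policy, `sesearch -A -s svirt_t -t sysfs_t -c file` (from setools) lists the read rule without a boolean condition and the write rule tagged with virt_use_sysfs, which is the quickest way to confirm the split took effect.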