From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: virt_use_sysfs
Date: Fri, 17 Jul 2020 22:20:32 +1000
Message-ID: <2061951.59CCVTTc8E@liv>

Does it make sense to not have this enabled by default? Getting meminfo from sysfs seems like a very reasonable and useful thing for a virtualisation system to do. Not allowing that doesn't seem to give any benefit but does have potential for serious problems if things even work like that.

#!!!! This avc can be allowed using one of the these booleans:
#     virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;

root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
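As an added example (not Russell's code and not part of refpolicy), the following Python groups the AVC records quoted in the post by source type, target type and object class, collapses the repeated max_mem_regions record into a count, records which sysfs files were denied, and renders the same allow rule the post quotes. The three AVC lines are taken from the post; the trailing SYSCALL line is constructed to show that non-AVC records are skipped.

```python
import re

# Sample input: the three AVC records quoted above plus one constructed SYSCALL record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594988146.701:317651): arch=c000003e syscall=257 success=no exit=-13 comm="qemu-system-x86"
"""

# The fields of an AVC denial that an allow rule is built from.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
NAME_RE = re.compile(r'\bname="([^"]*)"')

def type_of(context):
    """user:role:type[:mls-range] -> type; the category range on svirt_t is optional."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class); repeats collapse into a count."""
    summary = {}
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH, ... records carry no denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "names": set(), "count": 0})
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        name = NAME_RE.search(line)  # which sysfs files were actually touched
        if name:
            entry["names"].add(name.group(1))
    return summary

def to_allow_rules(summary):
    """Render each group as the allow rule the post quotes for it."""
    rules = []
    for (src, tgt, tclass), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        if len(entry["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perms};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

The names set makes it visible that the denial covers exactly meminfo and max_mem_regions, which is what a reviewer needs when deciding whether a boolean such as virt_use_sysfs is the right grant or too broad.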