SELinux-Refpolicy Archive on lore.kernel.org
* virt_use_sysfs
@ 2020-07-17 12:20 Russell Coker
  2020-07-18 12:44 ` virt_use_sysfs Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2020-07-17 12:20 UTC (permalink / raw)
  To: selinux-refpolicy

Does it make sense to not have this enabled by default?  Getting meminfo from 
sysfs seems like a very reasonable and useful thing for a virtualisation 
system to do.  Not allowing that doesn't seem to give any benefit but does 
have potential for serious problems if things even work like that.

#!!!! This avc can be allowed using one of the these booleans:
#     virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;
root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc:  denied  { read } for  
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 
scontext=system_u:system_r:svirt_t:s0:c518,c853 
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
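The three AVC records pasted above collapse into the single `allow svirt_t sysfs_t:file read;` line that audit2allow printed. As an added illustration (not part of the thread, and a simplified reconstruction rather than audit2allow's own code), the following parser extracts the key=value fields from each record, pulls the type out of the source and target contexts, and folds duplicate denials into one TE rule per (source type, target type, class). The sample log is constructed from the records quoted in the message; mapping a rule back to booleans such as virt_use_sysfs needs the compiled policy and is not attempted here.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the message, one per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594988146.629:317649): avc:  denied  { read } for  pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc:  denied  { read } for  pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc:  denied  { read } for  pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { read write } for  key=value ..." -> decision, permission set, trailing fields
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
# key=value pairs; values are either quoted strings or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, value in KV_RE.findall(m.group(3)):
        rec[key] = value.strip('"')
    return rec

def type_of(context):
    """user:role:type[:range] -> type (third field); the MLS/MCS range is ignored."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Collapse denied AVCs into unique TE allow rules, audit2allow-style."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms_by_key[key].update(rec["perms"])  # duplicate records merge here
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        joined = " ".join(sorted(perms))
        joined = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {joined};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)  # allow svirt_t sysfs_t:file read;
```

The `name` field of each parsed record (`meminfo`, `max_mem_regions`) tells you which sysfs files qemu actually touched, which is the detail the collapsed rule throws away.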

* Re: virt_use_sysfs
  2020-07-17 12:20 virt_use_sysfs Russell Coker
@ 2020-07-18 12:44 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2020-07-18 12:44 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 7/17/20 8:20 AM, Russell Coker wrote:
> Does it make sense to not have this enabled by default?  Getting meminfo from
> sysfs seems like a very reasonable and useful thing for a virtualisation
> system to do.  Not allowing that doesn't seem to give any benefit but does
> have potential for serious problems if things even work like that.

Perhaps the answer is to unconditionally allow reading of sysfs instead.  Then 
writes to sysfs would still be conditional and disabled by default.

-- 
Chris PeBenito

