From: "Daniel P. Berrange" <berrange@redhat.com>
To: Paul Moore <paul.moore@hp.com>
Cc: Eric Paris <eparis@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Daniel J Walsh <dwalsh@redhat.com>,
	SELinux <selinux@tycho.nsa.gov>
Subject: Re: svirt on MLS has strange AVC.
Date: Thu, 25 Mar 2010 22:09:38 +0000	[thread overview]
Message-ID: <20100325220938.GB30421@redhat.com> (raw)
In-Reply-To: <201003251806.13943.paul.moore@hp.com>

On Thu, Mar 25, 2010 at 06:06:13PM -0400, Paul Moore wrote:
> On Thursday 25 March 2010 03:02:10 pm Eric Paris wrote:
> > On Thu, 2010-03-25 at 14:17 -0400, Stephen Smalley wrote:
> > > It seems to me that it really should only get the low/current level of
> > > the peer, not the full range, e.g. mls_context_cpy_low(), so that we
> > > don't turn a connection from a ranged subject into a fully ranged
> > > socket?
> 
> This is an interesting question, and you could ask the same of INET 
> connections where you have a ranged client peer label available.  I guess my 
> question is considering that the UNIX socket MLS constraints seem to follow 
> the rest of the MLS constraint conventions (the low half of the range is used 
> as the effective sensitivity label and the high half of the range is used as 
> the cleared sensitivity label) what do you lose with the current 
> implementation?  I haven't thought about it enough to have an opinion yet ...
> 
> > Is that even the best, by itself?  We would still be in the same
> > situation except now we would have a random virtual machine
> > 
> > svirt_t:s3:c156
> > 
> > trying to read/write to a socket with the label:
> > 
> > svirt_t:s0:c0
> > 
> > since libvirtd_t is going to pretty much always be running:
> > 
> > libvirtd_t:s0-s15:c0-1023
> 
> I thought QEMU/KVM was creating the socket and libvirtd was trying to connect 
> to it?  If this is the case wouldn't it be a random virtual machine ...

That is correct, this is the monitor socket created by QEMU, which
libvirtd then connects to.

> 
> 	svirt_t:s3:c156
> 
> ... and a not-so-random libvirtd ...
> 
> 	libvirtd_t:s0-s15:c0-c1023
> 
> ... trying to talk over a UNIX socket which is labeled svirt_t:s0 (on the 
> QEMU/KVM side) and libvirtd_t:s0-s15:c0-c1023 (on the libvirtd side)?  I 
> agree, that could be a little weird on the QEMU/KVM side, but if we use the 
> full MLS range for the child socket we end up with svirt:s0-s15:c0-c1023 on 
> the QEMU/KVM side and libvirtd_t:s0-s15:c0-c1023 on the libvirtd side; you'll 
> probably still need some MLS overrides on the QEMU/KVM side but you could at 
> least do something using the range.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
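The exchange above turns on what the two copy strategies do to the child socket's MLS range and how the resulting labels fare under MLS dominance. The following is an added example, not code from libvirt, the kernel or anyone in the thread: it models MLS levels and ranges just far enough to apply both strategies to the thread's own labels (a VM at svirt_t:s3:c156, libvirtd at libvirtd_t:s0-s15:c0.c1023, where the kernel's "c0.c1023" is the thread's "c0-c1023"). The names cpy_full, cpy_low, can_read, can_write, within_range and monitor_socket_cases are this example's own. cpy_low mirrors what mls_context_cpy_low() does (both ends of the destination range are set to the source's low level). can_read/can_write are an assumed, simplified Bell-LaPadula reading of the refpolicy MLS constraints (read needs the subject's low to dominate the object's low, write needs the object's low to dominate the subject's low); refpolicy's override attributes and class-specific rules are not modelled. within_range is a hypothetical range-aware check included only to show what a full-range socket label makes expressible that a low-only label does not.

```python
"""Model of SELinux MLS ranges for the monitor-socket labelling question.

Added example, not project code. The dominance rules below are a simplified
reading of the refpolicy MLS constraints (assumption); within_range() is a
hypothetical range-aware check, not a refpolicy rule.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dominates(self, other: "Level") -> bool:
        # MLS dominance: sensitivity >= and category set is a superset.
        return self.sens >= other.sens and self.cats >= other.cats


@dataclass(frozen=True)
class MlsRange:
    low: Level   # effective (current) sensitivity
    high: Level  # clearance


def parse_level(text: str) -> Level:
    """Parse 's3:c156', 's15:c0.c1023' or 's0' (kernel category syntax)."""
    sens, _, cat_text = text.partition(":")
    cats = set()
    for part in filter(None, cat_text.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return Level(int(sens[1:]), frozenset(cats))


_RANGE_RE = re.compile(r"^(s\d+(?::[^-]+)?)(?:-(s\d+(?::.+)?))?$")


def parse_range(text: str) -> MlsRange:
    """Parse 'low' or 'low-high'; a single level is a range with low == high."""
    m = _RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad MLS range: {text!r}")
    low = parse_level(m.group(1))
    high = parse_level(m.group(2)) if m.group(2) else low
    if not high.dominates(low):
        raise ValueError(f"high must dominate low: {text!r}")
    return MlsRange(low, high)


def fmt_level(lv: Level) -> str:
    """Render a level, compressing consecutive categories to 'cA.cB'."""
    cats, parts, i = sorted(lv.cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        parts.append(f"c{cats[i]}" if i == j else f"c{cats[i]}.c{cats[j]}")
        i = j + 1
    return f"s{lv.sens}" + (":" + ",".join(parts) if parts else "")


def fmt_range(r: MlsRange) -> str:
    return fmt_level(r.low) if r.low == r.high else f"{fmt_level(r.low)}-{fmt_level(r.high)}"


def cpy_full(src: MlsRange) -> MlsRange:
    """Current behaviour: the child socket inherits the peer's whole range."""
    return MlsRange(src.low, src.high)


def cpy_low(src: MlsRange) -> MlsRange:
    """mls_context_cpy_low() behaviour: low and high both become src.low."""
    return MlsRange(src.low, src.low)


def can_read(subject: MlsRange, obj: MlsRange) -> bool:
    return subject.low.dominates(obj.low)          # read-down allowed (assumed rule)


def can_write(subject: MlsRange, obj: MlsRange) -> bool:
    return obj.low.dominates(subject.low)          # no write-down (assumed rule)


def within_range(level: Level, rng: MlsRange) -> bool:
    """Hypothetical check: does the level sit inside the object's range?"""
    return level.dominates(rng.low) and rng.high.dominates(level)


def monitor_socket_cases() -> dict:
    """Apply both copy strategies to the thread's labels (MLS part only;
    the type of the child socket stays svirt_t in both cases)."""
    vm = parse_range("s3:c156")                 # the VM, svirt_t:s3:c156
    libvirtd = parse_range("s0-s15:c0.c1023")   # libvirtd_t:s0-s15:c0-c1023
    out = {}
    for name, copy in (("low_only", cpy_low), ("full_range", cpy_full)):
        sock = copy(libvirtd)
        out[name] = {
            "socket_label": "svirt_t:" + fmt_range(sock),
            "vm_can_read": can_read(vm, sock),
            "vm_can_write": can_write(vm, sock),
            "vm_level_within_socket_range": within_range(vm.low, sock),
        }
    return out


if __name__ == "__main__":
    for name, result in monitor_socket_cases().items():
        print(name, result)
```

Under the simplified rules the VM at s3:c156 can read from, but not write to, the socket in either case, which is the "weird" situation described above; what the full-range copy buys is that the VM's level falls inside the socket's range (s0 up to s15:c0.c1023), so a range-aware constraint has something to work with, whereas the low-only socket at svirt_t:s0 leaves nothing to express.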

Thread overview: 40+ messages
2010-03-22 21:44 svirt on MLS has strange AVC Daniel J Walsh
2010-03-22 23:47 ` Eric Paris
2010-03-23 11:35   ` Daniel J Walsh
2010-03-23 11:44     ` Daniel P. Berrange
2010-03-25  2:42       ` Eric Paris
2010-03-25  9:45         ` Daniel P. Berrange
2010-03-25 14:02         ` Stephen Smalley
2010-03-25 16:49           ` Paul Moore
2010-03-25 18:00             ` Daniel J Walsh
2010-03-25 18:17               ` Stephen Smalley
2010-03-25 19:02                 ` Eric Paris
2010-03-25 22:06                   ` Paul Moore
2010-03-25 22:09                     ` Daniel P. Berrange [this message]
     [not found]                     ` <1269612002.2980.69.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:54                       ` Paul Moore
2010-03-29 17:06                     ` Eric Paris
2010-03-25 18:06             ` Stephen Smalley
2010-03-25 18:11               ` Daniel J Walsh
2010-03-25 18:19                 ` Stephen Smalley
2010-03-25 18:23                 ` Eric Paris
2010-03-25 18:34                   ` Stephen Smalley
2010-03-25 18:45                     ` Eric Paris
2010-03-25 21:36                       ` Paul Moore
     [not found]                         ` <1269610923.2980.51.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:47                           ` Paul Moore
2010-03-29 18:29                             ` Eric Paris
2010-03-29 17:05                         ` Eric Paris
2010-03-25 18:29                 ` Eric Paris
     [not found] ` <201003291600.06024.paul.moore@hp.com>
     [not found]   ` <4BB20E8D.7030207@redhat.com>
2010-03-30 18:07     ` Paul Moore
2010-03-30 18:20       ` Eric Paris
2010-03-30 18:23         ` Daniel J Walsh
2010-03-30 18:39           ` Paul Moore
2010-03-30 18:56             ` Paul Moore
2010-03-30 19:13               ` Daniel J Walsh
2010-03-30 19:22                 ` Paul Moore
2010-03-30 19:31                   ` Daniel J Walsh
2010-03-30 19:38                     ` Stephen Smalley
     [not found]   ` <1269959533.2941.9.camel@dhcp235-240.rdu.redhat.com>
2010-03-30 18:23     ` Paul Moore
2010-03-30 19:20   ` Stephen Smalley
2010-03-30 20:17     ` Eric Paris
2010-03-30 20:23       ` Stephen Smalley
2010-03-30 20:30       ` Paul Moore
