All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel J Walsh <dwalsh@redhat.com>
To: Eric Paris <eparis@redhat.com>
Cc: Paul Moore <paul.moore@hp.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"Daniel P. Berrange" <berrange@redhat.com>,
	SELinux <selinux@tycho.nsa.gov>,
	Chad Hanson <chanson@TrustedCS.com>
Subject: Re: svirt on MLS has strange AVC.
Date: Tue, 30 Mar 2010 14:23:33 -0400	[thread overview]
Message-ID: <4BB241A5.7090105@redhat.com> (raw)
In-Reply-To: <1269973226.2941.11.camel@dhcp235-240.rdu.redhat.com>

On 03/30/2010 02:20 PM, Eric Paris wrote:
> On Tue, 2010-03-30 at 14:07 -0400, Paul Moore wrote:
>    
>> On Tuesday 30 March 2010 10:45:33 am Daniel J Walsh wrote:
>>      
>>> Paul you are suggesting that I write a MLS rule that says
>>>
>>> svirt_t:ANYLEVEL can talk to svirt_t:ANYLEVEL over unix domain sockets.
>>>
>>> Which would allow
>>>
>>> svirt_t:s0 to talk to svirt_t:s1  Which seems very broken to me.
>>>        
>> Well, based on the domains that were reported earlier in the thread ...
>>
>>      
>>> # ps -eZ | grep virt
>>> system_u:system_r:virtd_t:s0-s15:c0.c1023 27344 ? 05:34:47 libvirtd
>>> system_u:system_r:svirt_t:s0:c1 28549 ?        00:00:01 qemu-kvm
>>>        
>> ... I think you just need to write policy that allows "virtd_t:ANYLEVEL" and
>> "svirtd_t:ANYLEVEL" to communicate; you shouldn't need to allow
>> "svirt_t:ANYLEVEL" to communicate with "svirt_t" since only qemu-kvm is
>> running as "svirt_t" and you are trying to get qemu-kvm and libvirtd to talk.
>>      
> The QEMU/KVM "server child socket" gets labeled svirt_t:s0-s15:c0-c1023
> (type of svirt_t and level of the peer, libvirtd_t)   So svirt_t needs
> to talk to svirt_t.  That's the whole issue.....
>
> -Eric
>
>    
Yes letting svirt_t:level1 talk to libvirt_t:RangecontinaingLevel1 is easy

allowing svirt_t:level1 talk to svirt_t:RangecontainingLevel1 is the problem
Since I end up allowing all svirt_t to talk to all svirt_t, No MLS 
controls at all.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  reply	other threads:[~2010-03-30 18:23 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-03-22 21:44 svirt on MLS has strange AVC Daniel J Walsh
2010-03-22 23:47 ` Eric Paris
2010-03-23 11:35   ` Daniel J Walsh
2010-03-23 11:44     ` Daniel P. Berrange
2010-03-25  2:42       ` Eric Paris
2010-03-25  9:45         ` Daniel P. Berrange
2010-03-25 14:02         ` Stephen Smalley
2010-03-25 16:49           ` Paul Moore
2010-03-25 18:00             ` Daniel J Walsh
2010-03-25 18:17               ` Stephen Smalley
2010-03-25 19:02                 ` Eric Paris
2010-03-25 22:06                   ` Paul Moore
2010-03-25 22:09                     ` Daniel P. Berrange
     [not found]                     ` <1269612002.2980.69.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:54                       ` Paul Moore
2010-03-29 17:06                     ` Eric Paris
2010-03-25 18:06             ` Stephen Smalley
2010-03-25 18:11               ` Daniel J Walsh
2010-03-25 18:19                 ` Stephen Smalley
2010-03-25 18:23                 ` Eric Paris
2010-03-25 18:34                   ` Stephen Smalley
2010-03-25 18:45                     ` Eric Paris
2010-03-25 21:36                       ` Paul Moore
     [not found]                         ` <1269610923.2980.51.camel@dhcp231-113.rdu.redhat.com>
2010-03-26 19:47                           ` Paul Moore
2010-03-29 18:29                             ` Eric Paris
2010-03-29 17:05                         ` Eric Paris
2010-03-25 18:29                 ` Eric Paris
     [not found] ` <201003291600.06024.paul.moore@hp.com>
     [not found]   ` <4BB20E8D.7030207@redhat.com>
2010-03-30 18:07     ` Paul Moore
2010-03-30 18:20       ` Eric Paris
2010-03-30 18:23         ` Daniel J Walsh [this message]
2010-03-30 18:39           ` Paul Moore
2010-03-30 18:56             ` Paul Moore
2010-03-30 19:13               ` Daniel J Walsh
2010-03-30 19:22                 ` Paul Moore
2010-03-30 19:31                   ` Daniel J Walsh
2010-03-30 19:38                     ` Stephen Smalley
     [not found]   ` <1269959533.2941.9.camel@dhcp235-240.rdu.redhat.com>
2010-03-30 18:23     ` Paul Moore
2010-03-30 19:20   ` Stephen Smalley
2010-03-30 20:17     ` Eric Paris
2010-03-30 20:23       ` Stephen Smalley
2010-03-30 20:30       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4BB241A5.7090105@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=berrange@redhat.com \
    --cc=chanson@TrustedCS.com \
    --cc=eparis@redhat.com \
    --cc=paul.moore@hp.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.