hi everyone
I have this:
virt_use_fusefs --> on
virt_use_glusterd --> on
on centos 7.6 with selinux-policy-3.13.1-229.el7_6.12.noarch.
When I tell pacemaker to start a virt guest resource with xml config off a fuse mounted gluster vol I get a denial and audit2allow sees:
allow virsh_t fusefs_t:dir search;
Should the above booleans be all I (pacemaker) need, or am I missing something?
many thanks, L.
On Thu, Jun 6, 2019 at 10:30 AM lejeczek peljasz@yahoo.co.uk wrote:
Hm, there seems to be an inconsistency among the virt_use_*fs booleans. On current Fedora Rawhide:
$ sesearch -A -b virt_use_fusefs | cut -f 2 -d ' ' | uniq
virt_domain
$ sesearch -A -b virt_use_nfs | cut -f 2 -d ' ' | uniq
fsdaemon_t
svirt_sandbox_domain
virsh_t
virt_domain
virtlogd_t
So, the "virt" in virt_use_nfs has a much wider meaning than the "virt" in virt_use_fusefs... @Zdenek/Lukas, should we consolidate this?
On 06/06/2019 09:43, Ondrej Mosnacek wrote:
Not on CentOS, nope - virt_use_nfs does not help either, although it seems to cover broadly. I still get:
$ semodule -DB
$ ausearch -ts 10:51 | audit2allow

#============= automount_t ==============
allow automount_t mount_t:process { noatsecure rlimitinh siginh };

#============= glusterd_t ==============
allow glusterd_t automount_t:fifo_file write;

#============= virsh_t ==============
allow virsh_t fusefs_t:dir search;

$ sesearch -A -b virt_use_nfs | cut -f 5 -d ' ' | uniq
rules:
virsh_t
virt_domain
svirt_sandbox_domain
virtd_t
virsh_t
fsdaemon_t
virt_domain
virtlogd_t
virt_domain
virsh_t
fsdaemon_t
virtd_t
virt_domain
svirt_sandbox_domain
virtd_t
fsdaemon_t
virtlogd_t
virtd_t
svirt_sandbox_domain
fsdaemon_t
svirt_sandbox_domain
virsh_t
virt_domain
On Thu, Jun 6, 2019 at 11:54 AM lejeczek peljasz@yahoo.co.uk wrote:
Not on CentOS, nope - virt_use_nfs does not help either, although it seems to cover broadly. I still get:
No, enabling virt_use_nfs won't help you (it allows virt domains to use NFS, not fusefs). I just pointed out that it covers more source domains than virt_use_fusefs. I believe this is an oversight and the virt_use_fusefs boolean should be fixed to cover the same set of source domains as virt_use_nfs. Anyway, you should open a bug against selinux-policy on RHEL/Fedora, so this is tracked and hopefully fixed (please include a link to this conversation if you do so).
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
On 6/10/19 11:04 AM, Ondrej Mosnacek wrote:
Agree with Ondrej here, this should be consolidated.
Could you please create bugzilla ticket?
Thanks, Lukas.
On 06/06/2019 09:43, Ondrej Mosnacek wrote:
Even if I choose a more "friendly" location for the xml config, e.g. /var/lib/pacemaker/HA-work9-win10.xml,
I still need this:
---
require {
	type cluster_var_lib_t;
	type virsh_t;
	type numad_t;
	type virtd_lxc_t;
	class msgq { write };
	class msg { send };
	class dir search;
	class file { read open };
}

#============= virsh_t ==============
allow virsh_t cluster_var_lib_t:dir search;
allow virsh_t cluster_var_lib_t:file read;
allow virsh_t cluster_var_lib_t:file open;

#============= numad_t ==============
allow numad_t virtd_lxc_t:msgq write;
allow numad_t virtd_lxc_t:msg send;
---
for pacemaker to be able to start, and I'm not sure that is complete.
It would be great to have a boolean (or booleans) which would make it all work: pacemaker managing virt domains.
many thanks, L.
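The following is an added example for this thread, not code from audit2allow, selinux-policy or pacemaker: a small Python reimplementation of the step the thread relies on (raw AVC denials turned into a .te module laid out the way audit2allow prints it), plus, for each denial, the sesearch query to run first so that a denial already covered by a boolean gets the boolean flipped rather than a permanent local allow rule. The AVC lines are constructed to mirror the denials quoted in the thread (virsh_t on fusefs_t and cluster_var_lib_t, numad_t on virtd_lxc_t); the pids, inodes, timestamps and module name are made up, and the comma-separated `-p` syntax assumes setools 4.

```python
"""Turn raw AVC denials into a minimal SELinux .te module plus the sesearch
checks to run before loading it.  Added example for this thread; not the
audit2allow or selinux-policy code."""
import re
from collections import defaultdict

# Constructed sample of `ausearch -m AVC` output.  The field layout follows the
# kernel AVC format; pids, inodes and timestamps are invented.
SAMPLE_AVC = """\
type=AVC msg=audit(1559814600.123:4321): avc:  denied  { search } for  pid=2215 comm="virsh" name="/" dev="fuse" ino=1 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1559814600.456:4322): avc:  denied  { read } for  pid=2215 comm="virsh" name="HA-work9-win10.xml" dev="dm-0" ino=2 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559814600.457:4322): avc:  denied  { open } for  pid=2215 comm="virsh" path="/var/lib/pacemaker/HA-work9-win10.xml" dev="dm-0" ino=2 scontext=system_u:system_r:virsh_t:s0 tcontext=system_u:object_r:cluster_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1559814601.001:4323): avc:  denied  { write } for  pid=900 comm="numad" scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:virtd_lxc_t:s0 tclass=msgq permissive=0
"""

# user:role:TYPE:range -> we only need the type of source and target context.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<src>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<tgt>\w+):\S*\s+"
    r"tclass=(?P<cls>\w+)"
)


def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return denials


def to_te(name, denials):
    """Emit a .te module: require block, then allow rules grouped per source
    domain, in the same layout audit2allow prints."""
    types = sorted({t for (s, tg, _) in denials for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_src = defaultdict(list)
    for (s, tg, cls), perms in sorted(denials.items()):
        by_src[s].append(f"allow {s} {tg}:{cls} {{ {' '.join(sorted(perms))} }};")
    for s, rules in by_src.items():
        out += [f"#============= {s} ==============", *rules, ""]
    return "\n".join(out)


def sesearch_checks(denials):
    """One sesearch per denial.  If it prints a rule conditional on a boolean
    (setools 4 appends '[ bool ]:False'), enable that boolean instead of
    loading a local module that widens the source domain permanently."""
    return [f"sesearch -A -s {s} -t {tg} -c {cls} -p {','.join(sorted(p))}"
            for (s, tg, cls), p in sorted(denials.items())]


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print(to_te("pacemaker_virsh_local", d))
    print("# check for an existing boolean before loading the module:")
    for cmd in sesearch_checks(d):
        print(cmd)
    print("# then: checkmodule -M -m -o m.mod m.te && "
          "semodule_package -o m.pp -m m.mod && semodule -i m.pp")
```

Two things worth keeping in mind when running this against a real audit log: the thread's `semodule -DB` turns off dontaudit rules, so denials that only appear after it (the automount_t and glusterd_t ones above are candidates) may be noise the distribution policy deliberately silences, and `semodule -B` restores the dontaudit rules before you decide what to allow; and a local module granting virsh_t read on cluster_var_lib_t is a permanent widening of virsh_t on every node it is installed on, which is exactly why a distribution boolean, as requested in the thread, is the better fix.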