
Re: [libvirt] I have no idea why the current version of libvirt works for anyone in enforcing mode.



On Fri, Mar 13, 2009 at 09:44:15AM -0400, Daniel J Walsh wrote:
> On 03/13/2009 06:19 AM, Daniel P. Berrange wrote:
> >On Thu, Mar 12, 2009 at 01:39:13PM -0400, Daniel J Walsh wrote:
> >>Libvirt is executing qemu requiring it to execute pulseaudio which would
> >>require the following permissions,
> >>
> >>#============= svirt_t ==============
> >>allow svirt_t admin_home_t:dir setattr;
> >>allow svirt_t admin_home_t:file { read write };
> >>allow svirt_t pulseaudio_port_t:tcp_socket name_connect;
> >>allow svirt_t svirt_tmpfs_t:file read;
> >>allow svirt_t user_tmpfs_t:file read;
> >>
> >>Since qemu(svirt_t) is not allowed these permissions, pulseaudio crashes
> >>and qemu dies.
> >
> >I don't see it crashing - when I run with a guest with a sound device
> >attached, I see the AVC denials, and QEMU just carries on without an
> >active sound backend AFAICT.
> >
> >>I believe you need to run without sound if you are running as root.
> >
> >We can't disable sound unconditionally for root, because not everyone
> >will be using SELinux so it's still valid to allow sound cards. I think
> >the focus has to be on stopping QEMU from crashing. It might actually
> >be an SDL bug, rather than a QEMU bug, because I believe it's SDL that
> >is responsible for opening the sound devices.
> >
> >Daniel
> How about if we check if you are running with svirt then don't execute 
> the code.  Since I do not want to deal with these avc messages.  Either 
> they will happen always and I have to dontaudit them in which case a 
> compromised svirt attacking the /root directory would be dontaudited, or 
> people are going to see avc's all the time.

For that scenario I think it'd be better to make virt-manager prevent
addition of sound hardware, since it's in a position to give feedback
to the user telling them why sound devices aren't allowed.


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
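Dan Walsh's suggestion above is that the sound code be skipped when the process finds itself confined as svirt_t. As an added illustration (not libvirt or QEMU code), this C program reads the process's own SELinux context from /proc/self/attr/current without libselinux, extracts the type field, and reports whether the sound backend should stay disabled; it assumes a Linux kernel with /proc mounted and the svirt_t type name used in this thread.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Copy the type field (third ':'-separated component) of an SELinux
 * context like "system_u:system_r:svirt_t:s0:c12,c34" into buf.
 * Returns false if the string is not a well-formed context. */
bool selinux_context_type(const char *ctx, char *buf, size_t buflen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {      /* skip the user and role fields */
        p = strchr(p, ':');
        if (!p) return false;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= buflen) return false;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return true;
}
/* True when the context's type is the confined guest domain svirt_t. */
bool context_is_svirt(const char *ctx)
{
    char type[64];
    return selinux_context_type(ctx, type, sizeof type) &&
           strcmp(type, "svirt_t") == 0;
}
/* Read this process's own context. Returns false on a kernel without
 * SELinux (the file is absent) or if the context is empty. */
bool read_own_context(char *buf, size_t buflen)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f) return false;
    bool ok = fgets(buf, (int)buflen, f) != NULL;
    fclose(f);
    if (!ok) return false;
    buf[strcspn(buf, "\n")] = '\0';
    return buf[0] != '\0';
}

int main(void)
{
    char ctx[256];
    bool confined = read_own_context(ctx, sizeof ctx) && context_is_svirt(ctx);
    printf("%s\n", confined ? "svirt_t: leave sound backend disabled"
                            : "not svirt_t: sound backend may be opened");
    return 0;
}
```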

