[Ovirt-devel] [PATCH node] ovirt-node-selinux policy: bind-mount all files
Alan Pevec
apevec at redhat.com
Tue Dec 16 23:02:42 UTC 2008
The default policy doesn't allow file types in the security_file_type attribute
to be mounted, e.g. shadow_t for /etc/shadow:
allow $1 { file_type -security_file_type }:file mounton;
This blocks file bind-mounts from the /config partition for config files in
that set.
By allowing all file mounts, the security risk is not really increased;
for example, /etc/shadow could be bypassed anyway by mounting /etc/passwd.
---
ovirt-node-selinux.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/ovirt-node-selinux.te b/ovirt-node-selinux.te
index a53d3de..327c231 100644
--- a/ovirt-node-selinux.te
+++ b/ovirt-node-selinux.te
@@ -1,8 +1,14 @@
module ovirt 1.0.0;
require {
type fixed_disk_device_t;
+ attribute file_type;
+ type mount_t;
type qemu_t;
class blk_file { ioctl getattr setattr read write };
+ class file mounton;
}
# Give qemu_t access to any block device
allow qemu_t fixed_disk_device_t:blk_file { ioctl getattr setattr read write };
+# allow any file to be bindmounted (for /config)
+allow mount_t file_type:file mounton;
+
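Review bot: `allow mount_t file_type:file mounton;` grants mount_t mounton on every type carrying the file_type attribute, which is far wider than the stated need; the commit message names shadow_t as the blocked case, so list the types of the files actually bind-mounted from /config (e.g. `allow mount_t shadow_t:file mounton;` with `type shadow_t;` in the require block instead of `attribute file_type;`) and the comment `# allow any file to be bindmounted (for /config)` should then name those types. Two smaller points in the same hunk: the final `+` line adds a stray blank line at end of file, and `module ovirt 1.0.0;` is left unbumped although the module gains new rules.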
--
1.6.0.4
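The commit message above turns on how an SELinux type-set expression such as `{ file_type -security_file_type }` expands: the reference-policy rule excludes the security_file_type types from mounton, and the patch's `allow mount_t file_type:file mounton;` re-admits exactly those. The following is an added example, not code from the oVirt patch or project: it parses a simple `allow` rule, expands the target type set against a small constructed type-to-attribute table (a handful of refpolicy-style type names chosen for illustration, not the real policy database), and reports which types newly gain mounton when the two rules are compared.

```python
"""
Added example (not part of the oVirt patch): expand SELinux type-set
expressions to compare the reference-policy mounton rule with the
unrestricted rule from the patch.
"""
import re

# Constructed subset of type -> attributes for illustration only; the real
# policy has thousands of types and many more attributes.
TYPE_ATTRS = {
    "shadow_t": {"file_type", "security_file_type"},
    "selinux_config_t": {"file_type", "security_file_type"},
    "passwd_file_t": {"file_type"},
    "etc_t": {"file_type"},
    "user_home_t": {"file_type"},
    "fixed_disk_device_t": {"device_node"},  # a blk_file type, not a file_type
}

REFPOLICY_RULE = "allow mount_t { file_type -security_file_type }:file mounton;"
PATCH_RULE = "allow mount_t file_type:file mounton;"

# allow <src> <target-set> : <class> <perm-set> ;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;"
)


def resolve(name):
    """A bare name is either a concrete type or an attribute naming a set."""
    if name in TYPE_ATTRS:
        return {name}
    return {t for t, attrs in TYPE_ATTRS.items() if name in attrs}


def expand_type_set(expr):
    """Expand `name` or `{ a b -c }` into concrete types.

    Inside braces each token adds the types it names; a leading `-`
    subtracts them, which is how refpolicy writes file_type minus the
    security-sensitive subset.
    """
    expr = expr.strip()
    tokens = expr[1:-1].split() if expr.startswith("{") else [expr]
    included, excluded = set(), set()
    for tok in tokens:
        target = excluded if tok.startswith("-") else included
        target.update(resolve(tok.lstrip("-")))
    return included - excluded


def parse_allow(rule):
    """Return (source, expanded target types, class, permission set)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    src, tgt, cls, perms = m.groups()
    return src, expand_type_set(tgt), cls, set(perms.strip("{} ").split())


def mounton_targets(rule):
    """Types on which the rule lets its source domain mount a file."""
    _src, targets, cls, perms = parse_allow(rule)
    if cls != "file" or "mounton" not in perms:
        return set()
    return targets


def newly_allowed(before, after):
    """Types that gain file:mounton when `after` is added next to `before`."""
    return mounton_targets(after) - mounton_targets(before)


if __name__ == "__main__":
    print("refpolicy allows mounton on:", sorted(mounton_targets(REFPOLICY_RULE)))
    print("patch additionally allows:", sorted(newly_allowed(REFPOLICY_RULE, PATCH_RULE)))
```

Against the constructed table, the set difference in the reference rule leaves shadow_t and selinux_config_t out, and the patch's attribute-wide rule is what re-admits precisely those two; a rule naming only the /config files' types would show up here as a one-element difference instead.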