Skip to content

Commit

Permalink
Allow virtqemud directly read and write to a fixed disk
Browse files Browse the repository at this point in the history 
The commit addresses the following AVC denial example:
type=PROCTITLE msg=audit(10/02/2024 02:45:53.305:559) : proctitle=/usr/sbin/virtqemud --timeout 120
type=PATH msg=audit(10/02/2024 02:45:53.305:559) : item=1 name=/dev/sda inode=6 dev=00:28 mode=block,640 ouid=root ogid=root rdev=08:00 obj=system_u:object_r:tmpfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/02/2024 02:45:53.305:559) : item=0 name=/dev/ inode=1 dev=00:28 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/02/2024 02:45:53.305:559) : arch=x86_64 syscall=mknodat success=yes exit=0 a0=AT_FDCWD a1=0x7f0f7c0b4710 a2=0660 a3=0x800 items=2 ppid=6153 pid=6377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(10/02/2024 02:45:53.305:559) : avc:  denied  { create } for  pid=6377 comm=rpc-virtqemud name=sda scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1

Resolves: RHEL-61235
  • Loading branch information
@zpytela
zpytela committed Dec 10, 2024
1 parent d8e698e commit a7cd758
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions policy/modules/contrib/virt.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2246,6 +2246,8 @@ init_stream_connect_script(virtqemud_t)

selinux_compute_create_context(virtqemud_t)

storage_rw_inherited_fixed_disk_dev(virtqemud_t)

sysnet_exec_ifconfig(virtqemud_t)
sysnet_manage_config(virtqemud_t)

Expand Down

0 comments on commit a7cd758

Please sign in to comment.