From a7cd758e4a22ee03ad3542f9e44f98e0afd1bb8e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 10 Dec 2024 22:42:30 +0100
Subject: [PATCH] Allow virtqemud directly read and write to a fixed disk

The commit addresses the following AVC denial example:
type=PROCTITLE msg=audit(10/02/2024 02:45:53.305:559) : proctitle=/usr/sbin/virtqemud --timeout 120
type=PATH msg=audit(10/02/2024 02:45:53.305:559) : item=1 name=/dev/sda inode=6 dev=00:28 mode=block,640 ouid=root ogid=root rdev=08:00 obj=system_u:object_r:tmpfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/02/2024 02:45:53.305:559) : item=0 name=/dev/ inode=1 dev=00:28 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/02/2024 02:45:53.305:559) : arch=x86_64 syscall=mknodat success=yes exit=0 a0=AT_FDCWD a1=0x7f0f7c0b4710 a2=0660 a3=0x800 items=2 ppid=6153 pid=6377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(10/02/2024 02:45:53.305:559) : avc: denied { create } for pid=6377 comm=rpc-virtqemud name=sda scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=blk_file permissive=1

Resolves: RHEL-61235
---
 policy/modules/contrib/virt.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fafac8340..dd9f50111e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -2246,6 +2246,8 @@ init_stream_connect_script(virtqemud_t)
 selinux_compute_create_context(virtqemud_t)
+storage_rw_inherited_fixed_disk_dev(virtqemud_t)
+
 sysnet_exec_ifconfig(virtqemud_t)
 sysnet_manage_config(virtqemud_t)
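Review bot: The added `storage_rw_inherited_fixed_disk_dev(virtqemud_t)` grants read/write on already-open fixed_disk_device_t block files, but the AVC quoted in the description is a denied `create` of a `blk_file` with tcontext `tmpfs_t` (a mknodat of /dev/sda under a tmpfs-backed /dev), which this rule does not cover, so either the quoted denial does not match the change or a follow-up denial will appear once this one is resolved. If the intended access really is only through descriptors inherited from the caller, the rw_inherited variant is the right least-privilege choice because it does not grant `open` on the device, and the description should then quote the matching read/write denial instead. Granting `create` of device nodes in tmpfs would be a materially broader permission and deserves its own rule and review rather than being implied by this one. A one-line comment above the rule, `# virtqemud only uses fixed disk devices already opened by its caller (RHEL-61235)`, would record why the inherited-only interface was chosen so a later maintainer does not widen it to a full raw read/write interface without cause.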