2020-07-17 12:22:45

by Russell Coker

Subject: virt_use_sysfs

Does it make sense to not have this enabled by default? Getting meminfo from
sysfs seems like a very reasonable and useful thing for a virtualisation
system to do. Not allowing that doesn't seem to give any benefit but does
have potential for serious problems if things even work like that.

#!!!! This avc can be allowed using one of the these booleans:
# virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;
root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for
pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161
scontext=system_u:system_r:svirt_t:s0:c518,c853
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2020-07-18 12:44:38

by Chris PeBenito

Subject: Re: virt_use_sysfs

On 7/17/20 8:20 AM, Russell Coker wrote:
> Does it make sense to not have this enabled by default? Getting meminfo from
> sysfs seems like a very reasonable and useful thing for a virtualisation
> system to do. Not allowing that doesn't seem to give any benefit but does
> have potential for serious problems if things even work like that.

Perhaps the answer is to unconditionally allow reading of sysfs instead. Then
writes to sysfs would still be conditional and disabled by default.

--
Chris PeBenito
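The AVC records quoted in Russell's message and the read-versus-write split Chris proposes lend themselves to a small triage script. The following is an added example, not code from either poster or from the SELinux reference policy: it parses audit.log AVC lines, groups denials by source type, target type, class and permission, and sorts svirt_t accesses to sysfs_t into "read" and "write" buckets so an administrator can see which denials Chris's proposal (reads allowed unconditionally, writes still behind the boolean) would cover. The first three sample lines are the ones quoted in the thread, rejoined onto single lines as audit.log stores them; the `write` denial and the `SYSCALL` line are constructed, and the `WRITE_LIKE` permission set is this example's own heuristic, not a policy definition.

```python
import re
from collections import Counter

# Constructed sample log. Lines 1-3 are the AVC records quoted in the thread,
# rejoined onto single lines; line 4 is a CONSTRUCTED write denial (not from the
# thread) so the read/write split is visible; line 5 is a constructed non-AVC
# record to show that unrelated audit types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988200.000:317652): avc: denied { write } for pid=430606 comm="qemu-system-x86" name="constructed_write_target" dev="sysfs" ino=99999 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594988146.629:317649): arch=c000003e syscall=257 success=no exit=-13
"""

# Heuristic (this example's own, not a policy definition): permissions that
# modify the target. Anything else is treated as a read-like access.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_avc(line):
    """Parse one audit.log line. Returns a dict for an AVC denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}', line)
    if not m:
        return None
    # key=value tokens; quoted values keep spaces, unquoted ones run to whitespace.
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "perms": tuple(m.group(1).split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        # user:role:type:level -> type is the third field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def classify(rec):
    """Label a denial 'write' if any requested permission modifies the object, else 'read'."""
    return "write" if set(rec["perms"]) & WRITE_LIKE else "read"


def summarize(log_text):
    """Count denials by (source type, target type, class, perms, access kind).

    Repeated denials such as the two max_mem_regions reads collapse into one key
    with a count, which is the view needed when deciding on a policy change."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        counts[(rec["stype"], rec["ttype"], rec["tclass"],
                " ".join(rec["perms"]), classify(rec))] += 1
    return counts


def svirt_sysfs_access(log_text):
    """Split svirt_t -> sysfs_t denials into the buckets the thread's proposal
    turns on: reads (to be allowed unconditionally) and writes (to stay behind
    a boolean). Each object name appears once, in order of first appearance."""
    buckets = {"read": {}, "write": {}}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["stype"] == "svirt_t" and rec["ttype"] == "sysfs_t":
            buckets[classify(rec)].setdefault(rec["name"], None)
    return {kind: list(names) for kind, names in buckets.items()}


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]}:{key[2]} {{ {key[3]} }} [{key[4]}]")
    for kind, names in svirt_sysfs_access(SAMPLE_AUDIT_LOG).items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Run against a real `/var/log/audit/audit.log` by replacing `SAMPLE_AUDIT_LOG` with the file's contents; the "read" bucket lists the sysfs objects a read-only allow rule would cover, while anything in the "write" bucket would still need the boolean under Chris's proposal.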