From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: virt_use_sysfs
Date: Fri, 17 Jul 2020 22:20:32 +1000
Message-ID: <2061951.59CCVTTc8E@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Does it make sense to not have this enabled by default? Getting meminfo from sysfs seems like a very reasonable and useful thing for a virtualisation system to do. Not allowing that doesn't seem to give any benefit but does have potential for serious problems if things even work like that.

#!!!! This avc can be allowed using one of the these booleans:
#     virt_use_sysfs, virt_use_usb
allow svirt_t sysfs_t:file read;

root@sevm:~/pol# setsebool ^C
root@sevm:~/pol# grep sysfs_t /var/log/audit/audit.log
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
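As an added example, not part of Russell's message or of the refpolicy project: a small Python script that parses AVC records of the form shown above, groups the denials by source type, target type, object class and permission, and renders each group as the TE allow rule that audit2allow would print for it. The first three sample lines are the denials quoted in the message; the fourth is a constructed line (a hypothetical `search` denial on a `sysfs_t` directory) added so that the grouping is visible. The rule rendering only imitates audit2allow's output format; it does not consult the loaded policy, so unlike audit2allow it cannot tell you which boolean (such as virt_use_sysfs) would already permit the access.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample audit records. Lines 1-3 are the AVC denials quoted in the message
# above (whitespace as extracted); line 4 is constructed for this example and
# did not appear in the message.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594988146.629:317649): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="meminfo" dev="sysfs" ino=1777 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317650): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988146.701:317651): avc: denied { read } for pid=430606 comm="qemu-system-x86" name="max_mem_regions" dev="sysfs" ino=28161 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594988200.000:317700): avc: denied { search } for pid=430606 comm="qemu-system-x86" name="vhost" dev="sysfs" ino=31000 scontext=system_u:system_r:svirt_t:s0:c518,c853 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set,
# then a run of key=value fields. Real audit.log lines use double spaces in
# places; \s+ accepts either spacing.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx: str) -> str:
    """Return the type component of user:role:type[:level], dropping MLS/MCS."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: (q if q else u) for k, q, u in KV_RE.findall(m.group("rest"))}
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(fields)
    rec["stype"] = context_type(str(fields.get("scontext", "")))
    rec["ttype"] = context_type(str(fields.get("tcontext", "")))
    return rec


def summarize(log: str) -> Counter:
    """Count denials keyed by (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:  # type: ignore[union-attr]
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def allow_rules(counts: Counter) -> List[str]:
    """Render each (source, target, class) group as an audit2allow-style TE rule."""
    grouped: Dict[tuple, set] = {}
    for stype, ttype, tclass, perm in counts:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT_LOG)
    for key, n in sorted(counts.items()):
        print(f"{n:4d}  {key[0]} -> {key[1]}:{key[2]} {key[3]}")
    for rule in allow_rules(counts):
        print(rule)
```

Run it against a real file with `summarize(open("/var/log/audit/audit.log").read())`; the grouped counts are what you want to look at before deciding between flipping a boolean such as virt_use_sysfs and writing a local module, since a handful of `read` denials on a few sysfs files is a different situation from a domain being denied across a whole class.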