From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 23 Apr 2012 08:28:08 -0400
Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
In-Reply-To:
References: <20120322200229.GA3387@siphos.be> <20120322200931.GF3387@siphos.be> <4F91C329.1000909@tresys.com>
Message-ID: <4F954AD8.1050104@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/21/12 12:12, Sven Vermeulen wrote:
> On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
> wrote:
>>> +dontaudit qemu_t self:socket create;
>>
>> I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.
>
> Ok, trying to figure that out now. No luck with just querying though:
>
> Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
> audit(1335023584.573:457): avc: granted { create } for pid=28083
> comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
> tcontext=staff_u:sysadm_r:qemu_t tclass=socket
>
> Doesn't give much. An lsof shows:
>
> # lsof -p 28083
> qemu-syst 28083 swift 8u unix 0x0000000000000000 0t0
> 80203 socket
> qemu-syst 28083 swift 9u unix 0x0000000000000000 0t0
> 80204 /tmp/vde.28083-00003
>
> but I don't know how to find out more about this socket. It is related
> to qemu's VDE networking virtualization (if I drop the "-net
> vde,vlan=0" I don't get the attempt to create a socket) but doesn't
> seem to be necessary.
>
> /tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
> VDE support sent a while ago)
>
> If anyone knows of a good resource that I can read on debugging
> sockets, I'd love to hear about it.

The audit subsystem's messages might be more useful. The last time something like this came around, I ended up looking at the code itself. It shouldn't be too bad to grep through the code for socket() calls and see what the socket domain/type is.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
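Added example, not part of the thread and not refpolicy or qemu code: instead of grepping the source for socket() calls as Chris suggests, the same information can be captured at runtime with `strace -f -e trace=socket,socketpair -o qemu.strace qemu-system-x86 ...` and then mapped to the object class the kernel assigns in socket_type_to_security_class(). That mapping is what decides whether an AVC says `unix_dgram_socket`, `tcp_socket`, or the generic `socket` class seen above: any family the kernel has no dedicated class for falls back to `socket`. The script below reimplements that mapping for the common families of 3.x-era kernels only (an assumption; the real table is longer), and the trace it runs on is constructed for illustration, not Sven's actual qemu trace; the Bluetooth line exists only to exercise the fallback.

```shell
#!/bin/sh
# Hypothetical helper (added example): map the arguments strace shows for
# socket()/socketpair() to the SELinux object class the kernel would assign.
# Families and protocols not listed here fall back to the generic "socket"
# class, which is exactly the case that produces tclass=socket in an AVC.
selinux_socket_class() {
    sc_family=$1
    sc_type=$2
    sc_proto=${3:-0}
    case "$sc_family" in
        AF_UNIX|PF_UNIX|AF_LOCAL|PF_LOCAL|AF_FILE|PF_FILE)
            case "$sc_type" in
                SOCK_STREAM|SOCK_SEQPACKET) echo unix_stream_socket ;;
                SOCK_DGRAM)                 echo unix_dgram_socket ;;
                *)                          echo socket ;;
            esac ;;
        AF_INET|PF_INET|AF_INET6|PF_INET6)
            case "$sc_type" in
                SOCK_STREAM)
                    case "$sc_proto" in
                        0|IPPROTO_IP|IPPROTO_TCP) echo tcp_socket ;;
                        *)                        echo rawip_socket ;;
                    esac ;;
                SOCK_DGRAM)
                    case "$sc_proto" in
                        0|IPPROTO_IP|IPPROTO_UDP) echo udp_socket ;;
                        *)                        echo rawip_socket ;;
                    esac ;;
                SOCK_DCCP) echo dccp_socket ;;
                *)         echo rawip_socket ;;
            esac ;;
        AF_NETLINK|PF_NETLINK)
            case "$sc_proto" in
                NETLINK_ROUTE)          echo netlink_route_socket ;;
                NETLINK_AUDIT)          echo netlink_audit_socket ;;
                NETLINK_KOBJECT_UEVENT) echo netlink_kobject_uevent_socket ;;
                *)                      echo netlink_socket ;;
            esac ;;
        AF_PACKET|PF_PACKET) echo packet_socket ;;
        AF_KEY|PF_KEY)       echo key_socket ;;
        *)                   echo socket ;;   # no dedicated class: generic fallback
    esac
}

# Read "strace -f" output on stdin and print one line per socket()/socketpair()
# call: "<pid> <family> <type> <protocol> <selinux class>". Handles both the
# "PID syscall(...)" layout of -o files and the "[pid N] syscall(...)" layout
# printed to a terminal; lines without a pid prefix get "-" as pid.
classify_strace() {
    while IFS= read -r line; do
        case "$line" in
            *"socket("*|*"socketpair("*) ;;
            *) continue ;;
        esac
        pid=$(printf '%s' "${line%%socket*}" | tr -dc '0-9')
        [ -n "$pid" ] || pid='-'
        args=${line#*"("}      # drop everything up to the opening parenthesis
        args=${args%%")"*}     # keep the argument list only
        IFS=', ' read -r family type proto rest <<EOF
$args
EOF
        base_type=${type%%|*}  # strip SOCK_CLOEXEC / SOCK_NONBLOCK flags
        proto=${proto:-0}
        printf '%s %s %s %s %s\n' "$pid" "$family" "$base_type" "$proto" \
            "$(selinux_socket_class "$family" "$base_type" "$proto")"
    done
}

# Constructed sample trace (not a real qemu capture). The Bluetooth socket is
# invented purely to show how an unmapped family lands in the generic class.
SAMPLE_TRACE='28083 socket(PF_FILE, SOCK_STREAM, 0) = 8
28083 connect(8, {sa_family=AF_FILE, path="/tmp/vde.ctl/ctl"}, 110) = 0
28083 socket(PF_FILE, SOCK_DGRAM, 0) = 9
28083 bind(9, {sa_family=AF_FILE, path="/tmp/vde.28083-00003"}, 110) = 0
28083 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 10
28083 socket(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_L2CAP) = 11
[pid 28084] socketpair(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC, 0, [12, 13]) = 0'

printf '%s\n' "$SAMPLE_TRACE" | classify_strace
```

On a real system, run the traced process with `strace -f -e trace=socket,socketpair -o qemu.strace qemu-system-x86 -net vde,vlan=0 ...` and feed the file to `classify_strace < qemu.strace`; any line whose last column is `socket` is a candidate for the generic-class AVC in the thread, and its family and type are what a new object class (or a corrected rule) would need to name.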