Re: [Qemu-devel] QEMU fstatfs(2) and libvirt SELinux policy

From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] QEMU fstatfs(2) and libvirt SELinux policy
Date: Fri, 9 Mar 2012 15:19:56 +0000
On Fri, Mar 9, 2012 at 3:11 PM, Laine Stump <address@hidden> wrote:
> On 03/09/2012 09:16 AM, Jiri Denemark wrote:
>> Hi.
>>
>> On Fri, Mar 09, 2012 at 11:32:47 +0000, Stefan Hajnoczi wrote:
>> ...
>>> #include <sys/vfs.h>   /* struct statfs and fstatfs(2) */
>>>
>>> static __inline__ int platform_test_xfs_fd(int fd)
>>> {
>>>     struct statfs buf;
>>>     if (fstatfs(fd, &buf) < 0)
>>>         return 0;       /* any fstatfs failure is reported as "not XFS" */
>>>     return (buf.f_type == 0x58465342); /* XFSB */
>>> }
>>>
>>> In other words, XFS detection will fail when SELinux is enabled.
>>>
>>> I'm not familiar with libvirt's use of SELinux. Can someone explain
>>> if we need to expand the policy in libvirt and how to do that?
>> Actually, there is no SELinux policy in libvirt. Libvirt merely uses an
>> appropriate security context when running qemu processes. The rules what such
>> processes can do and what they are forbidden to do are described in SELinux
>> policy which is provided as a separate package (or packages on some distros).
>> So it's this policy (selinux-policy package on Fedora based distros) which
>> would need to be expanded. Thus it should be negotiated with SELinux policy
>> maintainers if they are willing to allow svirt_t domain calling fstatfs.
>
> (Also, since the problem occurs on NFS, this may need to be somehow
> related to virt_use_nfs being turned on.)
No, this XFS situation is independent of NFS. It's another codepath
in QEMU where fstatfs(2) is called, I found it this morning.
Stefan
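The detection routine quoted above collapses every fstatfs(2) failure, including an SELinux denial, into "not XFS". The following is an added example, not QEMU or xfsprogs code, of the same probe written so that a policy denial (EACCES/EPERM) is reported separately from a non-XFS filesystem; the enum and function names are the example's own.

```c
/* Added example: XFS detection via fstatfs(2) that keeps an SELinux denial
 * distinguishable from "not XFS". Not code from QEMU or xfsprogs. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/vfs.h>
#include <unistd.h>

#define XFS_MAGIC 0x58465342 /* "XFSB", the f_type value from the quoted snippet */

enum xfs_probe { XFS_PROBE_YES, XFS_PROBE_NO, XFS_PROBE_DENIED, XFS_PROBE_ERROR };

/* Pure classifier so the decision can be tested without a real descriptor:
 * rc and err are fstatfs(2)'s return value and errno, f_type its reported type. */
enum xfs_probe classify_fstatfs(int rc, int err, long f_type)
{
    if (rc < 0) {
        /* A policy denial surfaces as EACCES or EPERM; anything else (EBADF,
         * ENOSYS, ...) is a different failure. Neither means "not XFS". */
        return (err == EACCES || err == EPERM) ? XFS_PROBE_DENIED : XFS_PROBE_ERROR;
    }
    return f_type == XFS_MAGIC ? XFS_PROBE_YES : XFS_PROBE_NO;
}

enum xfs_probe probe_xfs_fd(int fd)
{
    struct statfs buf;
    int rc = fstatfs(fd, &buf);
    return classify_fstatfs(rc, rc < 0 ? errno : 0, rc < 0 ? 0 : (long)buf.f_type);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    int fd = open(path, O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    switch (probe_xfs_fd(fd)) {
    case XFS_PROBE_YES:    puts("XFS"); break;
    case XFS_PROBE_NO:     puts("not XFS"); break;
    case XFS_PROBE_DENIED: puts("fstatfs denied: check the audit log for an AVC record"); break;
    default:               printf("fstatfs failed: %s\n", strerror(errno)); break;
    }
    close(fd);
    return 0;
}
```

Run it as the confined process (or on the path QEMU opens) to tell a filesystem that really is not XFS apart from a denial that the selinux-policy maintainers would need to allow for svirt_t.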