xen, selinux, FC5

Robin Bowes robin-lists at robinbowes.com
Fri Oct 13 16:25:03 UTC 2006


Stephen Smalley wrote:
> On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
>> Stephen Smalley wrote:
>>> The assertion is to prevent accidental granting of read access to a
>>> raw disk device.  Is that truly required here?
>> Probably - the root disk of the guest O/S instance is an lvm partition,
>> e.g. /dev/vg01/lv_guest
>>
>>> To allow it, you need to use the interface for it, e.g.
>>> storage_raw_read_fixed_disk(xm_t). That interface is defined in
>>> kernel/storage.if. In addition to allowing the permission, it adds a
>>> type attribute to the type that excludes from the assertion.
>> So, what would that look like in the policy file?
> 
> If you build using the devel makefile (e.g. make
> -f /usr/share/selinux/devel/Makefile or copy it over to where you are
> working on your module), then you can use the interface as I described,
> i.e. just put
> 	storage_raw_read_fixed_disk(xm_t)
> in your .te file.
> 
> That Makefile will pull in the headers and expand it properly.
> Should handle the checkmodule and semodule_package side of things,
> leaving you with just running semodule -i to install it once built.

I'm actually doing this:

Use audit2allow to identify AVC denied msgs:

  audit2allow -M local -l -i /var/log/audit/audit.log

Copy the contents of the local.te file produced by the command to xen.te

Compile and install the policy like this:

export SEAPP=xen
checkmodule -M -m -o ${SEAPP}.mod ${SEAPP}.te
semodule_package -o ${SEAPP}.pp -m ${SEAPP}.mod
semodule -i ${SEAPP}.pp

Will "storage_raw_read_fixed_disk(xm_t)" fit into the class/type/role
format used in the .te files? Or do I need to do something different?

Thanks for your help with this.

R.
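As an added illustration (not code from either poster), here is what the module source looks like when the interface call replaces the raw allow rules, together with the two build paths: the raw checkmodule/semodule_package pipeline from the message above only compiles raw statements, while an interface is an m4 macro that the refpolicy devel Makefile must expand first. The module name xen_local and the macro-detection regex are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: a module source that uses the
# storage_raw_read_fixed_disk() interface, plus the build path it needs.
# checkmodule(8) only understands raw statements (allow/type/role ...); an
# interface is an m4 macro that the refpolicy devel Makefile expands first.
set -eu

# Emit the .te source for module "$1". policy_module() and the require block
# are refpolicy conventions; audit2allow's raw "module local 1.0;" header
# is not used here. (xen_local is an assumed module name.)
write_te() {
cat <<EOF
policy_module($1, 1.0)

require {
    type xm_t;
}

# Defined in kernel/storage.if: allows reading fixed_disk_device_t and
# tags xm_t with the attribute that exempts it from the neverallow
# assertion on raw disk reads.
storage_raw_read_fixed_disk(xm_t)
EOF
}

# Exit 0 when the source contains a macro call such as name(arg, ...),
# which the raw checkmodule/semodule_package pipeline cannot compile.
# The regex is a heuristic of my own, not an SELinux tool feature.
needs_refpolicy_build() {
    grep -Eq '^[a-z_]+\([a-z0-9_., ]+\)' "$1"
}

# Build "$1.te" with the matching toolchain and install the result.
# The Makefile path assumes the selinux-policy-devel package is installed.
build_and_install() {
    if needs_refpolicy_build "$1.te"; then
        make -f /usr/share/selinux/devel/Makefile "$1.pp"
    else
        checkmodule -M -m -o "$1.mod" "$1.te"
        semodule_package -o "$1.pp" -m "$1.mod"
    fi
    semodule -i "$1.pp"
}

# Usage (not run here): write_te xen_local > xen_local.te && build_and_install xen_local
```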
