[Libvirt-cim] SELinux support in libvirt-cim
Eduardo Lima (Etrunko)
eblima at linux.vnet.ibm.com
Fri Feb 17 13:53:45 UTC 2012
On 02/16/2012 02:36 PM, Sharad Mishra wrote:
>>
>> Hi,
>>
>> In order to add support for selinux in libvirt-cim, I created the
>> following policy -
>>
>>
>> ***********************************************
>> module mypolicy 1.0;
>>
>> require {
>>     type pegasus_var_run_t;
>>     type pegasus_t;
>>     class sock_file write;
>>     class unix_stream_socket connectto;
>> }
>>
>> #============= pegasus_t ==============
>> allow pegasus_t pegasus_var_run_t:sock_file write;
>> allow pegasus_t self:unix_stream_socket connectto;
>>
>> *****************************************
>>
>> To create this policy -
>>
>> 1. Turn on selinux in permissive mode
>>
>> # sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: enforcing
>> Policy version: 24
>> Policy from config file: targeted
>>
>> 2. Verified that /var/log/audit/audit.log was empty
>>
>> 3. Ran entire cimtest suite
>>
>> 4. Ran 'audit2allow -M newpolicy < /var/log/audit/audit.log'
>>
>> I am not familiar with selinux. Is this the right approach? Did I miss
>> anything?
>>
Hi Sharad,
SELinux is indeed something I don't even know how to get wrong.
Sorry. Maybe others can help.
Best regards, Eduardo
--
Eduardo de Barros Lima
Software Engineer, Open Virtualization
Linux Technology Center - IBM/Brazil
eblima at br.ibm.com