[Virtio-fs] What did I miss / SELinux avcs needed for virtiofs root.

Harry G. Coin hgcoin at gmail.com
Fri Dec 18 17:06:31 UTC 2020


Below is the roster of avc / SELinux corrections needed to have a
virtiofs root on Fedora 33.  There has got to be an easier way.  Any ideas?

I installed Fedora Workstation 33 to a qcow2 file.  Then, in the VM, I
mounted an empty virtiofs backed by an xattr-enabled host directory in tmp,
did a cp -a of /, /home and /boot to the virtiofs, added files to dracut to
build an initramfs that permitted mounting root on the default kernel, and a
script to generate a link with an unchanging name to the latest kernel
in /boot for easy direct kernel booting in the VM.  Then I booted and
rebooted, each time running 'audit2allow -a -M fileX;semodule -i
fileX.pp;reboot', until no new AVCs were recorded during the boot process.

Initially I had to add init=/bin/bash to the command line because there
were so many AVCs the system wouldn't boot.  The following are enough to
get to a console prompt and a GUI login without throwing further AVCs.
Obviously it's unlabeled_t that's at issue.  This is with the

(fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))

in place.  Did I miss a mount option?  This shouldn't have been so hard,
I feel like I must have missed something.  What?

----


# audit2allow output collected over repeated boots (see the description
# above: 'audit2allow -a -M fileX;semodule -i fileX.pp;reboot' until no new
# AVCs appeared).  All but four of the rules below grant a system domain
# some access to unlabeled_t, i.e. to objects whose security context the
# policy could not determine.  Such rules do not fix the labeling problem
# the author identifies; they widen each listed domain's reach to every
# object on the virtiofs root that ended up without a label.
# NOTE(review): presumably the copied tree lost or never exposed its
# security.selinux xattrs through virtiofs despite the cp -a and the
# fsuse xattr line; a relabel of the virtiofs root (or confirming the
# xattrs are visible from the guest) is the thing to verify before
# installing any of these allows.
#
# The four rules that do not name unlabeled_t are marked individually
# below; they look unrelated to the labeling issue and should be confirmed
# on their own.

#============= NetworkManager_t ==============

allow NetworkManager_t unlabeled_t:file { map rename unlink write };

allow NetworkManager_t unlabeled_t:lnk_file read;

allow NetworkManager_t unlabeled_t:sock_file write;

#============= abrt_dump_oops_t ==============

allow abrt_dump_oops_t unlabeled_t:sock_file write;

#============= abrt_t ==============

allow abrt_t unlabeled_t:dir { add_name read remove_name write };

allow abrt_t unlabeled_t:file { create map open read };

allow abrt_t unlabeled_t:lnk_file create;

allow abrt_t unlabeled_t:sock_file write;

#============= accountsd_t ==============

allow accountsd_t unlabeled_t:file { getattr map open read rename
setattr unlink write };

allow accountsd_t unlabeled_t:sock_file write;

#============= alsa_t ==============

allow alsa_t unlabeled_t:file { getattr map open read rename unlink write };

#============= auditd_t ==============

allow auditd_t unlabeled_t:file { getattr map open read };

allow auditd_t unlabeled_t:sock_file write;

#============= avahi_t ==============

allow avahi_t unlabeled_t:file { getattr map open read };

allow avahi_t unlabeled_t:sock_file write;

#============= chkpwd_t ==============

allow chkpwd_t unlabeled_t:file { getattr map open read };

allow chkpwd_t unlabeled_t:sock_file write;

#============= chronyc_t ==============

allow chronyc_t unlabeled_t:file map;

#============= chronyd_t ==============

# Not an unlabeled_t rule: initrc_var_run_t is a real label, so this denial
# is not explained by the missing-label problem — confirm separately.
allow chronyd_t initrc_var_run_t:file read;

allow chronyd_t unlabeled_t:file { getattr map open read rename unlink
write };

allow chronyd_t unlabeled_t:lnk_file read;

allow chronyd_t unlabeled_t:sock_file write;

#============= colord_t ==============

allow colord_t unlabeled_t:file { getattr map open read };

allow colord_t unlabeled_t:sock_file write;

#============= cupsd_t ==============

allow cupsd_t unlabeled_t:file { getattr map open read rename setattr
unlink write };

allow cupsd_t unlabeled_t:lnk_file read;

allow cupsd_t unlabeled_t:sock_file write;

#============= firewalld_t ==============

allow firewalld_t unlabeled_t:file { getattr map open read };

allow firewalld_t unlabeled_t:sock_file write;

#============= fprintd_t ==============

allow fprintd_t unlabeled_t:file { getattr map open read };

#============= geoclue_t ==============

allow geoclue_t unlabeled_t:file { getattr map open read };

allow geoclue_t unlabeled_t:lnk_file read;

#============= getty_t ==============

allow getty_t unlabeled_t:file read;

allow getty_t unlabeled_t:sock_file write;

#============= gssproxy_t ==============

allow gssproxy_t unlabeled_t:file { getattr map open read };

allow gssproxy_t unlabeled_t:lnk_file read;

allow gssproxy_t unlabeled_t:sock_file unlink;

#============= init_t ==============

allow init_t unlabeled_t:dir { add_name remove_name rmdir };

allow init_t unlabeled_t:file { map rename setattr unlink write };

allow init_t unlabeled_t:sock_file write;

#============= iptables_t ==============

allow iptables_t unlabeled_t:file { getattr map open read };

#============= iscsid_t ==============

allow iscsid_t unlabeled_t:file { getattr map open read };

#============= kernel_t ==============

# Not an unlabeled_t rule, and the only process-class rule in the set: it
# permits a domain transition from kernel_t to unconfined_t.  This is a
# different kind of grant from the file/dir/sock_file rules around it;
# NOTE(review): looks like an early-boot artifact of the custom
# initramfs/root setup rather than a labeling denial — confirm it is
# genuinely required before installing it.
allow kernel_t unconfined_t:process transition;

#============= local_login_t ==============

allow local_login_t unlabeled_t:file read;

allow local_login_t unlabeled_t:sock_file write;

#============= logrotate_t ==============

allow logrotate_t unlabeled_t:file { open read write };

allow logrotate_t unlabeled_t:sock_file write;

#============= mandb_t ==============

allow mandb_t unlabeled_t:file { open read unlink write };

#============= mcelog_t ==============

allow mcelog_t unlabeled_t:file { getattr map open read };

allow mcelog_t unlabeled_t:sock_file write;

#============= modemmanager_t ==============

allow modemmanager_t unlabeled_t:file { getattr map open read };

#============= named_t ==============

allow named_t unlabeled_t:file { open write };

#============= nfsd_t ==============

allow nfsd_t unlabeled_t:file map;

#============= pcscd_t ==============

allow pcscd_t unlabeled_t:file { getattr map open read };

#============= plymouthd_t ==============

allow plymouthd_t unlabeled_t:file { getattr map open read };

#============= policykit_auth_t ==============

allow policykit_auth_t unlabeled_t:file { getattr map open read };

allow policykit_auth_t unlabeled_t:sock_file write;

#============= policykit_t ==============

allow policykit_t unlabeled_t:file { getattr map open read };

allow policykit_t unlabeled_t:sock_file write;

#============= rngd_t ==============

allow rngd_t unlabeled_t:file { getattr map open read };

#============= rpcd_t ==============

allow rpcd_t unlabeled_t:file { getattr map open read };

#============= rtkit_daemon_t ==============

allow rtkit_daemon_t unlabeled_t:file { getattr map open read };


allow rtkit_daemon_t unlabeled_t:sock_file write;

#============= sssd_t ==============

# Not an unlabeled_t rule: init_var_run_t is a real label — confirm
# separately from the labeling issue.
allow sssd_t init_var_run_t:dir read;

allow sssd_t unlabeled_t:file { getattr lock map open read setattr
unlink write };

allow sssd_t unlabeled_t:lnk_file { read unlink };

allow sssd_t unlabeled_t:sock_file { getattr setattr unlink write };

#============= system_dbusd_t ==============

allow system_dbusd_t unlabeled_t:file { getattr map open };

#============= systemd_gpt_generator_t ==============

allow systemd_gpt_generator_t unlabeled_t:file read;

#============= systemd_hostnamed_t ==============

allow systemd_hostnamed_t unlabeled_t:file { getattr map open read };

#============= systemd_localed_t ==============

allow systemd_localed_t unlabeled_t:file { getattr map open read };

#============= systemd_logind_t ==============

allow systemd_logind_t unlabeled_t:file { getattr map open read };

allow systemd_logind_t unlabeled_t:sock_file write;

#============= systemd_resolved_t ==============

allow systemd_resolved_t unlabeled_t:file { getattr map open read };

allow systemd_resolved_t unlabeled_t:lnk_file read;


allow systemd_resolved_t unlabeled_t:sock_file write;

#============= systemd_tmpfiles_t ==============


allow systemd_tmpfiles_t unlabeled_t:file map;

#============= systemd_userdbd_t ==============


allow systemd_userdbd_t unlabeled_t:file { getattr map open read };


allow systemd_userdbd_t unlabeled_t:sock_file write;

#============= vdagent_t ==============


allow vdagent_t unlabeled_t:file { getattr map open read };

#============= virt_qemu_ga_t ==============


# Not an unlabeled_t rule: a service-class status check on
# power_unit_file_t — confirm separately from the labeling issue.
allow virt_qemu_ga_t power_unit_file_t:service status;


allow virt_qemu_ga_t unlabeled_t:file { getattr map open read };

#============= xdm_t ==============


allow xdm_t unlabeled_t:file { getattr map open read rename unlink write };


allow xdm_t unlabeled_t:lnk_file read;


allow xdm_t unlabeled_t:sock_file write;






