[Virtio-fs] What did I miss / SELinux avcs needed for virtiofs root.

Daniel Walsh dwalsh at redhat.com
Mon Dec 21 20:08:19 UTC 2020


On 12/18/20 12:06, Harry G. Coin wrote:
> Below is the roster of avc / SELinux corrections needed to have a
> virtiofs root on Fedora 33.  There has got to be an easier way.  Any ideas?
>
> I installed Fedora workstation 33 to a qcow2 file.  Then in the VM
> mounted an empty virtiofs backed by an xattr-enabled host in tmp, did a cp
> -a /, /home and /boot to the virtio fs, added files to dracut to build
> an initramfs that permitted root mounting on the default kernel, and a
> script to generate a link to the latest kernel with an unchanging name
> in /boot for easy direct kernel booting in the VM.  Then I booted and
> rebooted each time doing 'audit2allow -a -M fileX;semodule -i
> fileX.pp;reboot' until there were no new AVCs recorded in the boot process.
>
> Initially I had to add init=/bin/bash to the command line; there were so
> many AVCs the system wouldn't boot.  The following are enough to get
> to a console prompt in a GUI login without throwing further AVCs.
> Obviously it's the 'unlabeled_t' that's at issue.  This is with the
>
> (fsuse xattr virtiofs (system_u object_r fs_t ((s0) (s0))))
>
> in place.  Did I miss a mount option?  This shouldn't have been so hard,
> I feel like I must have missed something.  What?
>
> ----
>
>
> #============= NetworkManager_t ==============
>
> allow NetworkManager_t unlabeled_t:file { map rename unlink write };
>
> allow NetworkManager_t unlabeled_t:lnk_file read;
>
> allow NetworkManager_t unlabeled_t:sock_file write;
>
> #============= abrt_dump_oops_t ==============
>
> allow abrt_dump_oops_t unlabeled_t:sock_file write;
>
> #============= abrt_t ==============
>
> allow abrt_t unlabeled_t:dir { add_name read remove_name write };
>
> allow abrt_t unlabeled_t:file { create map open read };
>
> allow abrt_t unlabeled_t:lnk_file create;
>
> allow abrt_t unlabeled_t:sock_file write;
>
> #============= accountsd_t ==============
>
> allow accountsd_t unlabeled_t:file { getattr map open read rename setattr unlink write };
>
> allow accountsd_t unlabeled_t:sock_file write;
>
> #============= alsa_t ==============
>
> allow alsa_t unlabeled_t:file { getattr map open read rename unlink write };
>
> #============= auditd_t ==============
>
> allow auditd_t unlabeled_t:file { getattr map open read };
>
> allow auditd_t unlabeled_t:sock_file write;
>
> #============= avahi_t ==============
>
> allow avahi_t unlabeled_t:file { getattr map open read };
>
> allow avahi_t unlabeled_t:sock_file write;
>
> #============= chkpwd_t ==============
>
> allow chkpwd_t unlabeled_t:file { getattr map open read };
>
> allow chkpwd_t unlabeled_t:sock_file write;
>
> #============= chronyc_t ==============
>
> allow chronyc_t unlabeled_t:file map;
>
> #============= chronyd_t ==============
>
> allow chronyd_t initrc_var_run_t:file read;
>
> allow chronyd_t unlabeled_t:file { getattr map open read rename unlink write };
>
> allow chronyd_t unlabeled_t:lnk_file read;
>
> allow chronyd_t unlabeled_t:sock_file write;
>
> #============= colord_t ==============
>
> allow colord_t unlabeled_t:file { getattr map open read };
>
> allow colord_t unlabeled_t:sock_file write;
>
> #============= cupsd_t ==============
>
> allow cupsd_t unlabeled_t:file { getattr map open read rename setattr unlink write };
>
> allow cupsd_t unlabeled_t:lnk_file read;
>
> allow cupsd_t unlabeled_t:sock_file write;
>
> #============= firewalld_t ==============
>
> allow firewalld_t unlabeled_t:file { getattr map open read };
>
> allow firewalld_t unlabeled_t:sock_file write;
>
> #============= fprintd_t ==============
>
> allow fprintd_t unlabeled_t:file { getattr map open read };
>
> #============= geoclue_t ==============
>
> allow geoclue_t unlabeled_t:file { getattr map open read };
>
> allow geoclue_t unlabeled_t:lnk_file read;
>
> #============= getty_t ==============
>
> allow getty_t unlabeled_t:file read;
>
> allow getty_t unlabeled_t:sock_file write;
>
> #============= gssproxy_t ==============
>
> allow gssproxy_t unlabeled_t:file { getattr map open read };
>
> allow gssproxy_t unlabeled_t:lnk_file read;
>
> allow gssproxy_t unlabeled_t:sock_file unlink;
>
> #============= init_t ==============
>
> allow init_t unlabeled_t:dir { add_name remove_name rmdir };
>
> allow init_t unlabeled_t:file { map rename setattr unlink write };
>
> allow init_t unlabeled_t:sock_file write;
>
> #============= iptables_t ==============
>
> allow iptables_t unlabeled_t:file { getattr map open read };
>
> #============= iscsid_t ==============
>
> allow iscsid_t unlabeled_t:file { getattr map open read };
>
> #============= kernel_t ==============
>
> allow kernel_t unconfined_t:process transition;
>
> #============= local_login_t ==============
>
> allow local_login_t unlabeled_t:file read;
>
> allow local_login_t unlabeled_t:sock_file write;
>
> #============= logrotate_t ==============
>
> allow logrotate_t unlabeled_t:file { open read write };
>
> allow logrotate_t unlabeled_t:sock_file write;
>
> #============= mandb_t ==============
>
> allow mandb_t unlabeled_t:file { open read unlink write };
>
> #============= mcelog_t ==============
>
> allow mcelog_t unlabeled_t:file { getattr map open read };
>
> allow mcelog_t unlabeled_t:sock_file write;
>
> #============= modemmanager_t ==============
>
> allow modemmanager_t unlabeled_t:file { getattr map open read };
>
> #============= named_t ==============
>
> allow named_t unlabeled_t:file { open write };
>
> #============= nfsd_t ==============
>
> allow nfsd_t unlabeled_t:file map;
>
> #============= pcscd_t ==============
>
> allow pcscd_t unlabeled_t:file { getattr map open read };
>
> #============= plymouthd_t ==============
>
> allow plymouthd_t unlabeled_t:file { getattr map open read };
>
> #============= policykit_auth_t ==============
>
> allow policykit_auth_t unlabeled_t:file { getattr map open read };
>
> allow policykit_auth_t unlabeled_t:sock_file write;
>
> #============= policykit_t ==============
>
> allow policykit_t unlabeled_t:file { getattr map open read };
>
> allow policykit_t unlabeled_t:sock_file write;
>
> #============= rngd_t ==============
>
> allow rngd_t unlabeled_t:file { getattr map open read };
>
> #============= rpcd_t ==============
>
> allow rpcd_t unlabeled_t:file { getattr map open read };
>
> #============= rtkit_daemon_t ==============
>
> allow rtkit_daemon_t unlabeled_t:file { getattr map open read };
>
>
> allow rtkit_daemon_t unlabeled_t:sock_file write;
>
> #============= sssd_t ==============
>
> allow sssd_t init_var_run_t:dir read;
>
> allow sssd_t unlabeled_t:file { getattr lock map open read setattr unlink write };
>
> allow sssd_t unlabeled_t:lnk_file { read unlink };
>
> allow sssd_t unlabeled_t:sock_file { getattr setattr unlink write };
>
> #============= system_dbusd_t ==============
>
> allow system_dbusd_t unlabeled_t:file { getattr map open };
>
> #============= systemd_gpt_generator_t ==============
>
> allow systemd_gpt_generator_t unlabeled_t:file read;
>
> #============= systemd_hostnamed_t ==============
>
> allow systemd_hostnamed_t unlabeled_t:file { getattr map open read };
>
> #============= systemd_localed_t ==============
>
> allow systemd_localed_t unlabeled_t:file { getattr map open read };
>
> #============= systemd_logind_t ==============
>
> allow systemd_logind_t unlabeled_t:file { getattr map open read };
>
> allow systemd_logind_t unlabeled_t:sock_file write;
>
> #============= systemd_resolved_t ==============
>
> allow systemd_resolved_t unlabeled_t:file { getattr map open read };
>
> allow systemd_resolved_t unlabeled_t:lnk_file read;
>
>
> allow systemd_resolved_t unlabeled_t:sock_file write;
>
> #============= systemd_tmpfiles_t ==============
>
>
> allow systemd_tmpfiles_t unlabeled_t:file map;
>
> #============= systemd_userdbd_t ==============
>
>
> allow systemd_userdbd_t unlabeled_t:file { getattr map open read };
>
>
> allow systemd_userdbd_t unlabeled_t:sock_file write;
>
> #============= vdagent_t ==============
>
>
> allow vdagent_t unlabeled_t:file { getattr map open read };
>
> #============= virt_qemu_ga_t ==============
>
>
> allow virt_qemu_ga_t power_unit_file_t:service status;
>
>
> allow virt_qemu_ga_t unlabeled_t:file { getattr map open read };
>
> #============= xdm_t ==============
>
>
> allow xdm_t unlabeled_t:file { getattr map open read rename unlink write };
>
>
> allow xdm_t unlabeled_t:lnk_file read;
>
>
> allow xdm_t unlabeled_t:sock_file write;
>

The problem is the image has no label associated with it, so that it is 
treated as unlabeled_t.

From the AVCs I am seeing, it looks like the /run directory is part of the
image?  If so you should be mounting a tmpfs on /run and not using
virtio for this activity.
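The iterate-audit2allow-until-quiet loop above ends up granting dozens of domains write access to unlabeled_t, which is the symptom Dan points at rather than a fix. As an added example (not code from this thread or from the SELinux tooling), the script below parses allow rules in the shape the quoted module uses and reports which domains the module would let read or modify unlabeled_t, so a generated .te can be triaged as a labeling problem before anyone runs semodule -i on it. The embedded sample is a few rules copied from the quoted module; the MUTATING permission set is an assumption of mine, not a policy definition.

```python
import re
from collections import defaultdict

# Matches  allow <src> <tgt>:<class> perm;  or  allow <src> <tgt>:<class> { perms };
# [^}]* spans newlines, so a brace block wrapped across lines (as in quoted mail) still parses.
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

# Permissions that let a domain change an object (assumed list, not exhaustive).
MUTATING = {"write", "append", "create", "unlink", "rename", "setattr",
            "add_name", "remove_name", "rmdir", "relabelfrom", "relabelto"}

def parse_allow_rules(te_text):
    """Return [(source, target, class, frozenset(perms))]; '#' comments are dropped."""
    stripped = "\n".join(l.split("#", 1)[0] for l in te_text.splitlines())
    rules = []
    for src, tgt, cls, multi, single in ALLOW_RE.findall(stripped):
        rules.append((src, tgt, cls, frozenset((multi or single).split())))
    return rules

def summarize_unlabeled(rules, target="unlabeled_t"):
    """Group permissions on `target` as {source_domain: {class: set(perms)}}."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for src, tgt, cls, perms in rules:
        if tgt == target:
            by_domain[src][cls] |= perms
    return {d: dict(c) for d, c in by_domain.items()}

def domains_with_write_access(rules, target="unlabeled_t"):
    """Sorted domains the module would let modify objects labeled `target`."""
    return sorted({src for src, tgt, _, perms in rules
                   if tgt == target and perms & MUTATING})

# Constructed sample: a few rules copied from the module quoted in the thread.
SAMPLE_TE = """#============= NetworkManager_t ==============
allow NetworkManager_t unlabeled_t:file { map rename unlink write };
allow NetworkManager_t unlabeled_t:lnk_file read;
#============= chronyd_t ==============
allow chronyd_t initrc_var_run_t:file read;
allow chronyd_t unlabeled_t:file { getattr map open read rename unlink
write };
#============= kernel_t ==============
allow kernel_t unconfined_t:process transition;
"""

if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_TE)
    print(summarize_unlabeled(rules))
    print("domains that could modify unlabeled_t:", domains_with_write_access(rules))
```

Run it against the full fileX.te from the loop above to see how much of the system the module would open up; a non-empty list from domains_with_write_access is the signal to fix labeling (or move /run to tmpfs) instead of loading the module.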
