[refpolicy] kernel_devices.patch
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 7 08:23:59 CDT 2010
On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
>>
>> vhost_device_t added for libvirt/qemu
>>
>> /dev/usbmon device added
>>
>> Added default label for /sys so libvirt could relabel to it.
>
> I don't understand this. There should be no files labeled sysfs_t,
> except for the entries created by the kernel on the fs itself, which get
> the right label already.
>
>> lots of new interfaces.
>
> Otherwise merged.
>
libvirt currently does the equivalent of

    chcon svirt_t:MCS1 DEVICE
    Run QEMU
    restorecon DEVICE

If /sys is <<none>> then it does not have a label to change the context
back to, and leaves the context with a label of svirt_t:MCS1. If it later
picks svirt_t:MCS1 for a different image, this /sys device is vulnerable.
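As an added illustration of the failure mode described in the message above (this is example code, not code from the thread, from libvirt or from refpolicy), the Python script below models a matchpathcon-style lookup over a constructed file_contexts table and walks a device through the chcon / run guest / restorecon sequence. It shows why a path whose default context is <<none>> keeps the guest's svirt_t label after cleanup, and adds the pre-check a management daemon would want before relabeling at all. The table entries, the usbmon_device_t type name, the device paths and the MCS categories are constructed sample values; the svirt_t:MCS form of the guest label follows the message.

```python
import re

# Constructed, simplified file_contexts table (regex, default context).
# As in real file_contexts, regexes match the whole path and the LAST matching
# entry wins, which is why the generic /dev/.* entry comes first.
# "<<none>>" follows the file_contexts convention: the path matches, but
# restorecon has no context to apply and leaves the current label alone.
FILE_CONTEXTS = [
    (r"/dev/.*",           "system_u:object_r:device_t:s0"),
    (r"/dev/vhost-net",    "system_u:object_r:vhost_device_t:s0"),
    (r"/dev/usbmon[0-9]*", "system_u:object_r:usbmon_device_t:s0"),  # assumed type name
    (r"/sys(/.*)?",        "<<none>>"),
]


def default_context(path):
    """matchpathcon-style lookup: last full-path regex match wins, None if no match."""
    winner = None
    for pattern, ctx in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            winner = ctx
    return winner


def can_restore(path):
    """Pre-check: True only if restorecon would have a default context to put back."""
    ctx = default_context(path)
    return ctx is not None and ctx != "<<none>>"


class LabelStore:
    """In-memory stand-in for the filesystem's security xattrs."""

    def __init__(self, initial):
        self.labels = dict(initial)

    def chcon(self, path, ctx):
        self.labels[path] = ctx

    def restorecon(self, path):
        """Reset path to its default context; returns False if there is none."""
        if not can_restore(path):
            return False
        self.labels[path] = default_context(path)
        return True


def guest_label(category):
    """The dynamic guest label used in the message: svirt_t with an MCS category set."""
    return "system_u:object_r:svirt_t:s0:" + category


def run_guest(store, path, category):
    """The sequence from the message: chcon to the guest label, run the guest,
    restorecon afterwards. Returns the label the device carries after cleanup."""
    store.chcon(path, guest_label(category))
    # ... QEMU would run here with the svirt_t:<category> label ...
    store.restorecon(path)
    return store.labels[path]


def leaked_labels(store, category):
    """Paths still carrying a guest's label after cleanup. A later guest that is
    assigned the same category could access them, which is the hazard described."""
    return sorted(p for p, ctx in store.labels.items() if ctx == guest_label(category))


if __name__ == "__main__":
    # Constructed starting labels: a vhost device and a kernel-created sysfs entry.
    store = LabelStore({
        "/dev/vhost-net": "system_u:object_r:vhost_device_t:s0",
        "/sys/devices/virtual/net/eth0": "system_u:object_r:sysfs_t:s0",
    })
    for dev in ("/dev/vhost-net", "/sys/devices/virtual/net/eth0"):
        print(dev, "restorable:", can_restore(dev),
              "after guest:", run_guest(store, dev, "c10,c20"))
    print("leaked:", leaked_labels(store, "c10,c20"))
```

The vhost device ends up back at vhost_device_t, but the sysfs path, whose only matching entry is <<none>>, keeps svirt_t:s0:c10,c20 and shows up in the leaked list; checking can_restore before the chcon is the cheap way to refuse to hand out a label that cannot be taken back.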