Christopher J. PeBenito
cpebenito at tresys.com
Mon Jun 7 08:39:15 CDT 2010
On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> >> Added default label for /sys so libvirt could relabel to it.
> > I don't understand this. There should be no files labeled sysfs_t,
> > except for the entries created by the kernel on the fs itself, which get
> > the right label already.
> libvirt currently does the equivalent of
> chcon svirt_t:MCS1 DEVICE
> Run QEMU
> restorecon DEVICE
> If /sys is <<none>> then it does not have a label to change the context
> back to. And leaves the context with a label svirt_t:MCS1. If it later
> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
I still don't understand. There are no device nodes in sysfs.
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
More information about the refpolicy