From 5d34a85eae60726282f13ecbd44222d8e403ab58 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 2 Sep 2024 18:39:29 +0200 Subject: [PATCH 1/2] Allow virtstoraged get attributes of configfs dirs The commit addresses the following AVC denial: type=AVC msg=audit(1724038118.935:800): avc: denied { getattr } for pid=16121 comm="daemon-init" path="/sys/kernel/config" dev="configfs" ino=6163 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1 Resolves: rhbz#2305656 --- policy/modules/contrib/virt.te | 1 + policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 6a7ab05fcb..504ec6eef6 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2339,6 +2339,7 @@ kernel_io_uring_use(virtstoraged_t) corecmd_exec_bin(virtstoraged_t) fs_getattr_all_fs(virtstoraged_t) +fs_getattr_configfs_dirs(virtstoraged_t) userdom_read_user_home_content_files(virtstoraged_t) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index ddf32d8c85..5a874c341f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2062,6 +2062,24 @@ interface(`fs_dontaudit_write_configfs_dirs',` dontaudit $1 configfs_t:dir write; ') +####################################### +## +## Getattr dirs on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_configfs_dirs',` + gen_require(` + type configfs_t; + ') + + allow $1 configfs_t:dir getattr; +') + ####################################### ## ## Read dirs From fa05e07b359e76f7eefe98b9432a4a871ae2da9e Mon Sep 17 00:00:00 2001 
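Review bot: The new `fs_getattr_configfs_dirs(virtstoraged_t)` call sits directly under `fs_getattr_all_fs(virtstoraged_t)`, and a later reader can easily assume the existing line already covers it; it does not, because the denial in the commit message is `tclass=dir` on `/sys/kernel/config` (`configfs_t`), whereas `fs_getattr_all_fs` is the `filesystem` class (statfs-style) permission. A one-line comment above the new call, e.g. `# dir getattr on the /sys/kernel/config mountpoint (rhbz#2305656); fs_getattr_all_fs covers only the filesystem class`, would prevent the rule from being "deduplicated" away. Note the rule necessarily applies to every `configfs_t` directory, not just the mountpoint, which is the finest granularity the type system offers here. The enclosing virtstoraged policy block starts before and ends after this hunk.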
From: Zdenek Pytela Date: Mon, 2 Sep 2024 18:31:09 +0200 Subject: [PATCH 2/2] Update policy for rpc-virtstorage In particular, domain transition on udev and parted execution and r/w operations on fixed disk devices were allowed. Resolves: rhbz#2305564 --- policy/modules/contrib/virt.te | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 504ec6eef6..b634ab90ac 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -2334,6 +2334,7 @@ manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) +kernel_get_sysvipc_info(virtstoraged_t) kernel_io_uring_use(virtstoraged_t) corecmd_exec_bin(virtstoraged_t) @@ -2341,16 +2342,27 @@ corecmd_exec_bin(virtstoraged_t) fs_getattr_all_fs(virtstoraged_t) fs_getattr_configfs_dirs(virtstoraged_t) +storage_raw_read_fixed_disk(virtstoraged_t) +storage_raw_write_fixed_disk(virtstoraged_t) + userdom_read_user_home_content_files(virtstoraged_t) optional_policy(` dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t) ') +optional_policy(` + fstools_domtrans(virtstoraged_t) +') + optional_policy(` lvm_domtrans(virtstoraged_t) ') +optional_policy(` + udev_domtrans(virtstoraged_t) +') + ####################################### # # virtvboxd local policy
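Review bot: `kernel_get_sysvipc_info(virtstoraged_t)` is not covered by the commit message, which only lists the udev/parted transitions and the fixed-disk access, so the next maintainer cannot trace this grant to a denial. As far as I recall, in refpolicy this interface maps to `kernel_t:system ipc_info`, a read-only permission, but it is still a new grant on a daemon that now also gets raw disk access and should be justified like the others. Please quote the triggering AVC in the commit message, or annotate the line, e.g. `# ipc_info: <command> enumerates SysV IPC objects (rhbz#2305564)` with the actual command filled in. The virtstoraged block this hunk edits starts before the hunk.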
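Review bot: `storage_raw_write_fixed_disk(virtstoraged_t)` gives the daemon raw write access to every `fixed_disk_device_t` node, i.e. the host's own system disks and not only the devices backing storage pools, and combined with `fstools_domtrans` (parted/mkfs running as fsadm_t) and `udev_domtrans` a compromised virtstoraged can repartition or overwrite host disks. That is probably unavoidable for the disk and logical pool backends, but the commit should record which operation needs the direct write (presumably volume wipe/upload on disk-pool partitions, while partitioning itself goes through parted) so the rule is neither widened nor pruned blindly later; a comment such as `# disk pools: vol-wipe/upload write partition devices directly; partitioning runs via parted in fsadm_t` above the two `storage_raw_*` calls would do. For `udev_domtrans`, please confirm the only `udev_exec_t` binary virtstoraged invokes is `udevadm` (e.g. `udevadm settle` after device changes), because the transition target udev_t is considerably more privileged than the caller; if this policy tree offers an interface that runs udevadm in the caller's domain instead, it would be the narrower choice. The enclosing virtstoraged block starts before this hunk.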