Re: [libvirt] [PATCH V1 4/6] Add SELinux labeling support for TPM
On 03/14/2013 10:29 AM, Daniel P. Berrange wrote:
On Wed, Mar 13, 2013 at 12:03:52PM -0400, Stefan Berger wrote:
> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
>
> ---
> src/security/security_selinux.c | 90 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 90 insertions(+)
I imagine we also need to update security_apparmour.c and
security_dac.c.
DAC: this seems to only be necessary if the the owner of the device is
not root. Typically it is owned by root. I added support for it anyway now.
AppArmour: it looks like no other character devices are being labeled so
I may not have to do this for the TPM, either (?)
Also src/conf/domain_audit.c will need to emit an audit event when the
TPM is configured to use a host device.
type=VIRT_RESOURCE msg=audit(1363292411.635:499): pid=23365 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=cgroup
reason=allow vm="TPM-PT" uuid=a4d7cd22-da89-3094-6212-079a48a309a1
cgroup="/sys/fs/cgroup/devices/libvirt/qemu/TPM-PT/" class=path
path=/dev/tpm0 rdev=0A:E0 acl=rw exe="/usr/sbin/libvirtd" hostname=?
addr=? terminal=? res=success'
Is this message type sufficient for a host device?
Stefan
Daniel