Re: [libvirt] [PATCH V1 4/6] Add SELinux labeling support for TPM
On Thu, Mar 14, 2013 at 04:24:27PM -0400, Stefan Berger wrote:
On 03/14/2013 10:29 AM, Daniel P. Berrange wrote:
>On Wed, Mar 13, 2013 at 12:03:52PM -0400, Stefan Berger wrote:
>>Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
>>
>>---
>> src/security/security_selinux.c | 90
++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 90 insertions(+)
>I imagine we also need to update security_apparmour.c and
>security_dac.c.
DAC: this seems to only be necessary if the the owner of the device
is not root. Typically it is owned by root. I added support for it
anyway now.
AppArmour: it looks like no other character devices are being
labeled so I may not have to do this for the TPM, either (?)
>
>Also src/conf/domain_audit.c will need to emit an audit event when the
>TPM is configured to use a host device.
type=VIRT_RESOURCE msg=audit(1363292411.635:499): pid=23365 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm
resrc=cgroup reason=allow vm="TPM-PT"
uuid=a4d7cd22-da89-3094-6212-079a48a309a1
cgroup="/sys/fs/cgroup/devices/libvirt/qemu/TPM-PT/" class=path
path=/dev/tpm0 rdev=0A:E0 acl=rw exe="/usr/sbin/libvirtd" hostname=?
addr=? terminal=? res=success'
Is this message type sufficient for a host device?
No, this is just a generic message related to cgroups setup.
We need to emit explicit audit log for each device in addition
to this, since we cannot assume cgroups is enabled.
We need to extend the virDomainAuditStart method to include
this new device type.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|