On 03/14/2013 10:29 AM, Daniel P. Berrange wrote:
On Wed, Mar 13, 2013 at 12:03:52PM -0400, Stefan Berger wrote:
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
--- src/security/security_selinux.c | 90 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) I imagine we also need to update security_apparmour.c and security_dac.c.
DAC: this seems to only be necessary if the the owner of the device is not root. Typically it is owned by root. I added support for it anyway now. AppArmour: it looks like no other character devices are being labeled so I may not have to do this for the TPM, either (?)
Also src/conf/domain_audit.c will need to emit an audit event when the TPM is configured to use a host device.
type=VIRT_RESOURCE msg=audit(1363292411.635:499): pid=23365 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=cgroup reason=allow vm="TPM-PT" uuid=a4d7cd22-da89-3094-6212-079a48a309a1 cgroup="/sys/fs/cgroup/devices/libvirt/qemu/TPM-PT/" class=path path=/dev/tpm0 rdev=0A:E0 acl=rw exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success' Is this message type sufficient for a host device? Stefan
Daniel