Re: [libvirt] [PATCH V1 4/6] Add SELinux labeling support for TPM

On Thu, Mar 14, 2013 at 04:24:27PM -0400, Stefan Berger wrote: > On 03/14/2013 10:29 AM, Daniel P. Berrange wrote: >> On Wed, Mar 13, 2013 at 12:03:52PM -0400, Stefan Berger wrote: >>> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com&gt; >>> >>> --- >>> src/security/security_selinux.c | 90 ++++++++++++++++++++++++++++++++++++++++ >>> 1 file changed, 90 insertions(+) >> I imagine we also need to update security_apparmour.c and >> security_dac.c. > DAC: this seems to only be necessary if the the owner of the device > is not root. Typically it is owned by root. I added support for it > anyway now. > AppArmour: it looks like no other character devices are being > labeled so I may not have to do this for the TPM, either (?) > > >> Also src/conf/domain_audit.c will need to emit an audit event when the >> TPM is configured to use a host device. > type=VIRT_RESOURCE msg=audit(1363292411.635:499): pid=23365 uid=0 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm > resrc=cgroup reason=allow vm="TPM-PT" > uuid=a4d7cd22-da89-3094-6212-079a48a309a1 > cgroup="/sys/fs/cgroup/devices/libvirt/qemu/TPM-PT/" class=path > path=/dev/tpm0 rdev=0A:E0 acl=rw exe="/usr/sbin/libvirtd" hostname=? > addr=? terminal=? res=success' > > Is this message type sufficient for a host device? No, this is just a generic message related to cgroups setup. We need to emit explicit audit log for each device in addition to this, since we cannot assume cgroups is enabled. We need to extend the virDomainAuditStart method to include this new device type.