qemu-devel

[Qemu-devel] Capabilities in default SELinux policy for QEMU


From: Blue Swirl
Subject: [Qemu-devel] Capabilities in default SELinux policy for QEMU
Date: Sun, 21 Apr 2013 08:55:33 +0000

Hi,

It looks like the reference SELinux policy for QEMU is too restrictive
for 9pfs (and user emulators) and also too permissive for any other
uses.

Excerpts from policy/modules/contrib/qemu.if:

template(`qemu_domain_template',`
        allow $1_t self:capability { dac_read_search dac_override };
')

9pfs needs more capabilities, at least chown, fowner, fsetid, mknod
and setfcap. See also virtfs-proxy-helper.c:121, which for some reason
doesn't specify dac_override (needed to override permissions) or
setfcap (for extended attributes using FS capabilities) and I don't
think setgid or setuid should be needed since there's fsetid. The
protocol does not support passing the Linux immutable attribute, so
linux_immutable is not needed. The capabilities should be restricted
to virtfs-proxy-helper only.

Linux user emulators could probably exercise a much wider set of
capabilities, but maybe that case isn't so interesting.

However, for use of QEMU without 9pfs, no capabilities should be
necessary, so I'd make the capabilities tunable and off by default. Of
course if QEMU is not run with the capabilities enabled in the first
place (as non-root user), the capabilities don't matter much.
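
The check below is an added example, not part of the original message or of the reference policy: it parses `self:capability` allow rules from policy text and reports, per source type, which capabilities are missing for 9pfs and which are excess when 9pfs is not used. The function names are hypothetical, and reading "needs more capabilities" as "in addition to the two the template already grants" is an assumption.

```python
import re

# Capabilities taken from the message: the two the template grants today ...
TEMPLATE_CAPS = {"dac_read_search", "dac_override"}
# ... plus the ones it says 9pfs needs "at least" (assumed to be additive).
NINEP_CAPS = TEMPLATE_CAPS | {"chown", "fowner", "fsetid", "mknod", "setfcap"}

# allow <source> self:capability { a b c };   or   allow <source> self:capability a;
# \b keeps "neverallow" rules from matching.
RULE = re.compile(
    r"\ballow\s+(\S+)\s+self:capability\s+(?:\{([^}]*)\}|(\w+))\s*;"
)


def capability_grants(policy_text):
    """Return {source_type: set(capabilities)} for self:capability allow rules."""
    # Strip '#' comments line by line, then match across line breaks.
    text = "\n".join(line.split("#", 1)[0] for line in policy_text.splitlines())
    grants = {}
    for m in RULE.finditer(text):
        caps = (m.group(2) or m.group(3)).split()
        grants.setdefault(m.group(1), set()).update(caps)
    return grants


def audit(policy_text, uses_9pfs):
    """Compare granted capabilities with the set the message argues for."""
    wanted = NINEP_CAPS if uses_9pfs else set()  # no 9pfs: none should be needed
    return {
        source: {"missing": sorted(wanted - caps), "excess": sorted(caps - wanted)}
        for source, caps in capability_grants(policy_text).items()
    }


# The excerpt quoted in the message, embedded as sample input.
SAMPLE = """
template(`qemu_domain_template',`
        allow $1_t self:capability { dac_read_search dac_override };
')
"""

if __name__ == "__main__":
    for uses_9pfs in (True, False):
        print("9pfs" if uses_9pfs else "no 9pfs", audit(SAMPLE, uses_9pfs))
```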


