[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: qemu-ga guest-exec & SELinux
From: |
Daniel P . Berrangé |
Subject: |
Re: qemu-ga guest-exec & SELinux |
Date: |
Tue, 21 Jun 2022 10:30:33 +0100 |
User-agent: |
Mutt/2.2.1 (2022-02-19) |
On Tue, Jun 21, 2022 at 10:42:39AM +0200, Renaud Métrich wrote:
> Hi there,
>
> I'm the BZ reporter.
>
> I think the safe solution is to provide something similar to what was done
> for vmtools: have a context switching to become sort of "unconfined" domain.
>
> This context switch has to happen only the executor and we already have a
> solution, I documented it in the BZ.
>
> I don't think having an additional boolean is necessary, unless we want to
> restrict the commands the guest can execute.
If we allow QGA to execute arbitrary commands, running those commands
unconfined_t, then what is the point of having any SELinux policy
for QGA at all. It can just execute "/bin/sh" or "/bin/perl", passing
any script commands it wants, having them run as unconfined_t and thus
escape all SELinux confinement of QGA.
I didn't realize that we in fact already allowed runing any command
labelled bin_t. That already makes the QGA policy useless as a security
measure and should be addressed IMHO by putting that existing rul;e
behind a boolean, defaulting to disabled.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|