The challenge is that the needed allow rule is to permit source type virt_qemu_ga_t to the label on the mounted directory’s type of class dir for permissions read and ioctl. This is addressable for any individual machine because the off-disk mount point is a folder of just the one type but I want to put this fix into my KVM template and that means the target type for this rule could be anything. This prompts me to inquire if anyone has found a way to set the target type to a wildcard in the AV rule?
As an example, here is the audit2allow -a -t virt_qemu_ga_t -M output for 2 machines with the same problem, but different purposes.
On a web server:

```
module qemu_ga_snap_fix 1.0;

require {
    type httpd_sys_content_t;
    type virt_qemu_ga_t;
    class dir { ioctl read };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t httpd_sys_content_t:dir { ioctl read };
```
```
module qemu_ga_snap_fix 1.0;

require {
    type mysqld_db_t;
    type virt_qemu_ga_t;
    class dir { ioctl read };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t mysqld_db_t:dir { ioctl read };
```
```
allow virt_qemu_ga_t *:dir { ioctl read };
```
```
checkmodule: loading policy configuration from qemu_ga_snap_fix.te
qemu_ga_snap_fix.te:10:ERROR '* not allowed in this type of rule' at token ';' on line 10:
allow virt_qemu_ga_t *:dir { ioctl read };
#============= virt_qemu_ga_t ==============
checkmodule: error(s) encountered while parsing configuration
```
I tried a combined version with this TE file:

```
module qemu_ga_snap_fix 1.0;

require {
    type httpd_sys_content_t;
    type mysqld_db_t;
    type virt_qemu_ga_t;
    class dir { ioctl read };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t { httpd_sys_content_t mysqld_db_t }:dir { ioctl read };
```
Has anyone found a way to wildcard the target type for an access vector allow rule?
Any help or suggestions would be appreciated.
Thanks,
Scott
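One way to get the "any target type" effect without the `*` that checkmodule rejects is to write the allow rule against a type attribute instead of a type. The reference and targeted policies put every on-disk file and directory type (httpd_sys_content_t and mysqld_db_t included) under the `file_type` attribute, so a single rule on that attribute covers whichever mount point a given VM ends up with. The script below is an added example, not code from the original post or from the SELinux project: it generates such a module, builds it with the standard checkmodule / semodule_package / semodule chain, and shows how to confirm the resulting rule with setools' sesearch. It assumes the build host has checkpolicy, policycoreutils and setools installed and that `file_type` exists in the loaded policy (it does in the Fedora/RHEL/CentOS policies). Because `file_type` is broad, the rule grants directory listing (read and ioctl on class dir, nothing on the files inside) on every labelled directory; check the result with sesearch and narrow the attribute if the template's mount points can be enumerated.

```shell
#!/bin/sh
# Added example (not from the original post): SELinux module that allows
# virt_qemu_ga_t to read/ioctl directories of any type carrying the file_type
# attribute. Assumes checkmodule, semodule_package, semodule and sesearch are
# installed and that the loaded policy defines the file_type attribute.
set -e

MODULE=qemu_ga_snap_fix

# Emit the type-enforcement source. An attribute stands in for the wildcard
# that checkmodule refuses in allow rules.
write_te() {
    cat <<'EOF'
module qemu_ga_snap_fix 1.1;

require {
    type virt_qemu_ga_t;
    attribute file_type;
    class dir { ioctl read };
}

#============= virt_qemu_ga_t ==============
# file_type is carried by httpd_sys_content_t, mysqld_db_t and every other
# persistent file/directory type, so one rule covers any mount point.
allow virt_qemu_ga_t file_type:dir { ioctl read };
EOF
}

# Compile the .te into a loadable .pp and install it (needs root).
build_and_load() {
    write_te > "$MODULE.te"
    checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
    semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
    semodule -i "$MODULE.pp"
}

# Print the allow rules the loaded policy now holds for this source domain
# and attribute, so the scope of what was granted can be reviewed.
verify_loaded() {
    sesearch -A -s virt_qemu_ga_t -t file_type -c dir
}

# Building touches the running policy, so only do it when asked explicitly:
#   sh qemu_ga_snap_fix.sh install
if [ "${1:-}" = "install" ]; then
    build_and_load
    verify_loaded
else
    write_te
fi
```

Run without arguments the script just prints the generated .te so it can be reviewed or dropped into a template; `install` performs the build and load. To see which types the rule reaches on a given host, `seinfo -a file_type -x` (setools) lists every type that carries the attribute.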