662188 – kernel_t shouldn't be MCS constrained (error when accessing block device that is MCS constrained)

Bug 662188 - kernel_t shouldn't be MCS constrained (error when accessing block device that is MCS constrained)

Summary: kernel_t shouldn't be MCS constrained (error when accessing block device that...

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	SELinux (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-07-26 14:54 UTC by dkjii
Modified:	2018-07-26 14:55 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
AVC log and blame log (selinux-kernel-avc.log,1.23 KB, text/plain) 2018-07-26 14:55 UTC, dkjii	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description dkjii 2018-07-26 14:54:39 UTC

I use qemu://session for my VMs, and when using directly a block device, qemu (sVirt) will relabel the fixed_disk_device_t to virt_image_t:s0:CATEGORY

On disconnect, this prevent the kernel from reaping/removing the device

I went on #selinux and grift commented that "MCS constrained should be opt-in, so the kernel should not be constrained"

i.e. "or (t1 != mcs_constrained_type) and (t2 == domain -Fail-)" should only be "or (t1 != msc_constrained_type)" for the write constrain (not sure about the other ones)

Nonetheless, the kernel_t should not be constrained, so for now I fixed it with a local policy of:
typeattribute kernel_t mcsreadall;
typeattribute kernel_t mcswriteall;

Comment 1 dkjii 2018-07-26 14:55:56 UTC

Created attachment 541114 [details]
AVC log and blame log