Bug 432096

Summary: app-emulation/spice-vdagent request for selinux policy support
Product: Gentoo Linux
Reporter: Michael Mair-Keimberger (iamnr3) <mmk>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Severity: minor
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r4
Package list:
Runtime testing required: ---

Description Michael Mair-Keimberger (iamnr3) 2012-08-20 17:53:45 UTC
For a few days I've been playing around with spice. Eventually also on a selinux gentoo. However, in the first place it didn't work on such a system until I disabled all security features with paxctl.
Right now the "spice-vdagent" executable looks like this, which works:

baltix ~ # paxctl -v /usr/bin/spice-vdagent
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <>

- PaX flags: -p-s-m-x-e-r [/usr/bin/spice-vdagent]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

However, I'm also just playing around with selinux, and I guess such changes to executables are usually handled with the "selinux" useflag (which is not present right now) and therefore with policies.

I also searched the web for such a policy and found that [1], but unfortunately I don't know how to implement new policies, so I hope someone can add one :)

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-22 21:20:38 UTC
I couldn't immediately find a reference in that bug where the policy itself is at, but refpolicy already holds a policy for vdagent (which I believe is the same thing, no?)

However, that policy confined the spice-vdagentd (daemon), whereas your path looks like a client-side package. In any case, I'll add in selinux-vdagent to support the daemon to start with.

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-24 17:37:49 UTC
rev4 is in hardened-dev overlay, which includes the selinux-vdagent policy. When it hits the main tree, I'll also add in the dependency on spice towards this policy (can't do it sooner for obvious reasons).

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:32:47 UTC
In main tree, ~arch'ed (rev 5)

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:32:37 UTC