Bug 432096 - app-emulation/spice-vdagent request for selinux policy support
Summary: app-emulation/spice-vdagent request for selinux policy support
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal minor
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r4
Depends on:
Reported: 2012-08-20 17:53 UTC by Michael Mair-Keimberger (iamnr3)
Modified: 2012-10-04 18:32 UTC
Description Michael Mair-Keimberger (iamnr3) 2012-08-20 17:53:45 UTC
For a few days now I've been playing around with spice, eventually also on an SELinux Gentoo system. However, at first it didn't work on such a system until I disabled all security features with paxctl.
Right now the "spice-vdagent" executable looks like this, which works:

baltix ~ # paxctl -v /usr/bin/spice-vdagent
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <>

- PaX flags: -p-s-m-x-e-r [/usr/bin/spice-vdagent]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

However, I'm also just playing around with SELinux, and I guess such changes to executables are usually handled with the "selinux" USE flag (which is not present right now) and therefore with policies.

I also searched the web for such a policy and found [1], but unfortunately I don't know how to implement new policies, so I hope someone can add one :)

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-22 21:20:38 UTC
I couldn't immediately find a reference in that bug to where the policy itself is, but refpolicy already holds a policy for vdagent (which I believe is the same thing, no?)

However, that policy confined the spice-vdagentd (daemon), whereas your path looks like a client-side package. In any case, I'll add in selinux-vdagent to support the daemon to start with.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-24 17:37:49 UTC
rev4 is in hardened-dev overlay, which includes the selinux-vdagent policy. When it hits the main tree, I'll also add in the dependency on splace towards this policy (can't do it sooner for obvious reasons).
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:32:47 UTC
In main tree, ~arch'ed (rev 5)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:32:37 UTC