...
Introduction
It's been decided that SELinux has to be fully integrated into OpenXT's predecessor.
For that, it needs a policy governing every action that every program can do.
...
A good summary of SELinux history can be found here: https://www.ibm.com/developerworks/library/l-secure-linux-ru/
In
...
OpenXT's Predecessor
For now, SELinux is present in dom0 and the ndvm. As of the latest Spindrift release it is enforcing from first boot in a Kent installation, and permissive in all other cases.
The default behaviour is defined in "/etc/selinux/config".
You can get the current SELinux state of a VM by running "getenforce".
You can set the current SELinux state of a VM by running "setenforce", followed by 0 for Permissive or 1 for Enforcing.
SELinux is also used to separate QEMU processes from each other using an architecture known as sVirt. Our implementation of sVirt is documented in the OpenXT's predecessor sVirt page.
How it works
SELinux is built on the notion of contexts.
...
The SELinux rules are located in the OpenXT's predecessor git repository selinux-policy.
...
First, you need to be in Permissive mode before running your program. Otherwise, SELinux could block it too early to trigger all the denials.
Then, get the errors from the logs; those are called AVCs in the SELinux dialect. You can for example run "grep avc /var/log/messages | grep <program>" to get <program>'s denials.
Let's say, for example, that you just added V4V communications to the program fish. "grep avc /var/log/messages | grep fish" gives you:
[...] avc: denied { open } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc: denied { read } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc: denied { write } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
...
For our example, there is a macro in "policy/support/obj_perm_sets.spt":
define(`rw_chr_file_perms', `{ getattr open read write append ioctl lock }')
Let's use it! You can now write:
...
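The steps above (collect the AVC denials for one program, group them by source type, target type and object class, then see whether a permission set from obj_perm_sets.spt covers them) are easy to do by hand for three lines and tedious for three hundred. The following script is an added example, not part of this page or of the selinux-policy repository: it parses AVC messages in the format quoted above, aggregates the denied permissions per (source, target, class) triple and prints both the minimal allow rule and, when one of the known permission sets is a superset of what was denied, the macro form. The log lines are constructed for the example, modelled on the fish denials; only the rw_chr_file_perms set quoted on this page is included in the table.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the denials quoted above. The fourth line is
# an unrelated process so the comm filter has something to exclude.
SAMPLE_LOG = """\
kernel: type=1400 audit(1.0:10): avc: denied { open } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: type=1400 audit(1.0:11): avc: denied { read } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: type=1400 audit(1.0:12): avc: denied { write } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: type=1400 audit(1.0:13): avc: denied { read } for pid=140 comm="sh" path="/var/log/sample.log" dev=sda1 ino=100 scontext=system_u:system_r:sample_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permission sets as defined in policy/support/obj_perm_sets.spt, keyed by
# object class. Only the set quoted on this page is reproduced here.
PERM_SETS = {
    'chr_file': {
        'rw_chr_file_perms': frozenset('getattr open read write append ioctl lock'.split()),
    },
}


def parse_avc(line):
    """Return the AVC fields of one log line as a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = frozenset(m.group('perms').split())
    return fields


def domain_type(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(':')[2]


def collect_denials(log_text, comm=None):
    """Aggregate denied permissions per (source type, target type, object class).

    If comm is given, only denials whose comm= field matches are kept, which is
    the same filtering as "grep avc /var/log/messages | grep <program>".
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        if comm is not None and avc.get('comm') != comm:
            continue
        key = (domain_type(avc['scontext']), domain_type(avc['tcontext']), avc['tclass'])
        denials[key].update(avc['perms'])
    return dict(denials)


def suggest_rules(denials):
    """For each triple return (minimal allow rule, macro-based rule or None).

    The minimal rule grants exactly what was denied. The macro form is what the
    page suggests writing, and is only offered when the set covers every denied
    permission; note that it usually grants more than was observed.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        minimal = 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        macro_rule = None
        for name, members in PERM_SETS.get(cls, {}).items():
            if perms <= members:
                macro_rule = 'allow %s %s:%s %s;' % (src, tgt, cls, name)
                break
        rules.append((minimal, macro_rule))
    return rules


if __name__ == '__main__':
    for minimal, macro_rule in suggest_rules(collect_denials(SAMPLE_LOG, comm='fish')):
        print('minimal: ' + minimal)
        print('macro:   ' + (macro_rule or '(no matching permission set)'))
```

Run against the constructed log with comm='fish', the script reports the minimal rule "allow fish_t v4v_t:chr_file { open read write };" and the macro form "allow fish_t v4v_t:chr_file rw_chr_file_perms;". The macro form is the one the page recommends, but it also grants getattr, append, ioctl and lock, which did not appear in the denials; when reviewing a policy change it is worth knowing which of the two you are committing to.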
...[a few greps later]...
"policy/modules/system/xc_files.if" defines the interface xc_files_rw_v4v_chr, which takes one argument: the source context.
...
Start by copying a small existing OpenXT's predecessor module, such as angelomachy, replacing of course the occurrences of "angelomachy" with your module name.
...