On Mon, Mar 06, 2023 at 09:03:42AM +, Daniel P. Berrangé wrote:
> On Fri, Mar 03, 2023 at 07:46:27PM -0500, Laine Stump wrote:
> > On 3/3/23 1:36 PM, Daniel P. Berrangé wrote:
> > > On Fri, Mar 03, 2023 at 10:18:39AM -0800, Andrea Bolognani wrote:
> > > > I still don't understand why we can't
On Fri, Mar 03, 2023 at 07:56:18PM -0500, Laine Stump wrote:
> On 3/3/23 10:44 AM, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 10:03:02AM -0500, Laine Stump wrote:
> > > On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
> > > >
> > > > This really isn't difficult to do in the security
On Fri, Mar 03, 2023 at 07:46:27PM -0500, Laine Stump wrote:
> On 3/3/23 1:36 PM, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 10:18:39AM -0800, Andrea Bolognani wrote:
> > > On Fri, Mar 03, 2023 at 06:06:05PM +, Daniel P. Berrangé wrote:
> > > > On Fri, Mar 03, 2023 at 09:56:55AM
On 3/3/23 10:44 AM, Daniel P. Berrangé wrote:
On Fri, Mar 03, 2023 at 10:03:02AM -0500, Laine Stump wrote:
On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
This really isn't difficult to do in the security manager IMHO. It is
just a variation on the existing
On 3/3/23 1:36 PM, Daniel P. Berrangé wrote:
On Fri, Mar 03, 2023 at 10:18:39AM -0800, Andrea Bolognani wrote:
On Fri, Mar 03, 2023 at 06:06:05PM +, Daniel P. Berrangé wrote:
On Fri, Mar 03, 2023 at 09:56:55AM -0800, Andrea Bolognani wrote:
Right, but wouldn't the idea of poking at the
On Fri, Mar 03, 2023 at 10:18:39AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 06:06:05PM +, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 09:56:55AM -0800, Andrea Bolognani wrote:
> > > Right, but wouldn't the idea of poking at the filesystem to retrieve
> > > the label
On Fri, Mar 03, 2023 at 06:06:05PM +, Daniel P. Berrangé wrote:
> On Fri, Mar 03, 2023 at 09:56:55AM -0800, Andrea Bolognani wrote:
> > Right, but wouldn't the idea of poking at the filesystem to retrieve
> > the label from the binary (passt_exec_t) and then applying a text
> > transformation
On Fri, Mar 03, 2023 at 09:56:55AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 05:15:43PM +, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> > > > > Since we know that we're launching passt and not some other random
> > > > >
On Fri, Mar 03, 2023 at 05:15:43PM +, Daniel P. Berrangé wrote:
> On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> > > > Since we know that we're launching passt and not some other random
> > > > helper, why can't we simply use passt_t directly here? It feels like
> > > >
On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 03:47:23PM +, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> > > I'm in no way a SELinux expert, but the idea of figuring out the
> > > runtime label
On Fri, Mar 03, 2023 at 03:47:23PM +, Daniel P. Berrangé wrote:
> On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> > I'm in no way a SELinux expert, but the idea of figuring out the
> > runtime label for the process based on information found on the
> > filesystem makes me
On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 10:03:02AM -0500, Laine Stump wrote:
> > On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
> > > This really isn't difficult to do in the security manager IMHO. It is
> > > just a variation on the existing
On Fri, Mar 03, 2023 at 10:03:02AM -0500, Laine Stump wrote:
> On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
> >
> > This really isn't difficult to do in the security manager IMHO. It is
> > just a variation on the existing virSecurityManagerSetChildProcessLabel
> > method, which instead of using
On Fri, Mar 03, 2023 at 10:03:02AM -0500, Laine Stump wrote:
> On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
> > This really isn't difficult to do in the security manager IMHO. It is
> > just a variation on the existing virSecurityManagerSetChildProcessLabel
> > method, which instead of using the
On 2/23/23 5:47 AM, Daniel P. Berrangé wrote:
On Thu, Feb 23, 2023 at 11:40:00AM +0100, Jiri Denemark wrote:
On Wed, Feb 22, 2023 at 14:21:29 +0100, Stefano Brivio wrote:
qemuSecurityCommandRun() causes an explicit domain transition of the
new process, but passt ships with its own SELinux
On Thu, Feb 23, 2023 at 11:40:00AM +0100, Jiri Denemark wrote:
> On Wed, Feb 22, 2023 at 14:21:29 +0100, Stefano Brivio wrote:
> > qemuSecurityCommandRun() causes an explicit domain transition of the
> > new process, but passt ships with its own SELinux policy, with
> > external interfaces for
On Wed, Feb 22, 2023 at 14:21:29 +0100, Stefano Brivio wrote:
> qemuSecurityCommandRun() causes an explicit domain transition of the
> new process, but passt ships with its own SELinux policy, with
> external interfaces for libvirtd, so we simply need to transition
> from virtd_t to passt_t as
On Wed, 22 Feb 2023 17:38:49 +0100
Michal Prívozník wrote:
> On 2/22/23 16:51, Stefano Brivio wrote:
> > On Wed, 22 Feb 2023 14:30:21 +
> > Daniel P. Berrangé wrote:
> >
> >> On Wed, Feb 22, 2023 at 02:21:29PM +0100, Stefano Brivio wrote:
> >>> qemuSecurityCommandRun() causes an
On 2/22/23 16:51, Stefano Brivio wrote:
> On Wed, 22 Feb 2023 14:30:21 +
> Daniel P. Berrangé wrote:
>
>> On Wed, Feb 22, 2023 at 02:21:29PM +0100, Stefano Brivio wrote:
>>> qemuSecurityCommandRun() causes an explicit domain transition of the
>>> new process, but passt ships with its own
On Wed, 22 Feb 2023 14:30:21 +
Daniel P. Berrangé wrote:
> On Wed, Feb 22, 2023 at 02:21:29PM +0100, Stefano Brivio wrote:
> > qemuSecurityCommandRun() causes an explicit domain transition of the
> > new process, but passt ships with its own SELinux policy, with
> > external interfaces for
On 2/22/23 9:30 AM, Daniel P. Berrangé wrote:
On Wed, Feb 22, 2023 at 02:21:29PM +0100, Stefano Brivio wrote:
qemuSecurityCommandRun() causes an explicit domain transition of the
new process, but passt ships with its own SELinux policy, with
external interfaces for libvirtd, so we simply need
On Wed, Feb 22, 2023 at 02:21:29PM +0100, Stefano Brivio wrote:
> qemuSecurityCommandRun() causes an explicit domain transition of the
> new process, but passt ships with its own SELinux policy, with
> external interfaces for libvirtd, so we simply need to transition
> from virtd_t to passt_t as
qemuSecurityCommandRun() causes an explicit domain transition of the
new process, but passt ships with its own SELinux policy, with
external interfaces for libvirtd, so we simply need to transition
from virtd_t to passt_t as passt is executed. The qemu type
enforcement rules have little to do with
23 matches