On Tue, Jun 21, 2022 at 10:42:39AM +0200, Renaud Métrich wrote:
Hi there,
I'm the BZ reporter.
I think the safe solution is to provide something similar to what was done for vmtools: have a context switching to become sort of "unconfined" domain.
This context switch has to happen only the executor and we already have a solution, I documented it in the BZ.
I don't think having an additional boolean is necessary, unless we want to restrict the commands the guest can execute.
If we allow QGA to execute arbitrary commands, running those commands unconfined_t, then what is the point of having any SELinux policy for QGA at all. It can just execute "/bin/sh" or "/bin/perl", passing any script commands it wants, having them run as unconfined_t and thus escape all SELinux confinement of QGA.
I didn't realize that we in fact already allowed runing any command labelled bin_t. That already makes the QGA policy useless as a security measure and should be addressed IMHO by putting that existing rul;e behind a boolean, defaulting to disabled.
With regards, Daniel
selinux@lists.fedoraproject.org