[PATCH v2] Add SELinux policy for virt

Vit Mojzis vmojzis at redhat.com
Wed Apr 7 13:14:58 UTC 2021


Sorry for the long delay. This is our first request to ship a policy for
multiple SELinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in Python
* Compile the policy module twice (1 version for targeted/minimum - with
  enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
  type is available

The new policy was only tested in "targeted" mode so far and we'll need to make
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case with the current policy) by default (some
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.




