[PATCH v2] Add SELinux policy for virt

Daniel P. Berrangé berrange at redhat.com
Mon Apr 26 17:03:10 UTC 2021


On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> Sorry for the long delay. This is our first request to ship a policy for
> multiple selinux stores (targeted, mls and minimum).
> 
> Changes:
> * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
> * Add Ghost files representing installed policy modules in all policy stores
> * Rewrite policy compilation script in python
> * Compile the policy module twice (1 version for targeted/minimum - with 
>   enable_mcs, and 1 for mls - with enable_mls)
> * Manage policy (un)installation using triggers based on which policy
>   type is available
> 
> The new policy was only tested in "targeted" mode so far and we'll need to make 
> sure it works properly in "mls". As for "minimum", we know it will not
> work properly (as is the case of the current policy) by default (some 
> other "contrib" policy modules need to be enabled).
> I'd argue there is no point trying to get it to work in "minimum",
> mostly because it (minimum) will be retired soon.

Running a build with this series causes a tonne of warning messages
on the console:

[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
/usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98.
/usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117.
/usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136.
/usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155.
/usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176.
/usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197.
/usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218.
/usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
/usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256.
/usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275.
/usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295.
/usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314.
/usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332.
/usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368.
/usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386.
/usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405.
/usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430.
/usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449.
/usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467.
/usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485.
/usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549.
/usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570.
/usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591.
/usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638.
/usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657.
/usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676.
/usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695.
/usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714.
/usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721.
/usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725.
/usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729.
/usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733.
/usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738.
/usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742.
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746.
/usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). Original definition on 750.
/usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754.
/usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758.
/usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762.
/usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776.
/usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795.
/usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833.
/usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861.
../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29.
../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45.
../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51.
../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.
../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134.
../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152.
../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170.
../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205.
../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224.
../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244.
../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262.
../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281.
../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300.
../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321.
../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342.
../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360.
../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398.
../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416.
../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435.
../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455.
../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477.
../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515.
../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). Original definition on 533.
../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552.
../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573.
../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592.
../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612.
../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632.
../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651.
../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671.
../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690.
../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709.
../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746.
../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764.
../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783.
../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804.
../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829.
../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851.
../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875.
../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893.
../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912.
../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929.
../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947.
../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). Original definition on 967.
../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990.
../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008.
../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026.
../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044.
../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072.
../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106.
../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125.
../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143.
../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161.
../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179.
../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197.
../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215.
../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233.
../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253.
../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272.
../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291.
../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321.
../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). Original definition on 1340.
../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372.
../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390.
../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409.
../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427.
../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455.
../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480.
../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498.
../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516.
../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534.
../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552.
../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577.
../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622.
../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642.
../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678.
../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696.
../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716.
../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
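To make the wall of "duplicate definition" diagnostics above easier to triage, here is a small added example (not code from the libvirt tree or from either poster) that parses such lines and summarises them per interface file. The sample input is a handful of lines copied from the log in this mail; the classification into "same line number" versus "diverging line numbers" is a heuristic I am assuming for illustration, not something the build tool itself reports.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines taken from the build log
# quoted in the mail above, plus the progress line that precedes them.
SAMPLE_LOG = """\
[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.
../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134.
"""

# Shape of one "duplicate definition" diagnostic, exactly as it appears in
# the log above: <file>:<line>: Error: duplicate definition of <iface>().
# Original definition on <line>.
DUP_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+): Error: duplicate definition of "
    r"(?P<iface>\w+)\(\)\. Original definition on (?P<orig>\d+)\.$"
)


def parse_duplicates(log_text):
    """Yield one dict per duplicate-definition error; other lines are skipped."""
    for raw in log_text.splitlines():
        m = DUP_RE.match(raw.strip())
        if m:
            yield {
                "file": m.group("file"),
                "iface": m.group("iface"),
                "line": int(m.group("line")),
                "orig": int(m.group("orig")),
            }


def triage(log_text):
    """Summarise duplicates per interface file.

    For each file the result records how many interfaces were defined twice,
    how many of those report the same line for both definitions, and which
    ones report different lines.  Heuristic (an assumption of this example,
    not a statement the build tool makes): same-line pairs are what one
    file fed to the build twice looks like, while diverging pairs point at a
    second, differently laid-out copy of the interface being pulled in
    alongside the one in the source tree.
    """
    per_file = defaultdict(lambda: {"total": 0, "same_line": 0, "diverged": []})
    for d in parse_duplicates(log_text):
        entry = per_file[d["file"]]
        entry["total"] += 1
        if d["line"] == d["orig"]:
            entry["same_line"] += 1
        else:
            entry["diverged"].append((d["iface"], d["orig"], d["line"]))
    return dict(per_file)


def format_report(summary):
    """Render the triage summary as plain text, one file per block."""
    lines = []
    for path, entry in sorted(summary.items()):
        lines.append(f"{path}: {entry['total']} duplicate interface(s), "
                     f"{entry['same_line']} at identical line numbers")
        for iface, orig, dup in entry["diverged"]:
            lines.append(f"  {iface}: first at {orig}, again at {dup}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run it with the full log piped in (replace SAMPLE_LOG with sys.stdin.read()) and the per-file counts show at a glance whether a single include path entry is simply listed twice or whether two different revisions of an interface file are being merged, which is the first thing worth checking before touching the policy itself.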