[PATCH v2 1/4] Add SELinux policy for virt

Daniel P. Berrangé berrange at redhat.com
Mon Apr 26 17:26:50 UTC 2021


On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> From: Nikola Knazekova <nknazeko at redhat.com>
> 
> SELinux policy was created for:
> 
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
> 
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterface (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
> 
> SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
> 
> Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
> ---
>  libvirt.spec.in |   64 ++

I'd suggest just removing these parts of the patch, since
we're changing it again twice in later patches.

Just add the RPM spec changes at the time you add the meson
build rules.

This patch can just be the policy file import.

>  selinux/virt.fc |  111 +++
>  selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
>  selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++

Put these into $GIT/src/security/selinux, since that's alongside
where we store the apparmor policy.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
