[PATCH v2] Add SELinux policy for virt

Vit Mojzis vmojzis at redhat.com
Wed Apr 28 08:54:58 UTC 2021


On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
> On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
>> Sorry for the long delay. This is our first request to ship a policy for
>> multiple selinux stores (targeted, mls and minimum).
>>
>> Changes:
>> * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
>> * Add Ghost files representing installed policy modules in all policy stores
>> * Rewrite policy compilation script in python
>> * Compile the policy module twice (1 version for targeted/minimum - with
>>    enable_mcs, and 1 for mls - with enable_mls)
>> * Manage policy (un)installation using triggers based on which policy
>>    type is available
>>
>> The new policy was only tested in "targeted" mode so far and we'll need to make
>> sure it works properly in "mls". As for "minimum", we know it will not
>> work properly (as is the case of the current policy) by default (some
>> other "contrib" policy modules need to be enabled).
>> I'd argue there is no point trying to get it to work in "minimum",
>> mostly because it (minimum) will be retired soon.
> Running a build with this series causes a tonne of warning messages
> on the console:
>
> [1310/1319] Generating virt.pp with a custom command
> /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
> /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
> /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
> /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
> /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98.
> /usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117.
> /usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136.
> /usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155.
> /usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176.
> /usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197.
> /usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218.
> /usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
> /usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256.
> /usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275.
> /usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295.
> /usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314.
> /usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332.
> /usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368.
> /usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386.
> /usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405.
> /usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430.
> /usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449.
> /usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467.
> /usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485.
> /usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549.
> /usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570.
> /usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591.
> /usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638.
> /usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657.
> /usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676.
> /usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695.
> /usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714.
> /usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721.
> /usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725.
> /usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729.
> /usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733.
> /usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738.
> /usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742.
> /usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746.
> /usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). Original definition on 750.
> /usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754.
> /usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758.
> /usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762.
> /usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776.
> /usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795.
> /usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833.
> /usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861.
> ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
> ../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29.
> ../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45.
> ../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51.
> ../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.
> ../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
> ../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134.
> ../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152.
> ../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170.
> ../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205.
> ../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224.
> ../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244.
> ../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262.
> ../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281.
> ../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300.
> ../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321.
> ../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342.
> ../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360.
> ../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398.
> ../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416.
> ../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435.
> ../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455.
> ../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477.
> ../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515.
> ../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). Original definition on 533.
> ../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552.
> ../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573.
> ../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592.
> ../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612.
> ../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632.
> ../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651.
> ../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671.
> ../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690.
> ../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709.
> ../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746.
> ../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764.
> ../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783.
> ../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804.
> ../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829.
> ../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851.
> ../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875.
> ../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893.
> ../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912.
> ../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929.
> ../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947.
> ../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). Original definition on 967.
> ../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990.
> ../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008.
> ../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026.
> ../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044.
> ../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072.
> ../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106.
> ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125.
> ../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143.
> ../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161.
> ../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179.
> ../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197.
> ../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215.
> ../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233.
> ../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253.
> ../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272.
> ../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291.
> ../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321.
> ../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). Original definition on 1340.
> ../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372.
> ../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390.
> ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409.
> ../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427.
> ../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455.
> ../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480.
> ../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498.
> ../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516.
> ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534.
> ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552.
> ../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577.
> ../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622.
> ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642.
> ../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678.
> ../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696.
> ../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716.
> ../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.

Those are expected as long as there is still a virt.if interface file 
shipped by selinux-policy-* packages (we'll probably change the tone to 
Warning instead of Error in the future). Unfortunately they add up (you 
can see container-selinux messages as well).

I can hide them in the compilation script if you prefer that.

Regards,

Vit

>
> Regards,
> Daniel
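One way to do the hiding Vit offers, as an added example that is not the patch series' compilation script: it suppresses the duplicate-definition errors for interfaces the module's own virt.if defines and passes every other line through unchanged, so the container-selinux duplicates and any genuine error stay visible. The interface-file excerpt and the log lines are constructed samples modelled on the build output above.

```python
"""Filter expected 'duplicate definition' noise from an SELinux module build log.

Assumption (labelled): the build sees two copies of the module's interface
file, the one installed by selinux-policy-devel under
/usr/share/selinux/devel/include and the module's own ../selinux/virt.if,
so every interface in it is reported as defined twice.
"""
import re

# Diagnostic format as printed in the build log quoted in the thread.
DUP_RE = re.compile(
    r"^(?P<path>\S+):(?P<line>\d+): Error: duplicate definition of "
    r"(?P<iface>\w+)\(\)\. Original definition on (?P<orig>\d+)\.$"
)


def own_interfaces(if_source):
    """Names of interface()/template() blocks defined in the module's own .if text."""
    return set(re.findall(r"^\s*(?:interface|template)\(`(\w+)'", if_source, re.M))


def filter_log(log_lines, known):
    """Return (kept_lines, suppressed), suppressed being a per-file count of hidden errors."""
    kept, suppressed = [], {}
    for line in log_lines:
        m = DUP_RE.match(line.strip())
        if m and m["iface"] in known:
            suppressed[m["path"]] = suppressed.get(m["path"], 0) + 1
        else:
            kept.append(line)
    return kept, suppressed


# Constructed sample: a slice of virt.if and a few lines of build output.
VIRT_IF = """\
interface(`virt_stub_lxc',`
    gen_require(`
        type virtd_lxc_t;
    ')
')
template(`virt_domain_template',`
    gen_require(`
        attribute virt_domain;
    ')
')
"""
LOG = [
    "[1310/1319] Generating virt.pp with a custom command",
    "/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.",
    "../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.",
    "../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.",
    "../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.",
]

if __name__ == "__main__":
    kept, suppressed = filter_log(LOG, own_interfaces(VIRT_IF))
    print("\n".join(kept))
    print("suppressed:", suppressed)
```

Because the filter keys on interface names taken from the module's own .if file, a duplicate of an interface that file does not define (virt_image in the sample) is still reported.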
