[PATCH v2] Add SELinux policy for virt

Daniel P. Berrangé berrange at redhat.com
Wed Apr 28 09:04:19 UTC 2021


On Wed, Apr 28, 2021 at 10:54:58AM +0200, Vit Mojzis wrote:
> 
> On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
> > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > Sorry for the long delay. This is our first request to ship a policy for
> > > multiple selinux stores (targeted, mls and minimum).
> > > 
> > > Changes:
> > > * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
> > > * Add Ghost files representing installed policy modules in all policy stores
> > > * Rewrite policy compilation script in python
> > > * Compile the policy module twice (1 version for targeted/minimum - with
> > >    enable_mcs, and 1 for mls - with enable_mls)
> > > * Manage policy (un)installation using triggers based on which policy
> > >    type is available
> > > 
> > > The new policy was only tested in "targeted" mode so far and we'll need to make
> > > sure it works properly in "mls". As for "minimum", we know it will not
> > > work properly (as is the case of the current policy) by default (some
> > > other "contrib" policy modules need to be enabled).
> > > I'd argue there is no point trying to get it to work in "minimum",
> > > mostly because it (minimum) will be retired soon.
> > Running a build with this series causes a tonne of warning messages
> > on the console:
> > 
> > [1310/1319] Generating virt.pp with a custom command
> > /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
> > /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
> > /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
> > /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
> > /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98.
> > /usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117.
> > /usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136.
> > /usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155.
> > /usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176.
> > /usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197.
> > /usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218.
> > /usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
> > /usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256.
> > /usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275.
> > /usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295.
> > /usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314.
> > /usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332.
> > /usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368.
> > /usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386.
> > /usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405.
> > /usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430.
> > /usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449.
> > /usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467.
> > /usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485.
> > /usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549.
> > /usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570.
> > /usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591.
> > /usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638.
> > /usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657.
> > /usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676.
> > /usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695.
> > /usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714.
> > /usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721.
> > /usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725.
> > /usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729.
> > /usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733.
> > /usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738.
> > /usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742.
> > /usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746.
> > /usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). Original definition on 750.
> > /usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754.
> > /usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758.
> > /usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762.
> > /usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776.
> > /usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795.
> > /usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833.
> > /usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861.
> > ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
> > ../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29.
> > ../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45.
> > ../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51.
> > ../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.
> > ../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
> > ../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134.
> > ../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152.
> > ../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170.
> > ../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205.
> > ../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224.
> > ../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244.
> > ../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262.
> > ../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281.
> > ../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300.
> > ../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321.
> > ../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342.
> > ../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360.
> > ../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398.
> > ../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416.
> > ../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435.
> > ../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455.
> > ../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477.
> > ../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515.
> > ../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). Original definition on 533.
> > ../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552.
> > ../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573.
> > ../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592.
> > ../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612.
> > ../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632.
> > ../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651.
> > ../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671.
> > ../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690.
> > ../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709.
> > ../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746.
> > ../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764.
> > ../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783.
> > ../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804.
> > ../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829.
> > ../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851.
> > ../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875.
> > ../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893.
> > ../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912.
> > ../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929.
> > ../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947.
> > ../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). Original definition on 967.
> > ../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990.
> > ../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008.
> > ../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026.
> > ../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044.
> > ../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072.
> > ../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106.
> > ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125.
> > ../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143.
> > ../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161.
> > ../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179.
> > ../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197.
> > ../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215.
> > ../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233.
> > ../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253.
> > ../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272.
> > ../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291.
> > ../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321.
> > ../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). Original definition on 1340.
> > ../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372.
> > ../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390.
> > ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409.
> > ../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427.
> > ../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455.
> > ../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480.
> > ../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498.
> > ../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516.
> > ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534.
> > ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552.
> > ../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577.
> > ../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622.
> > ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642.
> > ../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678.
> > ../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696.
> > ../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716.
> > ../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.
> 
> Those are expected as long as there is still a virt.if interface file shipped
> by selinux-policy-* packages (we'll probably change the tone to Warning
> instead of Error in the future). Unfortunately they add up (you can see
> container-selinux messages as well).
> 
> I can hide them in the compilation script if you prefer that.

Yes, we definitely need to hide these if they're going to happen every
time any developer builds libvirt. We need to /not/ hide any other
real error messages though.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
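One way to do the selective filtering discussed in this thread, as an added example that is not the patch's own Python compilation script: a small wrapper that runs the policy build, drops only diagnostics matching the exact `file.if:N: Error: duplicate definition of iface(). Original definition on M.` shape quoted above, passes every other line through, and propagates the build's exit status so a real failure still fails the build. The wrapper name, the command-line convention and the sample stderr lines are assumptions constructed for the example.

```python
import re
import subprocess
import sys

# The reference policy emits these when an interface file (.if) is present
# both in the selinux-policy devel tree and in the module being built.
# The pattern is anchored and restricted to .if files so that no other kind
# of "Error:" line can be matched and silently swallowed.
DUPLICATE_DEF_RE = re.compile(
    r"^(?P<file>\S+\.if):(?P<line>\d+): Error: duplicate definition of "
    r"(?P<iface>\w+)\(\)\. Original definition on (?P<orig>\d+)\.$"
)


def filter_build_output(lines):
    """Split build stderr into (kept, suppressed).

    kept: everything the developer should still see (real errors,
          warnings, progress lines).
    suppressed: only the expected duplicate-definition diagnostics.
    """
    kept, suppressed = [], []
    for line in lines:
        if DUPLICATE_DEF_RE.match(line.rstrip("\n")):
            suppressed.append(line)
        else:
            kept.append(line)
    return kept, suppressed


def run_filtered(cmd):
    """Run the policy build command (hypothetical wrapper, assumes the
    command is passed as argv), hide only the expected diagnostics and
    return the build's own exit status unchanged."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    kept, _ = filter_build_output(proc.stderr.splitlines())
    for line in kept:
        print(line, file=sys.stderr)
    sys.stdout.write(proc.stdout)
    return proc.returncode


# Constructed sample stderr (not captured from a real build): two expected
# duplicate-definition lines, one constructed real error, one progress line.
SAMPLE_STDERR = [
    "/usr/share/selinux/devel/include/services/container.if:13: Error: "
    "duplicate definition of container_runtime_domtrans(). "
    "Original definition on 13.",
    "../selinux/virt.if:206: Error: duplicate definition of virt_image(). "
    "Original definition on 112.",
    "../selinux/virt.te:42: Error: syntax error near 'allow'",
    "Compiling targeted virt module",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python filter_policy_build.py make -f /usr/share/selinux/devel/Makefile virt.pp
        sys.exit(run_filtered(sys.argv[1:]))
    kept, suppressed = filter_build_output(SAMPLE_STDERR)
    print(f"suppressed {len(suppressed)} expected diagnostics, kept {len(kept)}")
    for line in kept:
        print("  " + line)
```

The important design choice is that the regex is the only thing deciding what disappears: it requires the `.if` suffix, the literal `duplicate definition of ...()` text and the trailing `Original definition on N.`, so a syntax error in `virt.te` or any other message is always shown, and the exit status is never altered by the filtering.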
