[PATCH v2 1/4] Add SELinux policy for virt

Daniel P. Berrangé berrange at redhat.com
Wed Apr 28 09:29:36 UTC 2021


On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
> 
> On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
> > On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> > > From: Nikola Knazekova <nknazeko at redhat.com>
> > > 
> > > SELinux policy was created for:
> > > 
> > > Hypervisor drivers:
> > > - virtqemud (QEMU/KVM)
> > > - virtlxcd (LXC)
> > > - virtvboxd (VirtualBox)
> > > 
> > > Secondary drivers:
> > > - virtstoraged (host storage mgmt)
> > > - virtnetworkd (virtual network mgmt)
> > > - virtinterface (network interface mgmt)
> > > - virtnodedevd (physical device mgmt)
> > > - virtsecretd (security credential mgmt)
> > > - virtnwfilterd (ip[6]tables/ebtables mgmt)
> > > - virtproxyd (proxy daemon)
> > > 
> > > SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
> > > 
> > > Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
> > > ---
> > >   libvirt.spec.in |   64 ++
> > >   selinux/virt.fc |  111 +++
> > >   selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
> > >   selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
> > >   4 files changed, 4245 insertions(+)
> > >   create mode 100644 selinux/virt.fc
> > >   create mode 100644 selinux/virt.if
> > >   create mode 100644 selinux/virt.te
> > I was expecting to see the /etc/selinux/targeted/contexts/ files
> > that belong to the virt policy included as well.
> 
> Those are compiled from the whole policy and would not be created without
> the corresponding selinux-policy-* package.

AFAICT, these are not compiled at all, they're just static data files
in git:

  https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconfig-mcs/virtual_domain_context

They're referring to contexts that are defined in the virt.if policy,
so I'd expect the static data files to live with libvirt.git, so that
we can add to them at a later time if we modify virt.if



> > > diff --git a/selinux/virt.te b/selinux/virt.te
> > > new file mode 100644
> > > index 0000000000..59dedb8754
> > > --- /dev/null
> > > +++ b/selinux/virt.te
> > > @@ -0,0 +1,2086 @@
> > > +policy_module(virt, 1.5.0)
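Review bot: the new file opens with `policy_module(virt, 1.5.0)`, a non-initial version on a freshly created module, and neither the header nor the commit message says how this module relates to (or is meant to replace) the one shipped by the selinux-policy-* package mentioned earlier in the thread; add a sentence to the commit message, or a comment above the header, naming the module this supersedes and explaining why the version starts at 1.5.0, so a later bump has a stated baseline.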
> > Is there some include file syntax we can use with this so
> > that we can split it up.  I'm not asking you to split it,
> > but I'll later want to make it have one file for each daemon
> > and a few files for the common pieces, to make this easier
> > to manage.
> I'm not aware of any include syntax other than .if files. In theory you
> could use multiple interface files, each containing an interface covering a
> single daemon. All of those interfaces would then be "called" from virt.te.
> 
> Other than that you'd need to have multiple policy modules in order to use
> multiple .te files.

Or probably easiest if we just pre-process the files ourselves to combine
them.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
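As an added example (not from this thread and not libvirt.git code), here is what the "pre-process the files ourselves" option could look like as a POSIX shell script: per-daemon `.te` fragments are concatenated behind a single `policy_module()` header, and a fragment that carries its own header is rejected rather than silently buried mid-file. The fragment names `virt_common.te` and `virtqemud.te` and their contents are constructed for the example and are not the real libvirt policy.

```shell
#!/bin/sh
# Added example, not code from libvirt.git: the "pre-process the files
# ourselves" approach from the thread, concatenating per-daemon .te
# fragments into one virt.te behind a single policy_module() header.
# Fragment file names and contents below are constructed for this
# example; they are not the real libvirt policy.
set -eu

# combine_te MODULE VERSION OUT FRAGMENT...
#   Writes OUT = one policy_module(MODULE, VERSION) line followed by
#   every FRAGMENT in the order given.  A fragment that declares its own
#   policy_module() is rejected up front: a second header anywhere but
#   the first line breaks the build, and plain concatenation would hide it.
combine_te() {
    module=$1; version=$2; out=$3; shift 3
    for f in "$@"; do
        if grep -q '^policy_module(' "$f"; then
            echo "combine_te: $f declares its own policy_module()" >&2
            return 1
        fi
    done
    {
        printf 'policy_module(%s, %s)\n' "$module" "$version"
        for f in "$@"; do
            # '#' starts a comment in .te files, so this banner is inert
            printf '\n######## %s ########\n' "$(basename "$f")"
            cat "$f"
        done
    } > "$out"
}

# count_headers FILE
#   Number of policy_module() declarations in FILE.  A valid module has
#   exactly one, on its first line.
count_headers() {
    grep -c '^policy_module(' "$1" || true
}

demo() {
    work=$(mktemp -d)
    # Constructed fragments standing in for hypothetical
    # selinux/virt_common.te and selinux/virtqemud.te.
    cat > "$work/virt_common.te" <<'EOF'
## shared pieces (constructed sample)
type virt_etc_t;
files_config_file(virt_etc_t)
EOF
    cat > "$work/virtqemud.te" <<'EOF'
## virtqemud (constructed sample)
type virtqemud_t;
type virtqemud_exec_t;
init_daemon_domain(virtqemud_t, virtqemud_exec_t)
EOF
    combine_te virt 1.5.0 "$work/virt.te" \
        "$work/virt_common.te" "$work/virtqemud.te"
    echo "policy_module headers in virt.te: $(count_headers "$work/virt.te")"
    cat "$work/virt.te"
    rm -rf "$work"
}

demo
```

The combined `virt.te` is then built the usual way alongside `virt.if` and `virt.fc` (for example with `make -f /usr/share/selinux/devel/Makefile virt.pp` on a host with selinux-policy-devel installed); only the pre-processing step is shown here, since the refpolicy build needs the full development headers.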
