[libvirt PATCH 01/13] security: add SELinux policy for virt

Pavel Hrdina phrdina at redhat.com
Tue Aug 10 08:39:23 UTC 2021


On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:
> From: Nikola Knazekova <nknazeko at redhat.com>
> 
> SELinux policy was created for:
> 
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
> 
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterface (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
> 
> SELinux policy for virtvxz and virtxend has not been created yet,
> because I wasn't able to reproduce AVC messages. These drivers
> run in unconfined_domain until the AVC messages are reproduced
> internally and policy for these drivers is made.
> 
> Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
> ---
>  src/security/selinux/virt.fc |  111 ++
>  src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++
>  src/security/selinux/virt.te | 2078 ++++++++++++++++++++++++++++++++++
>  3 files changed, 4173 insertions(+)
>  create mode 100644 src/security/selinux/virt.fc
>  create mode 100644 src/security/selinux/virt.if
>  create mode 100644 src/security/selinux/virt.te
>
> diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
> new file mode 100644
> index 0000000000..554e1094d9
> --- /dev/null
> +++ b/src/security/selinux/virt.fc
> @@ -0,0 +1,111 @@
> +HOME_DIR/\.libvirt(/.*)? 		gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.libvirt/qemu(/.*)? 		gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.cache/libvirt(/.*)? 		gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.cache/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.config/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/VirtualMachines(/.*)?		gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t,s0)

These two don't look like libvirt SELinux bits, more like virt-manager
or some other tool.

> +HOME_DIR/\.local/share/libvirt/images(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.local/share/libvirt/boot(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
> +
> +/etc/libvirt			-d	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/libvirt/virtlogd\.conf	--	gen_context(system_u:object_r:virtlogd_etc_t,s0)
> +/etc/libvirt/[^/]*		--	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/libvirt/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
> +/etc/libvirt/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
> +/etc/rc\.d/init\.d/libvirtd	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/virtlogd	--	gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
> +
> +/usr/libexec/libvirt_lxc	--	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
> +
> +/usr/sbin/libvirtd		--	gen_context(system_u:object_r:virtd_exec_t,s0)
> +/usr/sbin/virtlockd		--	gen_context(system_u:object_r:virtlogd_exec_t,s0)
> +/usr/sbin/virtlogd		--	gen_context(system_u:object_r:virtlogd_exec_t,s0)
> +/usr/bin/virsh			--	gen_context(system_u:object_r:virsh_exec_t,s0)
> +
> +/usr/sbin/virtinterfaced	--	gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
> +/usr/sbin/virtlxcd		--	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
> +/usr/sbin/virtnetworkd		--	gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
> +/usr/sbin/virtnodedevd		--	gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
> +/usr/sbin/virtnwfilterd		--	gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
> +/usr/sbin/virtproxyd		--	gen_context(system_u:object_r:virtproxyd_exec_t,s0)
> +/usr/sbin/virtqemud		--	gen_context(system_u:object_r:virtqemud_exec_t,s0)
> +/usr/sbin/virtsecretd		--	gen_context(system_u:object_r:virtsecretd_exec_t,s0)
> +/usr/sbin/virtstoraged		--	gen_context(system_u:object_r:virtstoraged_exec_t,s0)
> +/usr/sbin/virtvboxd		--	gen_context(system_u:object_r:virtvboxd_exec_t,s0)
> +/usr/sbin/virtvzd		--	gen_context(system_u:object_r:virtvzd_exec_t,s0)
> +/usr/sbin/virtxend		--	gen_context(system_u:object_r:virtxend_exec_t,s0)
> +
> +/var/cache/libvirt(/.*)?		gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
> +
> +/var/lib/libvirt(/.*)?			gen_context(system_u:object_r:virt_var_lib_t,s0)
> +/var/lib/libvirt/boot(/.*)? 		gen_context(system_u:object_r:virt_content_t,s0)
> +/var/lib/libvirt/images(/.*)?		gen_context(system_u:object_r:virt_image_t,s0)
> +/var/lib/libvirt/isos(/.*)?		gen_context(system_u:object_r:virt_content_t,s0)
> +/var/lib/libvirt/lockd(/.*)?		gen_context(system_u:object_r:virt_var_lockd_t,s0)
> +/var/lib/libvirt/qemu(/.*)?		gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
> +
> +/var/log/log(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)

Based on selinux-policy commit 63ead48cf8, this seems vdsm-related.
I don't think that we use this directory in libvirt.

> +/var/log/libvirt(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)
> +/var/run/libvirtd\.pid			--	gen_context(system_u:object_r:virt_var_run_t,s0)
> +# Avoid calling m4's "interface" by using en empty string
> +/var/run/libvirt/interfac(e)(/.*)?		gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
> +/var/run/libvirt/nodedev(/.*)?			gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
> +/var/run/libvirt/nwfilter(/.*)?			gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
> +/var/run/libvirt/secrets(/.*)?			gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
> +/var/run/libvirt/storage(/.*)?			gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
> +
> +/var/run/virtlogd\.pid			--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
> +/var/run/virtlxcd\.pid			--	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
> +/var/run/virtqemud\.pid			--	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
> +/var/run/virtvboxd\.pid			--	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
> +/var/run/virtproxyd\.pid		--	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
> +/var/run/virtinterfaced\.pid		--	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
> +/var/run/virtnetworkd\.pid		--	gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
> +/var/run/virtnodedevd\.pid		--	gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
> +/var/run/virtnwfilterd\.pid		--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
> +/var/run/virtnwfilterd-binding\.pid	--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
> +/var/run/virtsecretd\.pid		--	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
> +/var/run/virtstoraged\.pid		--	gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
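Review bot: the `/usr/sbin/virtvzd` and `/usr/sbin/virtxend` entries label those binaries `virtvzd_exec_t` and `virtxend_exec_t`, but the commit message says no policy has been written for these two drivers and they run unconfined; unless virt.te (not visible in this hunk) declares both types, the module will fail to build because a file context naming an undefined type cannot be resolved, so these two lines should be dropped until the policy for those drivers exists. Also, `/usr/sbin/virtlockd` is labelled `virtlogd_exec_t`, which puts virtlockd into virtlogd's domain; if sharing the domain is intended, a one-line comment there would save the next reader the question. Minor: the comment "by using en empty string" should read "an empty string".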

[...]

I was not able to figure out which SELinux policy this one is based
on, as the upstream for rawhide from <https://github.com/fedora-selinux/selinux-policy.git>
is a bit different. There are some cosmetic changes but I see two major
differences:

    - the upstream policy doesn't have the split-daemon bits compared to
      this one; I checked it and it looks reasonable, but I'm not that
      familiar with SELinux policy

    - the upstream policy has an important `system.token` issue fix that
      we've seen recently introduced by upstream commit <1f761d0bbd>

Pavel
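The review above turns on two properties of a file_contexts file: which entry ends up labelling a given path, and whether every type an entry names actually exists in the accompanying .te. The checker below is an added example, not code from the patch or from libvirt, that parses a constructed subset of entries in the shape of the virt.fc hunk, resolves paths against them, and cross-checks the referenced types against a constructed excerpt of `type` declarations (`SAMPLE_FC`, `SAMPLE_TE`, `parse_fc`, `lookup`, `parse_te_types` and `find_undeclared_types` are all this example's own names). Two simplifications are assumptions: `HOME_DIR` is replaced by a generic `/home/[^/]+` regex instead of being expanded per user by genhomedircon, and matching uses the plain "last matching entry wins" rule that the hunk's ordering of `/var/lib/libvirt(/.*)?` before `/var/lib/libvirt/images(/.*)?` relies on, without reproducing libselinux's specificity sorting.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the virt.fc hunk (a subset; not the real file).
SAMPLE_FC = r"""
HOME_DIR/\.libvirt(/.*)?                gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/\.libvirt/qemu(/.*)?           gen_context(system_u:object_r:svirt_home_t,s0)
/etc/libvirt                    -d      gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]*              --      gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]*              -d      gen_context(system_u:object_r:virt_etc_rw_t,s0)
/usr/sbin/virtlockd             --      gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/sbin/virtvzd               --      gen_context(system_u:object_r:virtvzd_exec_t,s0)
/var/lib/libvirt(/.*)?                  gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)?           gen_context(system_u:object_r:virt_image_t,s0)
# Avoid calling m4's "interface" by using an empty string
/var/run/libvirt/interfac(e)(/.*)?      gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
"""

# Constructed excerpt of `type` declarations as a .te file would carry them;
# virtvzd_exec_t is deliberately absent so the cross-check below fires.
SAMPLE_TE = """
type virt_home_t;
type svirt_home_t;
type virt_etc_t;
type virt_etc_rw_t;
type virtlogd_exec_t;
type virt_var_lib_t;
type virt_image_t;
type virtinterfaced_var_run_t;
"""

# file_contexts type qualifier -> one-letter file kind used by lookup()
FTYPE_QUALIFIERS = {"--": "f", "-d": "d", "-l": "l", "-c": "c",
                    "-b": "b", "-s": "s", "-p": "p"}

# Assumption: genhomedircon expands HOME_DIR per user on a real system;
# this example substitutes a generic home-directory regex instead.
HOME_DIR_PATTERN = r"/home/[^/]+"

# <regex> [<ftype>] gen_context(<user:role:type>,<level>)   or   <<none>>
FC_LINE = re.compile(
    r"^(?P<regex>\S+)(?:\s+(?P<ftype>-[-dlcbsp]))?\s+"
    r"(?:gen_context\((?P<ctx>[^,)]+),(?P<level>[^)]*)\)|(?P<none><<none>>))$"
)


@dataclass
class FcEntry:
    pattern: re.Pattern
    ftype: Optional[str]     # None = applies to any kind of file
    context: Optional[str]   # None = <<none>> (leave the path unlabelled)
    lineno: int

    @property
    def type(self) -> Optional[str]:
        # context is user:role:type:level; the type is the third field
        return self.context.split(":")[2] if self.context else None


def parse_fc(text: str) -> list[FcEntry]:
    """Parse file_contexts text into entries, preserving file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse entry {line!r}")
        regex = m.group("regex").replace("HOME_DIR", HOME_DIR_PATTERN)
        ctx = None if m.group("none") else f"{m.group('ctx')}:{m.group('level')}"
        entries.append(FcEntry(re.compile(regex), FTYPE_QUALIFIERS.get(m.group("ftype")),
                               ctx, lineno))
    return entries


def lookup(entries: list[FcEntry], path: str, kind: str = "f") -> Optional[FcEntry]:
    """Return the entry labelling `path` (a file of `kind`), or None.

    Regexes are anchored at both ends; among entries whose kind qualifier
    admits `path`, the LAST match wins (assumption: the file lists generic
    entries before specific ones, as the hunk does for /var/lib/libvirt).
    """
    winner = None
    for e in entries:
        if e.ftype in (None, kind) and e.pattern.fullmatch(path):
            winner = e
    return winner


def parse_te_types(text: str) -> set[str]:
    """Collect names declared with `type NAME...;` in .te text."""
    return set(re.findall(r"^\s*type\s+(\w+)", text, flags=re.MULTILINE))


def find_undeclared_types(entries: list[FcEntry], declared: set[str]) -> list[tuple[int, str]]:
    """(lineno, type) for each entry whose type is not declared in the .te.

    A file context naming an undefined type cannot be resolved when the module
    is built, which is the check to run on drivers that have no policy yet.
    """
    return [(e.lineno, e.type) for e in entries
            if e.type is not None and e.type not in declared]


if __name__ == "__main__":
    fc = parse_fc(SAMPLE_FC)
    for p, k in [("/var/lib/libvirt/images/vm.qcow2", "f"), ("/etc/libvirt/qemu", "d")]:
        print(p, "->", lookup(fc, p, k).context)
    print("undeclared:", find_undeclared_types(fc, parse_te_types(SAMPLE_TE)))
```

Running the script resolves `/var/lib/libvirt/images/vm.qcow2` to `virt_image_t` even though the generic `/var/lib/libvirt(/.*)?` entry also matches, labels `/etc/libvirt/qemu` differently depending on whether it is asked about as a directory or a regular file, and reports `virtvzd_exec_t` as the one type the sample .te never declares, which is the situation the commit message describes for the virtvzd and virtxend lines.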