[libvirt PATCH 00/13] selinux: introduce sVirt policy and build

Pavel Hrdina phrdina at redhat.com
Tue Aug 10 09:12:59 UTC 2021


On Fri, Aug 06, 2021 at 06:47:57PM +0100, Daniel P. Berrangé wrote:
> This is an extension of
> 
>   https://listman.redhat.com/archives/libvir-list/2021-July/msg00167.html
> 
> The original patches from that series are unchanged apart from the
> commit message, and a tweak to the minimum Fedora version in the RPM.
> 
> I then include various refactors/cleanups.
> 
> On Fedora 34 I notice the following:
> 
> ../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.
> 
> assuming those warnings are correct, we can delete a few things
> from the policy, but that's not done here.
> 
> Daniel P. Berrangé (10):
>   selinux: remove redundant use of 'set_variable' function
>   selinux: move selinux policy build helper to scripts directory
>   selinux: don't hardcode paths to selinux tools
>   selinux: don't hardcode policy include files directory
>   rpm: move logic for setting selinux policy variables
>   rpm: rename selinux variables to improve clarity
>   selinux: introduce meson option for selinux policy install
>   selinux: remove duplicate sources list for policy
>   scripts: use variables for cli args in selinux helper
>   scripts: factor repeated path joins from selinux helper
> 
> Nikola Knazekova (1):
>   security: add SELinux policy for virt
> 
> Vit Mojzis (2):
>   selinux: introduce build, install, packaging for selinux policy
>   Install selinux-policy-devel in test environment

Overall it looks reasonable; there are some small issues, and we should
clarify where the policy comes from and add the missing system.token
bits.

Pavel
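The four policy-build warnings quoted above are the kind of output a maintainer has to turn into a list of `virt.te` lines to review before pruning deprecated interface calls. The script below is an added example, not code from the thread or from libvirt: it parses that warning format, embedding the quoted lines as sample input, and groups each deprecated interface with the locations that call it.

```python
import re
from collections import defaultdict

# Sample input: the four deprecation warnings quoted in the thread,
# embedded here so the script runs offline without a policy build.
SAMPLE_WARNINGS = """\
../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.
"""

# Shape of one warning: "<file>:<line>: Warning: <interface>(<args>) has been deprecated."
WARNING_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+): Warning: "
    r"(?P<iface>\w+)\((?P<args>[^)]*)\) has been deprecated\."
)


def parse_deprecations(text):
    """Return (file, line, interface, args) for every deprecation warning in text."""
    found = []
    for raw in text.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            found.append((m.group("file"), int(m.group("line")),
                          m.group("iface"), m.group("args")))
    return found


def group_by_interface(records):
    """Map each deprecated interface to the sorted (file, line) locations calling it."""
    groups = defaultdict(list)
    for path, line, iface, _args in records:
        groups[iface].append((path, line))
    return {iface: sorted(locs) for iface, locs in groups.items()}


if __name__ == "__main__":
    # Print a review checklist: one interface per heading, call sites beneath it.
    for iface, locs in group_by_interface(parse_deprecations(SAMPLE_WARNINGS)).items():
        print(iface)
        for path, line in locs:
            print(f"  {path}:{line}")
```

Pipe the real build output into `parse_deprecations` instead of `SAMPLE_WARNINGS` to get the list for a current policy tree.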