[PATCH v2] Add SELinux policy for virt

Fri Jun 18 13:56:23 UTC 2021

On 24. 05. 21 14:36, Daniel P. Berrangé wrote:
> On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:
>> On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
>>> On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
>>>> On 4/30/21 10:28 PM, Vit Mojzis wrote:
>>>>> On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
>>>>>> On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
>>>>>>> Sorry for the long delay. This is our first request to ship a
>>>>>>> policy for
>>>>>>> multiple selinux stores (targeted, mls and minimum).
>>>>>>>
>>>>>>> Changes:
>>>>>>> * Replace all selinux-policy-%{policytype} dependencies with
>>>>>>> selinux-policy-base
>>>>>>> * Add Ghost files representing installed policy modules in all
>>>>>>> policy stores
>>>>>>> * Rewrite policy compilation script in python
>>>>>>> * Compile the policy module twice (1 version for
>>>>>>> targeted/minimum - with
>>>>>>>     enable_mcs, and 1 for mls - with enable_mls)
>>>>>>> * Manage policy (un)installation using triggers based on which policy
>>>>>>>     type is available
>>>>>>>
>>>>>>> The new policy was only tested in "targeted" mode so far and
>>>>>>> we'll need to make
>>>>>>> sure it works properly in "mls". As for "minimum", we know it will not
>>>>>>> work properly (as is the case of the current policy) by default (some
>>>>>>> other "contrib" policy modules need to be enabled).
>>>>>>> I'd argue there is no point trying to get it to work in "minimum",
>>>>>>> mostly because it (minimum) will be retired soon.
>>>>>> I'm wondering how SELinux is supposed to integrate with containers when
>>>>>> using a modular policy.
>>>>>>
>>>>>> Right now you can install RPMs in a container, and use selinux
>>>>>> enforcement
>>>>>> on that container because the host OS policy provides all the rules
>>>>>> in the
>>>>>> monolithic blob.
>>>>>> If we take this policy into libvirt, then when you install libvirt in a
>>>>>> container, there will be no selinux policy available.
>>>>>>
>>>>>> Users can't install libvirt-selinux inside the container, as it
>>>>>> needs to be
>>>>>> built against the main policy in the host.
>>>>>>
>>>>>> User likely won't install libvirt-selinux outside the container as that
>>>>>> defeats the purpose of using containers for their deployment mechanism.
>>>>>>
>>>>>> Container based deployment of libvirt is important for both OpenStack
>>>>>> and KubeVirt.
>>>> So from discussions with respective developers i got the following:
>>>>
>>>> KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
>>>> that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only
>>>> installed inside the container and there is no bind mount of
>>>> /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the
>>>> host.
>>> With OpenStack I believe their deployment tool manages the config of
>>> the entire host, so installing the libvirt-daemon-selinux package
>>> ought to be reasonably straightforward for them.
>>>
>>> I worry about KubeVirt though. IIUC in their deployment, the hosts
>>> in use are all provisioned by OpenShift upfront & when KubeVirt is
>>> deployed, the only pieces they're deploying live inside the host.
>>>
>>> IOW, it seems like libvirt-daemon-selinux would have to be provided
>>> ahead of time by OpenShift if it is to be used, and I'm not sure
>>> if that's a practical requirement.
>>>
>>> I think we need to get explicit confirmation from KubeVirt that
>>> a requirement to installing RPMs directly on the host is going
>>> to be acceptable.
>> I'm afraid that's not going to fly for KubeVirt.
>>
>> Adding Roman and Vladik so they can provide more information.
>>
>> For context, the discussion is about shipping the SELinux policy
>> for libvirt as part of a sub-package of libvirt instead of the main
>> selinux-policy package.
> Reading again, I realize Vit links to a URL above that shows
> virt-handler  includes a custom selinux policy.
>
> How does that get deployed, and can the libvirt-daemon-selinux
> stuff be deployed in the same way ?

Based on a quick look at virt-handler it seems like the policy is 
installed by installPolicy in cmd/virt-handler/virt-handler.go, which 
just calls "semodule -i".

Shipping the policy is much more straight-forward in this case, since 
it's in "cil" format, which means it does not need to be compiled before 
installation.

I expect that it would be easier to include virt-daemon-selinux as a 
dependency, instead of managing the virt policy.

Vit

>
> Regards,
> Daniel